As you know "Internal engine certificate" should be manually installed in Browser. There are at least two cases for this: 1. Browser-Based Console Clients (SPICE-HTML5 and noVNC). 2. Qcow2 image uploader. This certificate can be downloaded from: http://<engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA Problem is: current ovirt certificate doesn't have "X509v3 Subject Alternative Name" entry: curl -k 'https://<hostname>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA' | openssl x509 -text | grep -i 'Subject Alternative Name' The certificate must be generated with "X509v3 Subject Alternative Name" extension, like next certificate: openssl x509 -in some.crt -text X509v3 extensions: .... X509v3 Subject Alternative Name: DNS:fully.qualified.domain.name.com Chrome 58 cannot upload any qcow2 image, even browser was told to trust engine certificate. https://www.chromestatus.com/features/4981025180483584 This follows a similar change in Firefox 48.
Interesting, I believe we've had it ages ago... Especially for IE actually.
*** Bug 1450629 has been marked as a duplicate of this bug. ***
Didi, isn't this a dup of a bug you're already looking into?
(In reply to Allon Mureinik from comment #3) > Didi, isn't this a dup of a bug you're already looking into? Yes, and Yaniv closed it as dup of current, see above. I tend to do the opposite and close current, because I prefer having a bug per each specific issue, but I admit I didn't yet actually try chrome, so not sure about its behavior. Specifically, comment 0 mixes ca cert with https cert. I do not think chrome requires SAN for the ca cert, but didn't try yet.
*** This bug has been marked as a duplicate of bug 1450629 ***