Bug 1445245 - ovirt-log-collector should use /etc/pki/ovirt-engine/apache-ca.pem instead of /etc/pki/ovirt-engine/ca.pem
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-log-collector
Version: 4.0.6
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: ovirt-4.2.0
: ---
Assignee: Ido Rosenzwig
QA Contact: Lukas Svaty
URL:
Whiteboard:
Duplicates: 1146710
Depends On:
Blocks:
 
Reported: 2017-04-25 10:45 UTC by Olimp Bockowski
Modified: 2019-10-10 12:16 UTC (History)

Fixed In Version: ovirt-log-collector-4.2.0-1.el7ev
Doc Type: Bug Fix
Doc Text:
Ovirt-log-collector now uses /etc/pki/ovirt-engine/apache-ca.pem as the default certificate authority. This prevents errors when the certificate authority is changed.
Clone Of:
Environment:
Last Closed: 2018-05-15 17:31:24 UTC
oVirt Team: Integration
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:1465 None None None 2018-05-15 17:32:08 UTC
oVirt gerrit 76359 'None' MERGED config: ovirt-log-collector need to use apache-ca.pem by default 2020-07-08 14:07:14 UTC

Description Olimp Bockowski 2017-04-25 10:45:03 UTC
Description of problem:
By default, log collector points to /etc/pki/ovirt-engine/ca.pem, which is wrong in my honest opinion, because I think it should point to apache-ca.pem (it uses the REST API, so it should depend on Apache's cert, not ca.pem).
At the beginning (default installation), /etc/pki/ovirt-engine/apache-ca.pem is the same as /etc/pki/ovirt-engine/ca.pem.
If a customer replaces the RHV-M SSL certificate with his/her organization's commercially signed certificate, then he experiences an issue:

ERROR: Failure fetching information about hypervisors from API.
Error (Error): ('Error while sending HTTP request', error(60, "Peer's Certificate issuer is not recognized."))
ERROR: _get_hypervisors_from_api: ('Error while sending HTTP request', error(60, "Peer's Certificate issuer is not recognized."))


Version-Release number of selected component (if applicable):
RHV 3.x, 4.x

How reproducible:
always

Steps to Reproduce:
1. replace certificate according to:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.0/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_SSL_Certificate
2. run ovirt-log-collector

Actual results:
ERROR: Failure fetching information about hypervisors from API.
Error (Error): ('Error while sending HTTP request', error(60, "Peer's Certificate issuer is not recognized."))
ERROR: _get_hypervisors_from_api: ('Error while sending HTTP request', error(60, "Peer's Certificate issuer is not recognized."))

Expected results:
ovirt-log-collector uses: /etc/pki/ovirt-engine/apache-ca.pem

Additional info:
There is an easy fix for this problem:
vim /etc/ovirt-engine/logcollector.conf
cert-file=/etc/pki/ovirt-engine/apache-ca.pem
But it should be by default.
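
An added example, not part of the original report and not ovirt-log-collector's own code: a small audit that reports whether a host is in the state described above, where the collector still trusts ca.pem after apache-ca.pem has been replaced. The function names, result labels and the `root` parameter are assumptions for illustration, and the PEM contents in the demo are constructed placeholders.

```python
import hashlib
import os
import tempfile

OLD_DEFAULT = "/etc/pki/ovirt-engine/ca.pem"         # default named in the report
NEW_DEFAULT = "/etc/pki/ovirt-engine/apache-ca.pem"  # default after the fix

def configured_cert_file(conf_text):
    """Return the last cert-file value in logcollector.conf text, or None."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":  # blank, comment or section header
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "cert-file":
            value = val.strip()
    return value

def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def audit(conf_text, root="/", default=OLD_DEFAULT):
    """Classify the CA bundle the collector would trust (hypothetical helper).

    ok      -> apache-ca.pem is used
    custom  -> some other bundle is configured; review it by hand
    latent  -> ca.pem is used and still matches apache-ca.pem
    broken  -> ca.pem is used but apache-ca.pem differs (the reported failure)
    """
    effective = configured_cert_file(conf_text) or default
    if effective == NEW_DEFAULT:
        return "ok"
    if effective != OLD_DEFAULT:
        return "custom"
    ca, apache = (os.path.join(root, p.lstrip("/")) for p in (OLD_DEFAULT, NEW_DEFAULT))
    if not (os.path.exists(ca) and os.path.exists(apache)):
        return "unknown"
    return "latent" if _sha256(ca) == _sha256(apache) else "broken"

def make_tree(ca_pem, apache_ca_pem):
    """Build a constructed PKI directory under a temp root for the demo."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc/pki/ovirt-engine"))
    for path, data in ((OLD_DEFAULT, ca_pem), (NEW_DEFAULT, apache_ca_pem)):
        with open(os.path.join(root, path.lstrip("/")), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    replaced = make_tree(b"internal CA (constructed)", b"commercial CA (constructed)")
    print(audit("", root=replaced), audit("cert-file=" + NEW_DEFAULT, root=replaced))
```

A "latent" result means the collector works today but will start failing with the certificate issuer error as soon as the Manager's Apache certificate chain is replaced.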

Comment 2 Lukas Svaty 2017-09-07 14:57:04 UTC
verified in ovirt-log-collector-4.2.0-0.0.master.20170903141131.gitbd2607f.el7.centos.noarch

[root@ls-engine1 ~]# grep DEFAULT_CA_PEM /usr/lib/python2.7/site-packages/ovirt_log_collector/config.py
DEFAULT_CA_PEM = "/etc/pki/ovirt-engine/apache-ca.pem"

Comment 4 Lukas Svaty 2018-04-20 08:27:29 UTC
ovirt-log-collector-4.2.4-5.el7ev.noarch

Comment 8 errata-xmlrpc 2018-05-15 17:31:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1465

Comment 9 Yedidyah Bar David 2018-06-13 05:57:54 UTC
*** Bug 1146710 has been marked as a duplicate of this bug. ***

Comment 10 Franta Kust 2019-05-16 13:05:17 UTC
BZ<2>Jira Resync

