Red Hat Bugzilla – Bug 1459569
RHV provider does not trust certificate authorities from the system CA database
Last modified: 2018-03-06 10:22:40 EST
Description of problem:
Add RHV provider with 'Verify TLS Certificates' ON,
The 'Trusted CA Certificates' is not taken from CFME, though it is saved there.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
On CFME, as root user:
1. scp root@<engine fqdn>:/etc/pki/ovirt-engine/ca.pem /etc/pki/ca-trust/source/anchors/<engine fqdn>.ca.crt
3. Add RHV provider with 'Verify TLS Certificates' ON, but leave the 'Trusted CA Certificates' empty.
4. Press on 'Validate' button
Actual results:
Validation fails with an error in the UI (see attached "validate_error" screenshot).
Expected results:
Provider validation should succeed.
The certificate should be taken from the one saved on the CFME machine.
If the content of <engine fqdn>:/etc/pki/ovirt-engine/ca.pem is pasted into the UI 'Trusted CA Certificates' field, provider validation succeeds.
** This is blocking CFME/RHV provider automation tests from running with TLS ON.
Created attachment 1285799
Look for ERROR from the bottom of the log.
Please assess the importance of this issue and update the priority accordingly. Somewhere it was missed in the bug triage process. Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#priority for a reminder on each priority's definition.
If it's something like a tracker bug where it doesn't matter, please set it to Low/Low.
Note that the issue is that the RHV provider doesn't trust the certificate authorities that are registered in the system certificate database; it only trusts the certificate authorities provided explicitly in the form used to add the provider. If nothing is provided in that form, then the provider doesn't trust anything. So the provider is actually more strict than it should be. Most RHV installations use a self-signed certificate authority, so this isn't a big issue because it is easier (for the CFME admin) to paste that self-signed certificate in the form than to add it to the system certificate database. For this reason I am lowering the severity.
This issue is addressed by the following pull request:
Use nil ca_certs to trust system CAs
See the description of that pull request for information about how to verify the issue.
In particular, note that the library used by the 'ovirt-engine-sdk' gem doesn't reload the system CA database. That means that in order to test this using version 4 of the RHV API the CFME appliance needs to be restarted after adding the RHV CA certificate to the system CA database.
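As an added illustration of the behaviour described above (not ManageIQ's or the ovirt-engine-sdk gem's code; written against Ruby's standard OpenSSL bindings, with the function and constant names assumed), this builds the verification store both ways, an explicit 'Trusted CA Certificates' PEM or nil falling back to the system CA database, and checks a constructed engine certificate against it.

```ruby
require 'openssl'

# Certificate store a TLS client verifies the RHV engine against.
# ca_certs: PEM text from the 'Trusted CA Certificates' field, or nil/empty.
# trust_system_cas: true models the fix (nil => system CA database);
# false models the reported behaviour (nil => trust nothing at all).
def build_cert_store(ca_certs, trust_system_cas: true)
  store = OpenSSL::X509::Store.new
  if ca_certs.nil? || ca_certs.strip.empty?
    # Anchors from /etc/pki/ca-trust are read at this point only; a process
    # that started before update-ca-trust ran will not see new ones.
    store.set_default_paths if trust_system_cas
  else
    ca_certs.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
            .each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  end
  store
end

# true when the engine certificate chains to an anchor in the store.
def engine_cert_trusted?(store, engine_cert)
  store.verify(engine_cert)
end

# Constructed fixture (hypothetical names): issues a certificate signed by
# issuer, or self-signed when issuer is nil, so no real engine is needed.
def make_cert(subject, issuer: nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..(1 << 30))
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[:cert] : cert, cert)
  bc_value = ca ? 'CA:TRUE' : 'CA:FALSE'
  cert.add_extension(ef.create_extension('basicConstraints', bc_value, true))
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  { cert: cert, key: key }
end

# Self-signed engine CA (stands in for /etc/pki/ovirt-engine/ca.pem) and the
# engine's own certificate issued by it.
RHV_CA = make_cert('/CN=Example RHV CA', ca: true)
ENGINE = make_cert('/CN=engine.example.com', issuer: RHV_CA)
```

With the freshly generated CA, the nil case only succeeds once that CA has been added to the system database and the process restarted, which is exactly the reload caveat noted above.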
Verified that after following Steps to Reproduce, provider verification succeeds.
CFME 188.8.131.52, RHV 4.1.3