Bug 1576377 - engine-setup rewrites SSL*File options
Summary: engine-setup rewrites SSL*File options
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Setup.Engine
Version: 4.2.3.5
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-4.2.4
Assignee: Yedidyah Bar David
QA Contact: Lucie Leistnerova
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-05-09 10:14 UTC by Yedidyah Bar David
Modified: 2018-06-26 08:41 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
engine-setup now checks if apache httpd's ssl.conf file needs updates also on upgrades, prompts accordingly, and applies the updates as needed. Now, only parameters that actually require a change are changed - specifically, manual user changes to SSL certificates are not overridden.

doc team: Please see bug 1558500 and comment 0 of current. Copied doc text from that bug and added a statement. Feel free to rewrite however you find best. Also, "parameters that actually require a change" are currently only a single one, "SSLProtocol". So if you want to be more specific than we tried to be in the past (and in the code), it's enough to:

engine-setup now only updates SSLProtocol in apache httpd's ssl.conf file, if needed, and not other parameters.
Clone Of:
Environment:
Last Closed: 2018-06-26 08:41:53 UTC
oVirt Team: Integration
rule-engine: ovirt-4.2+
rule-engine: exception+


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 91829 0 master MERGED packaging: setup: Keep some httpd params on update 2020-03-09 15:00:37 UTC
oVirt gerrit 91878 0 ovirt-engine-4.2 MERGED packaging: setup: Keep some httpd params on update 2020-03-09 15:00:37 UTC

Description Yedidyah Bar David 2018-05-09 10:14:02 UTC
Description of problem:

See bug 1558500.

This means also that a sysadmin changing ssl.conf after setup to use custom certs (probably signed by a 3rd party CA), gets these changes overwritten back to engine-setup's default, which is the internal CA.

This was first reported on the thread starting with:

https://lists.ovirt.org/archives/list/users@ovirt.org/thread/FSREE7KQOZ32IWSYTGIQ5JIJFQM25BV3/

(Current archive seems to not be up-to-date so does not include latest relevant emails).

Version-Release number of selected component (if applicable):

4.2.3

How reproducible:

Always

Steps to Reproduce:
1. Install and setup a 4.1 engine, as in bug 1558500.
2. Manually configure 3rd-party CA certs for apache httpd in ssl.conf
3. Upgrade to 4.2.3

Actual results:

Manual changes to SSLCertificateFile, SSLCertificateKeyFile or SSLCACertificateFile done in step (2.) are reverted

Expected results:

Only changes to SSLProtocol and CustomLog options are done, but not to the SSL*File options.

Additional info:

Comment 1 Lucie Leistnerova 2018-06-12 09:26:12 UTC
engine-setup asks for changes in ssl.conf and then changes only SSLProtocol, CustomLog. SSLCertificate settings are unchanged.

verified in ovirt-engine-setup-4.2.4.2-0.1.el7_3.noarch
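
Added example (not part of this bug report and not ovirt-engine's code): a minimal sketch of the behaviour described above, where an updater rewrites only the managed directives whose value differs and leaves SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile untouched. It assumes SSLProtocol is the only managed directive, as the doc text states; the target value, the sample ssl.conf fragment and the name `plan_updates` are constructed for illustration.

```python
import re

# Assumption: SSLProtocol is the only directive setup manages (per the doc
# text above); the value is a constructed sample, not oVirt's actual default.
MANAGED = {"SSLProtocol": "-all +TLSv1.2"}

# Matches an active directive line; commented-out lines and <Section> tags
# start with '#' or '<' and therefore never match.
_DIRECTIVE = re.compile(r"^(\s*)([A-Za-z]+)\s+(.*?)\s*$")


def plan_updates(conf_text, managed=MANAGED):
    """Return (new_text, changes, missing) without touching unmanaged lines.

    changes: list of (directive, old_value, new_value) actually rewritten.
    missing: managed directives with no active line; left for the caller,
             since the right place to insert depends on the VirtualHost.
    """
    wanted = {name.lower(): (name, value) for name, value in managed.items()}
    seen, changes, out = set(), [], []
    for line in conf_text.splitlines():
        m = _DIRECTIVE.match(line)
        key = m.group(2).lower() if m else None  # httpd names are case-insensitive
        if key in wanted:
            name, want = wanted[key]
            seen.add(key)
            have = " ".join(m.group(3).split())
            if have != want:
                changes.append((name, have, want))
                line = f"{m.group(1)}{name} {want}"
        out.append(line)
    missing = [wanted[k][0] for k in wanted if k not in seen]
    tail = "\n" if conf_text.endswith("\n") else ""
    return "\n".join(out) + tail, changes, missing


# Constructed sample: an ssl.conf fragment after an admin installed
# third-party certificates (paths are made up).
SAMPLE = """\
<VirtualHost _default_:443>
  # SSLProtocol all
  SSLProtocol all -SSLv2
  SSLCertificateFile /etc/pki/tls/certs/custom.example.crt
  SSLCertificateKeyFile /etc/pki/tls/private/custom.example.key
  SSLCACertificateFile /etc/pki/tls/certs/custom-ca.example.pem
</VirtualHost>
"""
```

An empty `changes` list on a second run is the signal that no prompt and no rewrite are needed.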

Comment 2 Sandro Bonazzola 2018-06-26 08:41:53 UTC
This bugzilla is included in oVirt 4.2.4 release, published on June 26th 2018.

Since the problem described in this bug report should be resolved in oVirt 4.2.4 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.
