Description of problem:
OVN network synchronization not working after replacing the RHV-M TLS certificate with a commercial one

Version-Release number of selected component (if applicable):
4.2.4

How reproducible:
always

Steps to Reproduce:
1. configure ovn as external provider
2. replace web ui certificates for custom ones
3. restart ovirt engine

Actual results:
ovn network synchronization stops with error

2018-07-03 10:20:41,888 root [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
Traceback (most recent call last):
  File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 133, in _handle_request
    method, path_parts, content)
  File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175, in handle_request
    return self.call_response_handler(handler, content, parameters)
  File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in call_response_handler
    return response_handler(content, parameters)
  File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py", line 62, in post_tokens
    user_password=user_password)
  File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 26, in create_token
    return auth.core.plugin.create_token(user_at_domain, user_password)
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/plugin.py", line 48, in create_token
    timeout=self._timeout())
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75, in create_token
    username, password, engine_url, ca_file, timeout)
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91, in _get_sso_token
    timeout=timeout
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54, in wrapper
    response = func(*args, **kwargs)
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47, in wrapper
    raise BadGateway(e)
BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

Expected results:
ovn network synchronization will continue working

Additional info:
Workaround: edit the file /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf and change the value of ovirt-ca-file from /etc/pki/ovirt-engine/ca.pem to /etc/pki/ovirt-engine/apache-ca.pem
Can we use /etc/pki/ovirt-engine/apache-ca.pem instead of /etc/pki/ovirt-engine/ca.pem as suggested in https://access.redhat.com/support/cases/#/case/02133602?commentId=a0aA000000N9KkjIAF ?
(In reply to Dan Kenigsberg from comment #1)
> Can we use /etc/pki/ovirt-engine/apache-ca.pem instead of
> /etc/pki/ovirt-engine/ca.pem as suggested in
> https://access.redhat.com/support/cases/#/case/02133602?commentId=a0aA000000N9KkjIAF ?

Yes, this seems to be a nice improvement.
We should include the systemctl restart ovirt-provider-ovn in Administration Guide > Appendix D. Red Hat Virtualization and SSL
We should include the manual check that the admin has to ensure that ovirt-ca-file in /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf should point to /etc/pki/ovirt-engine/apache-ca.pem in Administration Guide > Appendix D. Red Hat Virtualization and SSL. This helps on updated installations with an old or manually changed config file.
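The manual check discussed in the comments above can be scripted. The following is an added example, not part of the bug report or of ovirt-provider-ovn; it assumes the conf file uses plain `key=value` lines, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: audit which CA file ovirt-provider-ovn uses to verify the engine.
# Paths are the ones named in this bug; override them via arguments if needed.
EXPECTED_CA=/etc/pki/ovirt-engine/apache-ca.pem
DEFAULT_CONF=/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf

# Print the effective ovirt-ca-file value: last uncommented assignment in the file.
get_ovirt_ca_file() {
    sed -n 's/^[[:space:]]*ovirt-ca-file[[:space:]]*[=:][[:space:]]*//p' "$1" 2>/dev/null \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Exit status: 0 = points at the expected CA, 1 = points elsewhere, 2 = key not set.
check_ovirt_ca_file() {
    conf=${1:-$DEFAULT_CONF}
    expected=${2:-$EXPECTED_CA}
    value=$(get_ovirt_ca_file "$conf")
    if [ -z "$value" ]; then
        echo "MISSING: ovirt-ca-file is not set in $conf" >&2
        return 2
    fi
    if [ "$value" != "$expected" ]; then
        echo "MISMATCH: ovirt-ca-file=$value, expected $expected" >&2
        return 1
    fi
    echo "OK: ovirt-ca-file=$value"
}

# Optional: confirm a CA file really validates a PEM certificate (for example the
# one Apache serves). Matches on the ": OK" output line rather than the exit code.
ca_verifies_cert() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Typical use on the engine host, followed by the restart mentioned above:
#   check_ovirt_ca_file || echo "fix ovirt-ca-file, then: systemctl restart ovirt-provider-ovn"
```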
Verified on:
4.3.0-0.0.master.20180928133328.git50c4de4.el7
ovirt-provider-ovn-1.2.16-0.20180927112927.git2c9d1d9.el7.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:1085