
Bug 1607149

Summary: [downstream clone - 4.2.5] OVN network synchronization not working after replacing the RHV-M tls certificate with a commercial one
Product: Red Hat Enterprise Virtualization Manager
Reporter: RHV bug bot <rhv-bugzilla-bot>
Component: ovirt-engine
Assignee: Dominik Holler <dholler>
Status: CLOSED ERRATA
QA Contact: msheena
Severity: high
Docs Contact:
Priority: high
Version: 4.2.4
CC: danken, lsurette, mburman, msheena, Rhev-m-bugs, srevivo, tburke, trichard, ylavi
Target Milestone: ovirt-4.2.5
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, ovirt-provider-ovn configuration generated by engine-setup used the Manager's certificate authority in `/etc/pki/ovirt-engine/ca.pem` to verify the Manager's certificate. If the administrator replaced the TLS/SSL certificate, they also had to update the path to the new certificate authority file manually, in `/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf`. Now, ovirt-provider-ovn config generated by engine-setup uses the webserver certificate authority in `/etc/pki/ovirt-engine/apache-ca.pem` to verify the Manager's certificate. For new installations, restarting the ovirt-provider-ovn service updates the replaced certificate. For updated installations, you must manually check that `ovirt-ca-file` in `/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf` points to `/etc/pki/ovirt-engine/apache-ca.pem`.
Story Points: ---
Clone Of: 1598131
Environment:
Last Closed: 2018-07-31 17:50:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Network
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1598131
Bug Blocks:

Description RHV bug bot 2018-07-22 14:51:28 UTC
+++ This bug is a downstream clone. The original bug is: +++
+++   bug 1598131 +++
======================================================================

Description of problem:
OVN network synchronization not working after replacing the RHV-M tls certificate with a commercial one

Version-Release number of selected component (if applicable):
4.2.4

How reproducible:
always

Steps to Reproduce:
1. configure ovn as external provider
2. replace web ui certificates for custom ones
3. restart ovirt engine

Actual results:
ovn network synchronization stops with error

2018-07-03 10:20:41,888 root [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
Traceback (most recent call last):
  File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 133, in _handle_request
    method, path_parts, content)
  File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175, in handle_request
    return self.call_response_handler(handler, content, parameters)
  File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in call_response_handler
    return response_handler(content, parameters)
  File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py", line 62, in post_tokens
    user_password=user_password)
  File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 26, in create_token
    return auth.core.plugin.create_token(user_at_domain, user_password)
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/plugin.py", line 48, in create_token
    timeout=self._timeout())
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75, in create_token
    username, password, engine_url, ca_file, timeout)
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91, in _get_sso_token
    timeout=timeout
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54, in wrapper
    response = func(*args, **kwargs)
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47, in wrapper
    raise BadGateway(e)
BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)


Expected results:

ovn network synchronization will continue working

Additional info:

workaround

edit file /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf 
and change the value of ovirt-ca-file from /etc/pki/ovirt-engine/ca.pem to /etc/pki/ovirt-engine/apache-ca.pem

(Originally by Marian Jankular)

Comment 1 RHV bug bot 2018-07-22 14:51:35 UTC
Can we use /etc/pki/ovirt-engine/apache-ca.pem instead of /etc/pki/ovirt-engine/ca.pem as suggested in https://access.redhat.com/support/cases/#/case/02133602?commentId=a0aA000000N9KkjIAF ?

(Originally by danken)

Comment 4 RHV bug bot 2018-07-22 14:51:43 UTC
(In reply to Dan Kenigsberg from comment #1)
> Can we use /etc/pki/ovirt-engine/apache-ca.pem instead of
> /etc/pki/ovirt-engine/ca.pem as suggested in
> https://access.redhat.com/support/cases/#/case/
> 02133602?commentId=a0aA000000N9KkjIAF ?

Yes, this seems to be a nice improvement.

(Originally by Dominik Holler)

Comment 5 RHV bug bot 2018-07-22 14:51:47 UTC
We should include the
systemctl restart ovirt-provider-ovn
in Administration Guide > Appendix D. Red Hat Virtualization and SSL

(Originally by Dominik Holler)

Comment 6 RHV bug bot 2018-07-22 14:51:52 UTC
We should include the manual check that the admin has to ensure that
ovirt-ca-file in /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf should point to /etc/pki/ovirt-engine/apache-ca.pem
in Administration Guide > Appendix D. Red Hat Virtualization and SSL.
This helps on updated installations with old or manually changed config file.

(Originally by Dominik Holler)
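The workaround from the description and the manual check from comments 5 and 6, as an added shell example that is not part of this bug report or of ovirt-provider-ovn: it reads `ovirt-ca-file` from the provider config, reports whether it still points at the engine CA (`ca.pem`) instead of the webserver CA (`apache-ca.pem`), and rewrites it with a backup. It assumes the config is a plain `key=value` file with an `[OVIRT]` section; the sample file it builds is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report or ovirt-provider-ovn).
# After a commercial certificate is installed on RHV-M, the provider keeps
# verifying the Manager against /etc/pki/ovirt-engine/ca.pem and fails with
# CERTIFICATE_VERIFY_FAILED; the fix is to point ovirt-ca-file at the
# webserver CA and restart the service.

WEB_CA=/etc/pki/ovirt-engine/apache-ca.pem
OVN_CONF=/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf

# Print the configured ovirt-ca-file value from config file $1.
# Returns 1 when the key is absent. Assumes "key=value" lines.
get_ovirt_ca_file() {
    val=$(sed -n 's/^[[:space:]]*ovirt-ca-file[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Exit 0 if $1 points ovirt-ca-file at the webserver CA ($2, default WEB_CA),
# 1 if it points elsewhere (typically the old engine CA), 2 if the key is missing.
check_ovn_ca_config() {
    conf="$1"
    expected="${2:-$WEB_CA}"
    val=$(get_ovirt_ca_file "$conf") || return 2
    [ "$val" = "$expected" ]
}

# Rewrite ovirt-ca-file in $1 to the webserver CA, keeping a .bak copy.
# Uses a temp file plus mv rather than sed -i so it works with any POSIX sed.
fix_ovn_ca_config() {
    conf="$1"
    expected="${2:-$WEB_CA}"
    cp "$conf" "$conf.bak"
    tmp="$conf.tmp.$$"
    sed "s|^\([[:space:]]*ovirt-ca-file[[:space:]]*=[[:space:]]*\).*|\1$expected|" "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
}

# Constructed sample resembling the pre-fix config written by engine-setup
# (only the relevant section and keys are shown).
make_sample_config() {
    cat > "$1" <<'EOF'
[OVIRT]
ovirt-sso-client-id=ovirt-provider-ovn
ovirt-ca-file=/etc/pki/ovirt-engine/ca.pem
EOF
}

# Demo on the constructed sample. On a real Manager, run
#   check_ovn_ca_config "$OVN_CONF" || fix_ovn_ca_config "$OVN_CONF"
# and then: systemctl restart ovirt-provider-ovn
demo_conf=$(mktemp)
make_sample_config "$demo_conf"
if check_ovn_ca_config "$demo_conf"; then
    echo "ok: ovirt-ca-file already points at $WEB_CA"
else
    echo "ovirt-ca-file is $(get_ovirt_ca_file "$demo_conf"), rewriting to $WEB_CA"
    fix_ovn_ca_config "$demo_conf"
    echo "updated; restart the provider with: systemctl restart ovirt-provider-ovn"
fi
rm -f "$demo_conf" "$demo_conf.bak"
```

The check distinguishes a missing key (exit 2) from a wrong value (exit 1) because an updated installation may carry an old or hand-edited file where the key was removed entirely, which the Doc Text's manual check would otherwise miss.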

Comment 8 msheena 2018-07-25 15:47:52 UTC
verified on:
4.2.5.2-0.1.el7ev

Comment 10 errata-xmlrpc 2018-07-31 17:50:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2318