Bug 1607149 - [downstream clone - 4.2.5] OVN network synchronization not working after replacing the RHV-M tls certificate with a commercial one
Status: CLOSED ERRATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine (Show other bugs)
Version: 4.2.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-4.2.5
Target Release: ---
Assigned To: Dominik Holler
QA Contact: msheena
Keywords: ZStream
Depends On: 1598131
Blocks:
Reported: 2018-07-22 10:51 EDT by RHV Bugzilla Automation and Verification Bot
Modified: 2018-08-06 04:56 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, ovirt-provider-ovn configuration generated by engine-setup used the Manager's certificate authority in `/etc/pki/ovirt-engine/ca.pem` to verify the Manager's certificate. If the administrator replaced the TLS/SSL certificate, they also had to update the path to the new certificate authority file manually, in `/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf`. Now, ovirt-provider-ovn config generated by engine-setup uses the webserver certificate authority in `/etc/pki/ovirt-engine/apache-ca.pem` to verify the Manager's certificate. For new installations, restarting the ovirt-provider-ovn service updates the replaced certificate. For updated installations, you must manually check that `ovirt-ca-file` in `/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf` points to `/etc/pki/ovirt-engine/apache-ca.pem`.
Story Points: ---
Clone Of: 1598131
Environment:
Last Closed: 2018-07-31 13:50:11 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Network
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 93049 master MERGED packaging: setup: ovn: change path to oVirt ca 2018-07-22 10:52 EDT
oVirt gerrit 93085 ovirt-engine-4.2 MERGED packaging: setup: ovn: change path to oVirt ca 2018-07-22 10:52 EDT
Red Hat Product Errata RHBA-2018:2318 None None None 2018-07-31 13:50 EDT

Description RHV Bugzilla Automation and Verification Bot 2018-07-22 10:51:28 EDT
+++ This bug is a downstream clone. The original bug is: +++
+++   bug 1598131 +++
======================================================================

Description of problem:
OVN network synchronization not working after replacing the RHV-M tls certificate with a commercial one

Version-Release number of selected component (if applicable):
4.2.4

How reproducible:
always

Steps to Reproduce:
1. configure ovn as external provider
2. replace web ui certificates for custom ones
3. restart ovirt engine

Actual results:
ovn network synchronization stops with error

2018-07-03 10:20:41,888 root [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
Traceback (most recent call last):
  File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 133, in _handle_request
    method, path_parts, content)
  File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175, in handle_request
    return self.call_response_handler(handler, content, parameters)
  File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in call_response_handler
    return response_handler(content, parameters)
  File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py", line 62, in post_tokens
    user_password=user_password)
  File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 26, in create_token
    return auth.core.plugin.create_token(user_at_domain, user_password)
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/plugin.py", line 48, in create_token
    timeout=self._timeout())
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75, in create_token
    username, password, engine_url, ca_file, timeout)
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91, in _get_sso_token
    timeout=timeout
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54, in wrapper
    response = func(*args, **kwargs)
  File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47, in wrapper
    raise BadGateway(e)
BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)


Expected results:

ovn network synchronization will continue working

Additional info:

workaround

edit file /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
and change the value of ovirt-ca-file from /etc/pki/ovirt-engine/ca.pem to /etc/pki/ovirt-engine/apache-ca.pem

(Originally by Marian Jankular)
Comment 1 RHV Bugzilla Automation and Verification Bot 2018-07-22 10:51:35 EDT
Can we use /etc/pki/ovirt-engine/apache-ca.pem instead of /etc/pki/ovirt-engine/ca.pem as suggested in https://access.redhat.com/support/cases/#/case/02133602?commentId=a0aA000000N9KkjIAF ?

(Originally by danken)
Comment 4 RHV Bugzilla Automation and Verification Bot 2018-07-22 10:51:43 EDT
(In reply to Dan Kenigsberg from comment #1)
> Can we use /etc/pki/ovirt-engine/apache-ca.pem instead of
> /etc/pki/ovirt-engine/ca.pem as suggested in
> https://access.redhat.com/support/cases/#/case/02133602?commentId=a0aA000000N9KkjIAF ?

Yes, this seems to be a nice improvement.

(Originally by Dominik Holler)
Comment 5 RHV Bugzilla Automation and Verification Bot 2018-07-22 10:51:47 EDT
We should include the
systemctl restart ovirt-provider-ovn
in Administration Guide > Appendix D. Red Hat Virtualization and SSL

(Originally by Dominik Holler)
Comment 6 RHV Bugzilla Automation and Verification Bot 2018-07-22 10:51:52 EDT
We should include the manual check that the admin has to ensure that
ovirt-ca-file in /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf should point to /etc/pki/ovirt-engine/apache-ca.pem
in Administration Guide > Appendix D. Red Hat Virtualization and SSL.
This helps on updated installations with old or manually changed config file.

(Originally by Dominik Holler)
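The Doc Text and comment 6 above describe the check an administrator has to make on updated installations: ovirt-ca-file in 10-setup-ovirt-provider-ovn.conf must point at apache-ca.pem (the CA that issued the web server certificate) rather than the Manager's internal ca.pem, otherwise the provider's SSO call to the Manager fails with CERTIFICATE_VERIFY_FAILED as in the traceback in the description. The script below automates that audit and applies the workaround from the description. It is an added example, not code from this bug report or from ovirt-provider-ovn; it assumes only that the config is a line-oriented key=value file containing an ovirt-ca-file line, and the sample config plus the empty stand-in CA bundle it writes into a temporary directory are constructed for the demo.

```python
"""Audit and repair the CA bundle ovirt-provider-ovn uses to verify the Manager.

Added example, not code from the bug report or from ovirt-provider-ovn.
The config is treated as a line-oriented key=value file; only the
ovirt-ca-file line is touched. SAMPLE_CONF below is constructed for the demo.
"""
import os
import re
import tempfile

CONF_PATH = "/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf"
INTERNAL_CA = "/etc/pki/ovirt-engine/ca.pem"          # Manager's internal CA
WEBSERVER_CA = "/etc/pki/ovirt-engine/apache-ca.pem"  # CA that issued the webserver cert

# group 1: key, '=' and surrounding blanks; group 2: the value (a path, no whitespace)
KEY_RE = re.compile(r"^(\s*ovirt-ca-file\s*=[ \t]*)(\S*)")


def classify(value, ca_exists=os.path.exists):
    """Map the configured ovirt-ca-file value to a verdict.

    'stale'      - still the internal CA: a commercial web certificate does not
                   chain to ca.pem, so SSO fails with CERTIFICATE_VERIFY_FAILED.
    'missing'    - no ovirt-ca-file key (or an empty value) in the file.
    'unreadable' - key present but the bundle is not on disk.
    'ok'         - key present and the bundle exists.
    """
    if not value:
        return "missing"
    if value == INTERNAL_CA:
        return "stale"
    if not ca_exists(value):
        return "unreadable"
    return "ok"


def read_ca_file(conf_path):
    """Return the last ovirt-ca-file value in conf_path, or None if absent."""
    value = None
    with open(conf_path) as fh:
        for line in fh:
            m = KEY_RE.match(line)
            if m:
                value = m.group(2)
    return value


def audit_ca_file(conf_path, ca_exists=os.path.exists):
    return classify(read_ca_file(conf_path), ca_exists)


def repair_ca_file(conf_path, new_ca=WEBSERVER_CA):
    """Point ovirt-ca-file at new_ca, leaving every other byte of the file alone.

    Returns True if the file changed. An absent key is left alone: where to add
    it depends on the section layout, which this script does not assume. The
    new content goes to a temp file in the same directory (mode preserved) and
    is renamed over the original, so a crash cannot leave a half-written config
    for the next `systemctl restart ovirt-provider-ovn` to load.
    """
    with open(conf_path) as fh:
        lines = fh.readlines()
    changed = False
    for i, line in enumerate(lines):
        m = KEY_RE.match(line)
        if m and m.group(2) != new_ca:
            lines[i] = m.group(1) + new_ca + line[m.end():]
            changed = True
    if changed:
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(conf_path) or ".")
        with os.fdopen(fd, "w") as fh:
            fh.writelines(lines)
        os.chmod(tmp, os.stat(conf_path).st_mode & 0o7777)
        os.replace(tmp, conf_path)
    return changed


SAMPLE_CONF = """\
# constructed sample shaped like the engine-setup generated file
[OVIRT]
ovirt-host=https://engine.example.com
ovirt-ca-file=/etc/pki/ovirt-engine/ca.pem
"""


def demo():
    """Audit -> repair -> repair again -> audit on the sample; returns what was observed."""
    workdir = tempfile.mkdtemp()
    conf = os.path.join(workdir, "10-setup-ovirt-provider-ovn.conf")
    ca = os.path.join(workdir, "apache-ca.pem")   # empty stand-in for the real bundle
    with open(conf, "w") as fh:
        fh.write(SAMPLE_CONF)
    open(ca, "w").close()
    before = audit_ca_file(conf)
    changed = repair_ca_file(conf, new_ca=ca)
    again = repair_ca_file(conf, new_ca=ca)       # second run must be a no-op
    after = audit_ca_file(conf)
    with open(conf) as fh:
        text = fh.read()
    return before, changed, again, after, text


if __name__ == "__main__":
    print(demo()[:4])
```

The fix the bug settles on is to trust the right CA, not to relax verification: a 'stale' verdict means the provider is correctly refusing a certificate its trust anchor did not issue, and the remedy is the apache-ca.pem path followed by a restart of ovirt-provider-ovn, as comment 5 notes.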
Comment 8 msheena 2018-07-25 11:47:52 EDT
verified on:
4.2.5.2-0.1.el7ev
Comment 10 errata-xmlrpc 2018-07-31 13:50:11 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2318
