Description of problem:
By default, the RHV uses self signed cert for HTTPS and Ovirt-engine stuff (talking to hypervisors internally). But, when User decides to only update the HTTPS with his own organization CA, the satellite fetches wrong CACERT from RHV

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Have a RHV using custom cert, (Not self signed) for HTTPS
2. Try to add the RHV as compute resource
3.

Actual results:
Unable to save
ERF56-1309 [Foreman::FingerprintException]: The remote system presented a public key signed by an unidentified certificate authority. If you are sure the remote system is authentic, go to the compute resource edit page, press the 'Test Connection' or 'Load Datacenters' button and submit
ERF56-1309 [Foreman::FingerprintException]: The remote system presented a public key signed by an unidentified certificate authority. If you are sure the remote system is authentic, go to the compute resource edit page, press the 'Test Connection' or 'Load Datacenters' button and submit

Expected results:
It should Fetch the updated CA cert from RHV

Additional info:
Only workaround possible is from UI. When adding RHV CA, there is a X509 Certification Authorities field where user can paste the content of cert and then Click "Load Datacenters"
Please note, the field description says "Optionally provide a CA, or a correctly ordered CA chain. If left blank, a self-signed CA will be populated automatically by the server during the first request." However, I would expect the Satellite to download the cert that is actually used so the current behavior seems undesirable to me.
*** This bug has been marked as a duplicate of bug 1602835 ***
Ido, I don't think these are duplicates. This bug is about Foreman not fetching custom cert when clicking 'Load Datacenters' in the WUI (whether it is a bug or not is another issue) while the other bug is about API not supporting manual CAcert specification. However, bug 1343391 appears to be related.
Okay, reopened it. I misread the issue, sorry.
At the moment, when creating ovirt compute resource the behavior is the following:
- If there is no custom certificate - It will fetch the self-signed certificate from here: http://${OVIRT}/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
- If there is a custom certificate - then the custom CA is not fetched, and nothing is filled in at the CA input.

The reason you are receiving an error is because you are entering a wrong CA. You are putting the self signed CA and not the custom one. Please, try to download the root CA. In Chrome:
1. Go to ovirt UL
2. Next to ovirt URL, in the left side you have a lock icon, click on it
3. Click on certificate
4. Click on the 'Details' Tab
5. Under the Certificate Hierarchy select the first one
6. Export
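The check behind the comment above, as an added example that is not part of the original thread: before pasting a CA into the X509 Certification Authorities field, confirm that the certificate served on HTTPS actually chains to it. The CA names, host name `rhv.example.test`, file names and the helpers `ca_matches` and `make_demo_pki` are constructed for this demo, which assumes the `openssl` CLI with its default configuration.

```shell
#!/bin/sh
# Added example: every certificate, name and path here is constructed.
# On a real deployment the inputs would be the engine's internal CA (the
# pki-resource URL quoted in the comment above) and the leaf certificate
# that the HTTPS port actually presents.

# Print "match" if leaf certificate $1 chains to CA bundle $2, else "mismatch".
ca_matches() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo match
  else
    echo mismatch
  fi
}

# Build a throwaway PKI in directory $1: an internal engine CA, a separate
# organization CA, and an HTTPS leaf signed only by the organization CA.
make_demo_pki() {
  pki_dir=$1
  for ca in engine-ca org-ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-$ca" \
      -keyout "$pki_dir/$ca.key" -out "$pki_dir/$ca.pem" 2>/dev/null || return 1
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=rhv.example.test" \
    -keyout "$pki_dir/https.key" -out "$pki_dir/https.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$pki_dir/https.csr" -days 1 \
    -CA "$pki_dir/org-ca.pem" -CAkey "$pki_dir/org-ca.key" -CAcreateserial \
    -out "$pki_dir/https.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
# The auto-populated internal CA does not validate the custom HTTPS cert;
# the organization CA does, so that is the one to supply.
echo "engine internal CA: $(ca_matches "$demo_dir/https.pem" "$demo_dir/engine-ca.pem")"
echo "organization CA:    $(ca_matches "$demo_dir/https.pem" "$demo_dir/org-ca.pem")"
rm -rf "$demo_dir"
```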
Yes, the reason for filing the issue is to address the same behaviour as mentioned in comment #10. Satellite should be able to fetch the correct CA cert while adding RHV compute resource. We can switch the bug to an RFE to track this.
Sanket, please change the bug to RFE, thanks.
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact Red Hat Technical Support. Thank you.