Bug 1637809 - ovirt-imageio-proxy should use apache's pki
Summary: ovirt-imageio-proxy should use apache's pki
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-imageio
Classification: oVirt
Component: Proxy
Version: 1.1.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ovirt-4.3.6
Target Release: 1.5.2
Assignee: Yedidyah Bar David
QA Contact: Petr Matyáš
URL:
Whiteboard:
Duplicates: 1575979 (view as bug list)
Depends On:
Blocks: 1385617 1725734
 
Reported: 2018-10-10 07:01 UTC by Yedidyah Bar David
Modified: 2020-02-25 09:23 UTC
CC: 8 users

Fixed In Version: ovirt-imageio-proxy-1.5.2
Doc Type: Bug Fix
Doc Text:
Doc team: Please see the discussion on doc bug 1385617. Copying the commit message text of the main patch for current bug, which explains what the patch does. As is common in git commits, this is in imperative style, not doc style. Feel free to keep content but convert style, or write your own. With this bug fixed, the change for doc bug 1385617 will be just a single small item (to restart the proxy). Commit message follows:

packaging: setup: proxy: Use apache pki instead of own

Use apache httpd key/cert/ca_cert instead of engine-ca-generated ones. This should make it easier to use:

- If using engine-ca for apache, user most likely already approved it in the browser when logging in, so will not have to handle again for imageio.
- If using 3rd party CA for apache, CA cert likely already added to the browser.

In a normal upgrade, where the user didn't touch the conf manually, notify the user and update the proxy conf.

In an upgrade where the user changed the conf manually after setup, create a new file with a different name and notify the user, suggesting to check the diff and update.

In an upgrade where the user changed the conf manually after setup, but changed it to have the content we want it to have with current patch, only log, but still "update" the file, so that a following setup or especially cleanup will consider the file "ok" (not changed manually).

The only case that will be broken by current patch is if a user needs, for some reason, two different certs for the two different https services on two different ports, on the engine machine. In a discussion in bugzilla it was decided that this is not an issue.
Clone Of:
Clones: 1725734 (view as bug list)
Environment:
Last Closed: 2019-09-26 19:43:36 UTC
oVirt Team: Integration
Embargoed:
rule-engine: ovirt-4.3+
Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 97507 0 'None' MERGED packaging: setup: proxy: Use apache pki instead of own 2021-02-01 23:04:24 UTC
oVirt gerrit 98739 0 'None' MERGED packaging: setup: Require configuring the engine 2021-02-01 23:04:24 UTC
oVirt gerrit 102147 0 'None' MERGED spec: Require new engine 2021-02-01 23:04:24 UTC

Description Yedidyah Bar David 2018-10-10 07:01:41 UTC
Description of problem:

Please see the long discussion on bug 1385617.

If the only client to ovirt-imageio-proxy is the admin's browser, which IIUC is correct, I think by now everyone agrees it does not need its own keypair, but should use apache's.

Please make the proxy's engine-setup config plugin generate a conf file with:

ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer

We should also consider what to do on upgrades. IMO we can check if the file was changed outside of engine-setup, and if not, update it on upgrades.
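
As an added example, not the project's own engine-setup plugin code: the "changed outside engine-setup" check proposed above, together with the three upgrade outcomes spelled out in the Doc Text (untouched file: overwrite and notify; hand-edited file: write a sibling and ask the admin to diff; hand-edited to exactly the wanted content: only re-record it as "ours"). It assumes, hypothetically, that setup stored the sha256 of the file it last wrote; the old imageio-proxy key/cert paths in OLD_CONF and the ".new" sibling name are constructed for the demo and are not taken from ovirt-imageio.

```python
"""
Added example (not ovirt-imageio's code): three-way upgrade decision for a
setup-generated config file, keyed on a recorded checksum.

Assumption (hypothetical): the previous setup run recorded the sha256 of the
file it wrote. If the file on disk still hashes to that value, nobody edited
it by hand and it is safe to overwrite.
"""
import hashlib
import os
import tempfile
from enum import Enum

# Wanted content after the fix: the two lines requested in this bug.
NEW_CONF = (
    "ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass\n"
    "ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer\n"
)

# Constructed sample of what an older setup might have written.
# The file names are hypothetical, not the project's real ones.
OLD_CONF = (
    "ssl_key_file = /etc/pki/ovirt-engine/keys/imageio-proxy.key.nopass\n"
    "ssl_cert_file = /etc/pki/ovirt-engine/certs/imageio-proxy.cer\n"
)


class Action(Enum):
    UPDATED = "rewritten in place; notify the user"
    WRITTEN_ALONGSIDE = "written to a sibling file; ask the user to diff"
    ALREADY_CURRENT = "already has the wanted content; log and re-record the hash"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_atomic(path: str, data: bytes) -> None:
    # Write-then-rename so a crash mid-write never leaves a half-written conf.
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)


def upgrade_conf(path: str, new_content: str, recorded_hash: str):
    """Return (action, path_that_now_holds_new_content, hash_to_record)."""
    with open(path, "rb") as f:
        current = f.read()
    new_bytes = new_content.encode()
    new_hash = sha256_hex(new_bytes)

    if current == new_bytes:
        # Case 3: the admin (or an earlier run) already put the wanted content
        # there. Touch nothing, but record its hash so later setup/cleanup
        # treat the file as setup-owned rather than "modified manually".
        return Action.ALREADY_CURRENT, path, new_hash

    if sha256_hex(current) == recorded_hash:
        # Case 1: unchanged since we wrote it, so overwriting loses nothing.
        write_atomic(path, new_bytes)
        return Action.UPDATED, path, new_hash

    # Case 2: edited by hand. Never clobber the admin's changes; leave the
    # wanted content next to it (sibling name is hypothetical) and keep the
    # old recorded hash, since the live file is still the admin's.
    sibling = path + ".new"
    write_atomic(sibling, new_bytes)
    return Action.WRITTEN_ALONGSIDE, sibling, recorded_hash


def demo() -> dict:
    """Exercise the three scenarios in a scratch dir; return {scenario: Action}."""
    results = {}
    scenarios = {
        "untouched": OLD_CONF,
        "hand_edited": OLD_CONF.replace("imageio-proxy.cer", "custom.cer"),
        "hand_edited_to_target": NEW_CONF,
    }
    recorded = sha256_hex(OLD_CONF.encode())  # what the first install recorded
    with tempfile.TemporaryDirectory() as d:
        for name, content in scenarios.items():
            path = os.path.join(d, name + ".conf")
            with open(path, "w") as f:
                f.write(content)
            action, written, _ = upgrade_conf(path, NEW_CONF, recorded)
            # Whichever path was chosen must now carry exactly the wanted content.
            with open(written) as f:
                assert f.read() == NEW_CONF
            results[name] = action
    return results


if __name__ == "__main__":
    for scenario, action in demo().items():
        print(f"{scenario}: {action.value}")
```

The ordering matters: the content comparison runs before the hash check, so a file that already holds the wanted lines is never needlessly rewritten or shadowed by a sibling, and in the hand-edited case the recorded hash is deliberately left alone so that the next setup or cleanup still sees the live file as user-modified.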

Comment 1 Daniel Erez 2018-10-10 10:00:58 UTC
*** Bug 1575979 has been marked as a duplicate of this bug. ***

Comment 2 Sandro Bonazzola 2019-01-28 09:41:20 UTC
This bug has not been marked as blocker for oVirt 4.3.0.
Since we are releasing it tomorrow, January 29th, this bug has been re-targeted to 4.3.1.

Comment 3 Sandro Bonazzola 2019-07-11 07:03:33 UTC
Re-targeting to 4.3.6 not being identified as blocker for 4.3.5.

Comment 4 Yedidyah Bar David 2019-07-24 09:23:57 UTC
98739 was already merged.

98403 is for the engine, bug 1687301.

95408 is also for the engine, and we need it. I'll push another patch to require a new engine.

Comment 5 Petr Matyáš 2019-08-26 10:59:25 UTC
Verified on ovirt-engine-4.3.6.3-0.1.el7.noarch

Comment 6 Sandro Bonazzola 2019-09-26 19:43:36 UTC
This bugzilla is included in oVirt 4.3.6 release, published on September 26th 2019.

Since the problem described in this bug report should be
resolved in oVirt 4.3.6 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.
