1637809 – ovirt-imageio-proxy should use apache's pki

Bug 1637809 - ovirt-imageio-proxy should use apache's pki

Summary: ovirt-imageio-proxy should use apache's pki

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	ovirt-imageio
Classification:	oVirt
Component:	Proxy
Sub Component:
Version:	1.1.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	ovirt-4.3.6
Target Release:	1.5.2
Assignee:	Yedidyah Bar David
QA Contact:	Petr Matyáš
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1575979 (view as bug list)
Depends On:
Blocks:	1385617 1725734
TreeView+	depends on / blocked

Reported:	2018-10-10 07:01 UTC by Yedidyah Bar David
Modified:	2020-02-25 09:23 UTC (History)
CC List:	8 users (show)
Fixed In Version:	ovirt-imageio-proxy-1.5.2
Clone Of:
Clones:	1725734 (view as bug list)
Environment:
Last Closed:	2019-09-26 19:43:36 UTC
oVirt Team:	Integration
Embargoed:
Flags:	rule-engine: ovirt-4.3+

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
oVirt gerrit	97507	'None'	MERGED	packaging: setup: proxy: Use apache pki instead of own	2021-02-01 23:04:24 UTC
oVirt gerrit	98739	'None'	MERGED	packaging: setup: Require configuring the engine	2021-02-01 23:04:24 UTC
oVirt gerrit	102147	'None'	MERGED	spec: Require new engine	2021-02-01 23:04:24 UTC

Description Yedidyah Bar David 2018-10-10 07:01:41 UTC

Description of problem:

Please see the long discussion on bug 1385617.

If the only client to ovirt-imageio-proxy is the admin's browser, which IIUC is correct, I think by now everyone agrees it does not need its own keypair, but should use apache's.

Please make the proxy's engine-setup config plugin generate a conf file with:

ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer

We should also consider what to do on upgrades. IMO we can check if the file was changed outside of engine-setup, and if not, update it on upgrades.

Comment 1 Daniel Erez 2018-10-10 10:00:58 UTC

*** Bug 1575979 has been marked as a duplicate of this bug. ***

Comment 2 Sandro Bonazzola 2019-01-28 09:41:20 UTC

This bug has not been marked as blocker for oVirt 4.3.0.
Since we are releasing it tomorrow, January 29th, this bug has been re-targeted to 4.3.1.

Comment 3 Sandro Bonazzola 2019-07-11 07:03:33 UTC

Re-targeting to 4.3.6 not being identified as blocker for 4.3.5.

Comment 4 Yedidyah Bar David 2019-07-24 09:23:57 UTC

98739 was already merged.

98403 is for the engine, bug 1687301.

95408 is also for the engine, and we need it. I'll push another patch to require a new engine.

Comment 5 Petr Matyáš 2019-08-26 10:59:25 UTC

Verified on ovirt-engine-4.3.6.3-0.1.el7.noarch

Comment 6 Sandro Bonazzola 2019-09-26 19:43:36 UTC

This bugzilla is included in oVirt 4.3.6 release, published on September 26th 2019.

Since the problem described in this bug report should be
resolved in oVirt 4.3.6 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

Note You need to log in before you can comment on or make changes to this bug.