+++ This bug was initially created as a clone of Bug #1637809 +++

Description of problem:

Please see the long discussion on bug 1385617.

If the only client to ovirt-imageio-proxy is the admin's browser, which IIUC is correct, I think by now everyone agrees it does not need its own keypair, but should use apache's.

Please make the proxy's engine-setup config plugin generate a conf file with:

    ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
    ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer

We should also consider what to do on upgrades. IMO we can check if the file was changed outside of engine-setup, and if not, update it on upgrades.

--- Additional comment from Daniel Erez on 2018-10-10 10:00:58 UTC ---

--- Additional comment from Sandro Bonazzola on 2019-01-28 09:41:20 UTC ---

This bug has not been marked as blocker for oVirt 4.3.0. Since we are releasing it tomorrow, January 29th, this bug has been re-targeted to 4.3.1.
Re-targeting to 4.3.6 not being identified as blocker for 4.3.5.
Hi Yedidyah, Can you please provide a clear scenario on how to verify this bug?
(In reply to Avihai from comment #5)
> Hi Yedidyah,
>
> Can you please provide a clear scenario on how to verify this bug?

Something like:

1. Setup an engine, host(s), storage
2. Import the engine's CA cert to your browser (preferably a new browser profile for testing)
3. Verify that image upload from the UI works
4. Follow the procedure to use a 3rd-party CA [1]
5. Restart ovirt-imageio-proxy
6. Import the 3rd-party CA to your browser
7. Verify that image upload works
8. For extra points: Follow the rename procedure [2], try image upload, and open more bugs if needed.

Once you do that, you also verify bug 1385617. There, we'll add step 5 above to the procedure [1].

For creating a CA for testing, if you do not know/have other means, you can see bug 1687301 which I helped you verify.

[1] https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_CA_Certificate
[2] https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html/administration_guide/chap-utilities#sect-The_oVirt_Engine_Rename_Tool

(In reply to Yedidyah Bar David from comment #6)
> For creating a CA for testing, if you do not know/have other means, you can
> see bug 1687301 which I helped you verify.

(Well, not you, but Yosi, who is the qe owner of both...)
Verified on ovirt-engine-4.3.6.3-0.1.el7.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3015