+++ This bug is an upstream to downstream clone. The original bug is: +++ +++ bug 1763084 +++ ====================================================================== We currently put Hostname/IP into Common Name (CN) in the host certificate subject. This is not good for two reasons: - Using CN for host name matching in certificates is obsolete and should be no longer used [1]. - CN may not contain an IP address. In the latter case, migrations don't work on el8 since libvirt refuses to connect to a destination host having invalid data in its certificate. The correct way to handle the certificates is to put the host name or IP addresses to the Subject Alternative Name [2]. This is what this patch does. [1] http://wiki.cacert.org/FAQ/subjectAltName [2] https://libvirt.org/remote.html#Remote_TLS_server_certificates (Originally by Martin Perina)
The in ovirt-host-deploy is not needed to cover adding a new host or reinstall existing, we are OK with engine fix only. *** This bug has been marked as a duplicate of bug 1763109 ***