Bug 1791240 - [RFE] Make the rhv-cafile optional
Summary: [RFE] Make the rhv-cafile optional
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Advanced Virtualization
Classification: Red Hat
Component: libguestfs
Version: 8.1
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: 8.0
Assignee: Richard W.M. Jones
QA Contact: Virtualization Bugs
URL:
Whiteboard: V2V
Depends On:
Blocks:
Reported: 2020-01-15 10:07 UTC by Fabien Dupont
Modified: 2020-05-05 09:57 UTC (History)

Fixed In Version: libguestfs-1.40.2-21.module+el8.2.0+5851+8d6a931b
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-05 09:55:51 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links: Red Hat Product Errata RHBA-2020:2017 (last updated 2020-05-05 09:57:21 UTC)

Description Fabien Dupont 2020-01-15 10:07:40 UTC
Description of problem:

Currently, the rhv-cafile option is mandatory if the rhv-verifypeer option is enabled. However, if the certificate is present in the global trust store (/etc/pki/ca-trust), the ovirtsdk4 library uses it.

IMHO, it shouldn't be mandatory, but the error generated when the ovirtsdk4 connection fails should mention that rhv-cafile allows specifying a non-standard path for the CA bundle.

Comment 2 Richard W.M. Jones 2020-01-16 15:07:04 UTC
Upstream in virt-v2v commit 65ee9387d4be0e3c5cd214b967fef7a1a8841233.

I have set ITR to 8.2.0 since this appears like a simple enough fix for
AV 8.2, but feel free to move this later if it's too difficult to do so
soon.

Comment 3 Nir Soffer 2020-01-16 23:12:57 UTC
(In reply to Fabien Dupont from comment #0)
> Description of problem:
> 
> Currently, the rhv-cafile option is mandatory if rhv-verifypeer option is
> enabled. However, if the certificate is present in the global trust store
> (/etc/pki/ca-trust), the ovirtsdk4 library uses it.

How do you know if the certificate is present in the global store?

If it is not, and you don't specify the file, accessing the engine and imageio server
will fail.

> IMHO, it shouldn't be mandatory, but the error generate when ovirtsdk4
> connection fails should mention that the rhv-cafile allows specifying a non
> standard path for the CA bundle.

Can you explain why cafile should not be mandatory? Do we have a problem getting
the cafile and making it available where virt-v2v runs?

Comment 4 Fabien Dupont 2020-01-17 07:58:18 UTC
(In reply to Nir Soffer from comment #3)
> (In reply to Fabien Dupont from comment #0)
> > Description of problem:
> > 
> > Currently, the rhv-cafile option is mandatory if rhv-verifypeer option is
> > enabled. However, if the certificate is present in the global trust store
> > (/etc/pki/ca-trust), the ovirtsdk4 library uses it.
> 
> How do you know if the certificate is present in the global store?

I don't know. Basically, the certificate can be installed by:

# cp my_ca.pem /etc/pki/ca-trust/source/anchors/
# update-ca-trust extract
# rm /etc/pki/ca-trust/source/anchors/ca.pem

The certificate is then in different formats in /etc/pki/ca-trust-extracted.
 
> If it is not, and you don't specify the file, accessing engine and imageio
> server
> will fail.

So, we could check, or let it fail with a proper error message saying that
the certificate could not be verified and pointing to rhv-cafile option.
 
> > IMHO, it shouldn't be mandatory, but the error generate when ovirtsdk4
> > connection fails should mention that the rhv-cafile allows specifying a non
> > standard path for the CA bundle.
> 
> Can you explain why cafile should not be mandatory? Do we have a problem to
> get the cafile and make it available where virt-v2v run?

That's the point of having a global CA trust store. It allows not specifying the
CA certificate path while still enjoying proper verification. IMHO, providing
the CA certificate on the command line is a workaround for when you don't have
privileges to update the global trust store.

Comment 5 Richard W.M. Jones 2020-01-17 08:45:36 UTC
You don't know, but either the user should add it to the global store
or they should use rhv-cafile.  It's not really possible for virt-v2v
to check this, but it does say what to do in the manual, and this is
handled automatically by IMS.

By far the vast majority of direct command line users will turn off
certificate checking anyway because X.509 is a giant PITA.

Comment 8 mxie@redhat.com 2020-02-25 16:53:48 UTC
Verify the bug with builds:
virt-v2v-1.40.2-21.module+el8.2.0+5851+8d6a931b.x86_64
libguestfs-1.40.2-21.module+el8.2.0+5851+8d6a931b.x86_64
libvirt-6.0.0-6.module+el8.2.0+5821+109ee33c.x86_64
qemu-kvm-4.2.0-12.module+el8.2.0+5858+afd073bc.x86_64
nbdkit-1.16.2-2.module+el8.2.0+5664+dd92f997.x86_64
python3-ovirt-engine-sdk4-4.2.9-4.el8ost.x86_64

Steps:
1. Check virt-v2v-output-rhv man page about option rhv-cafile and rhv-verifypeer
     -oo rhv-cafile=ca.pem
           The ca.pem file (Certificate Authority), copied from /etc/pki/ovirt-engine/ca.pem on the
           oVirt engine.

           If -oo rhv-verifypeer is enabled then this option can be used to control which CA is used
           to verify the client’s identity.  If this option is not used then the system’s global
           trust store is used.
     -oo rhv-verifypeer
           Verify the oVirt/RHV server’s identity by checking the server‘s certificate against the
           Certificate Authority.


2. Convert a guest from VMware to RHV with virt-v2v, with no rhv-cafile and no certificate present in the global trust store, but with rhv-verifypeer=true set on the command line

# virt-v2v -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 -it vddk -io vddk-libdir=/home/vmware-vix-disklib-distrib -io vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA -o rhv-upload  -oc https://ibm-x3250m5-03.rhts.eng.pek2.redhat.com/ovirt-engine/api -op /home/rhvpasswd  -b ovirtmgmt --password-file /home/passwd -of raw -oo rhv-cluster=Default -os nfs_data  esx6.7-rhel8.1-x86_64 -oo rhv-verifypeer=true
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 381, in authenticate
    self._sso_token = self._get_access_token()
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 617, in _get_access_token
    sso_response = self._get_sso_response(self._sso_url, post_data)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 694, in _get_sso_response
    curl.perform()
pycurl.error: (60, 'SSL certificate problem: self signed certificate in certificate chain')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/tmp/v2v.fbm2KP/rhv-upload-precheck.py", line 67, in <module>
    case_sensitive=True,
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/services.py", line 5879, in list
    return self._internal_get(headers, query, wait)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/service.py", line 202, in _internal_get
    context = self._connection.send(request)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 370, in send
    return self.__send(request)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 388, in __send
    self.authenticate()
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 384, in authenticate
    self.__parse_error(e)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 932, in __parse_error
    six.reraise(clazz, clazz(error_msg), sys.exc_info()[2])
  File "/usr/lib/python3.6/site-packages/six.py", line 692, in reraise
    raise value.with_traceback(tb)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 381, in authenticate
    self._sso_token = self._get_access_token()
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 617, in _get_access_token
    sso_response = self._get_sso_response(self._sso_url, post_data)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 694, in _get_sso_response
    curl.perform()
ovirtsdk4.Error: Error while sending HTTP request: (60, 'SSL certificate problem: self signed certificate in certificate chain')
virt-v2v: error: failed server prechecks, see earlier errors

If reporting bugs, run virt-v2v with debugging enabled and include the 
complete output:

  virt-v2v -v -x [...]


3. Convert a guest from VMware to RHV with virt-v2v, with the certificate present in the global trust store and rhv-verifypeer=true set on the command line.
3.1 Make the certificate present in the global trust store
# cp /home/ca.pem /etc/pki/ca-trust/source/anchors/
# update-ca-trust extract

3.2 Convert a guest from VMware to RHV with virt-v2v, with rhv-verifypeer=true set on the command line
# virt-v2v -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 -it vddk -io vddk-libdir=/home/vmware-vix-disklib-distrib -io vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA -o rhv-upload  -oc https://ibm-x3250m5-03.rhts.eng.pek2.redhat.com/ovirt-engine/api -op /home/rhvpasswd  -b ovirtmgmt --password-file /home/passwd -of raw -oo rhv-cluster=Default -os nfs_data  esx6.7-rhel8.1-x86_64 -oo rhv-verifypeer=true
[   0.6] Opening the source -i libvirt -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 esx6.7-rhel8.1-x86_64 -it vddk  -io vddk-libdir=/home/vmware-vix-disklib-distrib -io vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA
[   2.6] Creating an overlay to protect the source from being modified
[   5.8] Opening the overlay
[  13.2] Inspecting the overlay
[  26.0] Checking for sufficient free disk space in the guest
[  26.0] Estimating space required on target for each disk
[  26.0] Converting Red Hat Enterprise Linux 8.1 Beta (Ootpa) to run on KVM
virt-v2v: warning: guest tools directory ‘linux/el8’ is missing from 
the virtio-win directory or ISO.

Guest tools are only provided in the RHV Guest Tools ISO, so this can 
happen if you are using the version of virtio-win which contains just the 
virtio drivers.  In this case only virtio drivers can be installed in the 
guest, and installation of Guest Tools will be skipped.
virt-v2v: This guest has virtio drivers installed.
[ 126.9] Mapping filesystem data to avoid copying unused and blank areas
[ 127.6] Closing the overlay
[ 127.9] Assigning disks to buses
[ 127.9] Checking if the guest needs BIOS or UEFI to boot
[ 127.9] Initializing the target -o rhv-upload -oc https://ibm-x3250m5-03.rhts.eng.pek2.redhat.com/ovirt-engine/api -op /home/rhvpasswd -os nfs_data
[ 129.2] Copying disk 1/1 to qemu URI json:{ "file.driver": "nbd", "file.path": "/var/tmp/rhvupload.1Vw9es/nbdkit0.sock", "file.export": "/" } (raw)
^C  (2.02/100%)

4. Delete the certificate from the global trust store, set the correct rhv-cafile and rhv-verifypeer=true on the command line, and convert a guest from VMware to RHV with virt-v2v
4.1 Delete the certificate present in the global store
# rm /etc/pki/ca-trust/source/anchors/ca.pem 
# update-ca-trust extract

4.2  # virt-v2v -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 -it vddk -io vddk-libdir=/home/vmware-vix-disklib-distrib -io vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA -o rhv-upload  -oc https://ibm-x3250m5-03.rhts.eng.pek2.redhat.com/ovirt-engine/api -op /home/rhvpasswd  -b ovirtmgmt --password-file /home/passwd -of raw -oo rhv-cluster=Default -os nfs_data  esx6.7-rhel8.1-x86_64 -oo rhv-verifypeer=true -oo rhv-cafile=/home/ca.pem
[   0.6] Opening the source -i libvirt -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 esx6.7-rhel8.1-x86_64 -it vddk  -io vddk-libdir=/home/vmware-vix-disklib-distrib -io vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA
[   2.6] Creating an overlay to protect the source from being modified
[   5.8] Opening the overlay
[  13.1] Inspecting the overlay
[  26.0] Checking for sufficient free disk space in the guest
[  26.0] Estimating space required on target for each disk
[  26.0] Converting Red Hat Enterprise Linux 8.1 Beta (Ootpa) to run on KVM
virt-v2v: warning: guest tools directory ‘linux/el8’ is missing from 
the virtio-win directory or ISO.

Guest tools are only provided in the RHV Guest Tools ISO, so this can 
happen if you are using the version of virtio-win which contains just the 
virtio drivers.  In this case only virtio drivers can be installed in the 
guest, and installation of Guest Tools will be skipped.
virt-v2v: This guest has virtio drivers installed.
[ 126.4] Mapping filesystem data to avoid copying unused and blank areas
[ 127.2] Closing the overlay
[ 127.5] Assigning disks to buses
[ 127.5] Checking if the guest needs BIOS or UEFI to boot
[ 127.5] Initializing the target -o rhv-upload -oc https://ibm-x3250m5-03.rhts.eng.pek2.redhat.com/ovirt-engine/api -op /home/rhvpasswd -os nfs_data
[ 128.7] Copying disk 1/1 to qemu URI json:{ "file.driver": "nbd", "file.path": "/var/tmp/rhvupload.0h5KnF/nbdkit0.sock", "file.export": "/" } (raw)
^C  (2.02/100%)

5. Don't set rhv-cafile or rhv-verifypeer on the command line and convert a guest from VMware to RHV with virt-v2v; the v2v conversion finishes without error and the guest checkpoints pass
# virt-v2v -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 -it vddk -io vddk-libdir=/home/vmware-vix-disklib-distrib -io vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA -o rhv-upload  -oc https://ibm-x3250m5-03.rhts.eng.pek2.redhat.com/ovirt-engine/api -op /home/rhvpasswd  -b ovirtmgmt --password-file /home/passwd -of raw -oo rhv-cluster=Default -os nfs_data  esx6.7-rhel8.1-x86_64 
[   0.6] Opening the source -i libvirt -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 esx6.7-rhel8.1-x86_64 -it vddk  -io vddk-libdir=/home/vmware-vix-disklib-distrib -io vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA
[   2.6] Creating an overlay to protect the source from being modified
[   5.8] Opening the overlay
[  13.2] Inspecting the overlay
[  26.1] Checking for sufficient free disk space in the guest
[  26.1] Estimating space required on target for each disk
[  26.1] Converting Red Hat Enterprise Linux 8.1 Beta (Ootpa) to run on KVM
virt-v2v: warning: guest tools directory ‘linux/el8’ is missing from 
the virtio-win directory or ISO.

Guest tools are only provided in the RHV Guest Tools ISO, so this can 
happen if you are using the version of virtio-win which contains just the 
virtio drivers.  In this case only virtio drivers can be installed in the 
guest, and installation of Guest Tools will be skipped.
virt-v2v: This guest has virtio drivers installed.
[ 126.6] Mapping filesystem data to avoid copying unused and blank areas
[ 127.4] Closing the overlay
[ 127.7] Assigning disks to buses
[ 127.7] Checking if the guest needs BIOS or UEFI to boot
[ 127.7] Initializing the target -o rhv-upload -oc https://ibm-x3250m5-03.rhts.eng.pek2.redhat.com/ovirt-engine/api -op /home/rhvpasswd -os nfs_data
[ 128.9] Copying disk 1/1 to qemu URI json:{ "file.driver": "nbd", "file.path": "/var/tmp/rhvupload.gnZ3wR/nbdkit0.sock", "file.export": "/" } (raw)
    (100.00/100%)
[1297.2] Creating output metadata
[1298.7] Finishing off

6. Set a wrong rhv-cafile and rhv-verifypeer=yes on the command line and convert a guest from VMware to RHV with virt-v2v
# virt-v2v -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 -it vddk -io vddk-libdir=/home/vmware-vix-disklib-distrib -io vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA -o rhv-upload  -oc https://ibm-x3250m5-03.rhts.eng.pek2.redhat.com/ovirt-engine/api -op /home/rhvpasswd  -b ovirtmgmt --password-file /home/passwd -of raw -oo rhv-cluster=Default -os nfs_data  esx6.7-rhel8.1-x86_64  -oo rhv-verifypeer=true -oo rhv-cafile=/home/bad.pem
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 381, in authenticate
    self._sso_token = self._get_access_token()
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 617, in _get_access_token
    sso_response = self._get_sso_response(self._sso_url, post_data)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 694, in _get_sso_response
    curl.perform()
pycurl.error: (77, 'error setting certificate verify locations:\n  CAfile: /home/bad.pem\n  CApath: none')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/tmp/v2v.3zKm2y/rhv-upload-precheck.py", line 67, in <module>
    case_sensitive=True,
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/services.py", line 5879, in list
    return self._internal_get(headers, query, wait)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/service.py", line 202, in _internal_get
    context = self._connection.send(request)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 370, in send
    return self.__send(request)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 388, in __send
    self.authenticate()
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 384, in authenticate
    self.__parse_error(e)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 932, in __parse_error
    six.reraise(clazz, clazz(error_msg), sys.exc_info()[2])
  File "/usr/lib/python3.6/site-packages/six.py", line 692, in reraise
    raise value.with_traceback(tb)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 381, in authenticate
    self._sso_token = self._get_access_token()
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 617, in _get_access_token
    sso_response = self._get_sso_response(self._sso_url, post_data)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 694, in _get_sso_response
    curl.perform()
ovirtsdk4.Error: Error while sending HTTP request: (77, 'error setting certificate verify locations:\n  CAfile: /home/bad.pem\n  CApath: none')
virt-v2v: error: failed server prechecks, see earlier errors

If reporting bugs, run virt-v2v with debugging enabled and include the 
complete output:

  virt-v2v -v -x [...]


7. Set a wrong certificate in the global trust store and rhv-verifypeer=yes on the command line and convert a guest from VMware to RHV with virt-v2v
7.1 Set a wrong certificate in the global trust store
# cp /home/bad.pem /etc/pki/ca-trust/source/anchors/
# update-ca-trust extract

7.2 # virt-v2v -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 -it vddk -io vddk-libdir=/home/vmware-vix-disklib-distrib -io vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA -o rhv-upload  -oc https://ibm-x3250m5-03.rhts.eng.pek2.redhat.com/ovirt-engine/api -op /home/rhvpasswd  -b ovirtmgmt --password-file /home/passwd -of raw -oo rhv-cluster=Default -os nfs_data  esx6.7-rhel8.1-x86_64  -oo rhv-verifypeer=true
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 381, in authenticate
    self._sso_token = self._get_access_token()
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 617, in _get_access_token
    sso_response = self._get_sso_response(self._sso_url, post_data)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 694, in _get_sso_response
    curl.perform()
pycurl.error: (60, 'SSL certificate problem: self signed certificate in certificate chain')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/tmp/v2v.AiYfri/rhv-upload-precheck.py", line 67, in <module>
    case_sensitive=True,
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/services.py", line 5879, in list
    return self._internal_get(headers, query, wait)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/service.py", line 202, in _internal_get
    context = self._connection.send(request)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 370, in send
    return self.__send(request)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 388, in __send
    self.authenticate()
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 384, in authenticate
    self.__parse_error(e)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 932, in __parse_error
    six.reraise(clazz, clazz(error_msg), sys.exc_info()[2])
  File "/usr/lib/python3.6/site-packages/six.py", line 692, in reraise
    raise value.with_traceback(tb)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 381, in authenticate
    self._sso_token = self._get_access_token()
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 617, in _get_access_token
    sso_response = self._get_sso_response(self._sso_url, post_data)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 694, in _get_sso_response
    curl.perform()
ovirtsdk4.Error: Error while sending HTTP request: (60, 'SSL certificate problem: self signed certificate in certificate chain')
virt-v2v: error: failed server prechecks, see earlier errors

If reporting bugs, run virt-v2v with debugging enabled and include the 
complete output:

  virt-v2v -v -x [...]

8. Set a non-existent rhv-cafile and rhv-verifypeer=yes on the command line and convert a guest from VMware to RHV with virt-v2v
# virt-v2v -ic vpx://root.73.141/data/10.73.75.219/?no_verify=1 -it vddk -io vddk-libdir=/home/vmware-vix-disklib-distrib -io vddk-thumbprint=1F:97:34:5F:B6:C2:BA:66:46:CB:1A:71:76:7D:6B:50:1E:03:00:EA -o rhv-upload  -oc https://ibm-x3250m5-03.rhts.eng.pek2.redhat.com/ovirt-engine/api -op /home/rhvpasswd  -b ovirtmgmt --password-file /home/passwd -of raw -oo rhv-cluster=Default -os nfs_data  esx6.7-rhel8.1-x86_64  -oo rhv-verifypeer=true -oo rhv-cafile=2334
Traceback (most recent call last):
  File "/var/tmp/v2v.T4mbtj/rhv-upload-precheck.py", line 59, in <module>
    insecure = params['insecure'],
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/__init__.py", line 307, in __init__
    raise Error('The CA file \'%s\' doesn\'t exist' % ca_file)
ovirtsdk4.Error: The CA file '2334' doesn't exist
virt-v2v: error: failed server prechecks, see earlier errors

If reporting bugs, run virt-v2v with debugging enabled and include the 
complete output:


Hi Pino,
   Could you please help to check the error info of step 2 and step 7.2? Is it possible to hide some of the error info and just report a brief ovirtsdk4 error about not finding the correct certificate in the global trust store? According to the virt-v2v-output-rhv man page, v2v will try the system's global trust store if the rhv-cafile option is not used when rhv-verifypeer is true, so I think v2v should remind the customer to set the certificate in the global trust store.

Comment 9 Pino Toscano 2020-02-25 17:39:30 UTC
Thanks for the extensive testing!

> Could you please help to check the error info of step2 and step7.2

- step 2 is correct: since the certificate is self-signed, it cannot be verified using the root CAs (certification authorities)

- step 7.2 is correct: bad.pem will not match the actual certificate of the RHV host, so in the end it becomes like step 2

> is it possible to hidden some error info and just report brief ovirtsdk4 error about can't find correct certificate in global trust store?

This is hard to do, because the "chain of interaction" is: nbdkit plugin -> oVirt Python API -> Python cURL -> cURL.
Even if we accessed the Python cURL exception (which means relying on the internals of the oVirt Python API), the error codes that we get do not seem to be enough to detect this situation.

You can check in the tracebacks above the actual cURL error code -- for example:
  pycurl.error: (77, 'error setting certificate verify locations:\n  CAfile: /home/bad.pem\n  CApath: none')
       error code ^   |
       error message--/

The cURL error codes are described in the curl(1) man page, "EXIT CODES" section (available also online: https://curl.haxx.se/docs/manpage.html ).

> According to virt-v2v-output-rhv man page, v2v will try to find system’s global if rhv-cafile option is not used when rhv-verifypeer is true, so I think v2v should remind customer to set certificate in global trust store.

As the outputs show, it is not easy to detect whether the certificate was in the system store or not. Considering that there is the documentation bit, and that the conversions to RHV are mostly driven by RHV itself or IMS, I would say that people manually using virt-v2v for this should really know what they are doing.
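Added example, not code from this bug or from virt-v2v/ovirtsdk4: it addresses Nir's question in comment 3 (how to tell whether a CA is already in the global trust store) and Pino's point in comment 9 (the cURL code embedded in the error string). It assumes the extracted bundle path written by update-ca-trust and uses a constructed, non-certificate PEM body so that it runs offline; the hint texts are the editor's, not virt-v2v's.

```python
import base64
import os
import re
from typing import Dict, List, Optional, Tuple

# Assumption: the bundle that `update-ca-trust extract` writes on RHEL/Fedora.
SYSTEM_BUNDLE = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_certs(text: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(m.split())) for m in _PEM_RE.findall(text)]


def ca_in_bundle(ca_pem: str, bundle_pem: str) -> bool:
    """True if every certificate in ca_pem appears in bundle_pem (byte-exact DER match).

    This is what an operator can check before deciding whether -oo rhv-cafile
    is needed at all; the thread notes virt-v2v itself does not attempt it."""
    wanted = pem_certs(ca_pem)
    have = set(pem_certs(bundle_pem))
    return bool(wanted) and all(c in have for c in wanted)


# cURL exit codes seen in the tracebacks above (documented in curl(1), EXIT CODES).
_CURL_HINTS: Dict[int, str] = {
    60: ("server certificate chain is not trusted: add the engine CA to the global "
         "trust store (update-ca-trust extract) or pass -oo rhv-cafile=ca.pem"),
    77: "the CA file could not be read: check the path given to -oo rhv-cafile",
}

# ovirtsdk4 embeds the pycurl tuple verbatim, e.g. "... (60, 'SSL certificate ...')".
_ERR_RE = re.compile(r"\((\d+), ")


def curl_code(message: str) -> Optional[int]:
    """Extract the numeric cURL code from a pycurl/ovirtsdk4 error string, if any."""
    m = _ERR_RE.search(message)
    return int(m.group(1)) if m else None


def explain(message: str) -> str:
    """Map a raw error string to an operator-facing hint (editor's wording)."""
    code = curl_code(message)
    if code in _CURL_HINTS:
        return f"curl error {code}: {_CURL_HINTS[code]}"
    return f"unrecognised error: {message}"


def precheck(ca_file: Optional[str], verify_peer: bool,
             bundle_path: str = SYSTEM_BUNDLE) -> Tuple[bool, str]:
    """Reproduce the ordering the thread shows: a missing CA file fails before any
    connection (step 8); no CA file means the system store will be consulted."""
    if not verify_peer:
        return True, "peer verification disabled"
    if ca_file is None:
        return True, f"using system trust store {bundle_path}"
    if not os.path.exists(ca_file):
        return False, f"The CA file '{ca_file}' doesn't exist"
    return True, f"using CA file {ca_file}"


def make_pem(der: bytes) -> str:
    """Wrap bytes in a PEM CERTIFICATE block (constructed data, not a real cert)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample inputs: neither is a real X.509 certificate.
ENGINE_CA_PEM = make_pem(b"constructed-engine-ca-not-a-real-certificate")
OTHER_CA_PEM = make_pem(b"constructed-unrelated-ca")
```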

Comment 10 mxie@redhat.com 2020-02-26 08:18:15 UTC
Thanks Pino for the quick reply. According to comment 8 and comment 9, move the bug from ON_QA to VERIFIED.

Comment 12 errata-xmlrpc 2020-05-05 09:55:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2017
