Bug 1817346
| Summary: | [UI] SHA1 fingerprint shown to the user for approval | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Juan Orti Alcaine <jortialc> |
| Component: | ovirt-engine | Assignee: | eraviv |
| Status: | CLOSED ERRATA | QA Contact: | Michael Burman <mburman> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 4.3.8 | CC: | amusil, dfodor, mburman, michal.skrivanek, mperina, sgratch |
| Target Milestone: | ovirt-4.4.7 | | |
| Target Release: | 4.4.7 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | ovirt-engine-4.4.7.2 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-07-22 15:12:18 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Network | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

This seems related to Networking so re-assigning.

Let's show the fingerprint and the algorithm of the certificate.

Verified on - rhvm-4.4.7.3-0.3.el8ev.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: RHV Manager (ovirt-engine) security update [ovirt-4.4.7]), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2865

Description of problem:
When testing the connection to ovirt-provider-ovn, the SHA1 fingerprint of the CA certificate is shown to the user for approval, although all the certificates are signed with SHA256.

Version-Release number of selected component (if applicable):
ovirt-engine-4.3.8.2-0.4.el7.noarch
ovirt-web-ui-1.6.0-2.el7ev.noarch

How reproducible:

Steps to Reproduce:
1. Deploy new RHV 4.3.8 HostedEngine with ovirt-provider-ovn
2. Check that all certs are SHA256:

```bash
#!/bin/bash
names="engine apache websocket-proxy jboss imageio-proxy ovirt-provider-ovn"
for name in $names; do
    echo "### $name"
    openssl x509 -in /etc/pki/ovirt-engine/certs/"${name}".cer -text -noout | grep -i "Signature Algorithm"
done
echo "### CA"
openssl x509 -in /etc/pki/ovirt-engine/ca.pem -text -noout | grep -i "Signature Algorithm"
echo "### Apache CA"
openssl x509 -in /etc/pki/ovirt-engine/apache-ca.pem -text -noout | grep -i "Signature Algorithm"
echo "### Trust store"
LANG=C keytool -list -keystore /etc/pki/ovirt-engine/.truststore -v | grep -i "Signature Algorithm" #(password: mypass)
echo "### External trust store"
LANG=C keytool -list -keystore /var/lib/ovirt-engine/external_truststore -v | grep -i "Signature Algorithm" #(password: changeit)
```

3. In RHV-M, go to Administration -> Providers -> ovirt-provider-ovn -> Edit -> Test button

Actual results:
The SHA1 of the CA cert is shown to the user for approval.

Expected results:
As the SHA1 algorithm is being deprecated, it makes sense not to use it anywhere.

Additional info:
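
Added example, not part of the bug report or of ovirt-engine's code: a fingerprint is a digest of the certificate's DER bytes computed by whoever displays it, separate from the signature algorithm that the script in step 2 prints, so this helper labels each fingerprint with its algorithm and checks a displayed value against a locally computed SHA-256 one. The function names, the SHA-256-only policy and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import ssl

# Digest length in bytes -> algorithm, to recognise an unlabelled fingerprint.
DIGEST_BY_LEN = {20: "sha1", 32: "sha256"}
ACCEPTED = {"sha256"}  # assumption: local policy refuses SHA-1 for approval


def fingerprint(pem: str, alg: str = "sha256") -> str:
    """Return 'ALG AA:BB:...' computed over the certificate's DER encoding."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.new(alg, der).digest()
    return f"{alg.upper()} " + ":".join(f"{b:02X}" for b in digest)


def verify_displayed(displayed: str, pem: str) -> str:
    """Check a fingerprint shown by a UI against one computed locally.

    Accepts 'AA:BB:..', 'SHA256 AA:BB:..' and openssl's '... Fingerprint=AA:BB:..'.
    Returns 'match', 'mismatch', 'weak-digest' or 'unrecognised'.
    """
    token = "".join(displayed.split()[-1:]).rsplit("=", 1)[-1]
    try:
        shown = bytes.fromhex(token.replace(":", ""))
    except ValueError:
        return "unrecognised"
    alg = DIGEST_BY_LEN.get(len(shown))
    if alg is None:
        return "unrecognised"
    if alg not in ACCEPTED:
        return "weak-digest"  # e.g. a 20-byte SHA-1 value
    local = hashlib.new(alg, ssl.PEM_cert_to_DER_cert(pem)).digest()
    return "match" if hmac.compare_digest(shown, local) else "mismatch"


# Constructed stand-in bytes wrapped as PEM, not a real certificate: the
# fingerprint is a hash of the DER bytes, so any bytes exercise the same path.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-DER-bytes-for-illustration")

if __name__ == "__main__":
    for alg in ("sha1", "sha256"):
        print(fingerprint(SAMPLE_PEM, alg))
    print(verify_displayed(fingerprint(SAMPLE_PEM, "sha256"), SAMPLE_PEM))
```

On an engine host, `pem` would be the contents of `/etc/pki/ovirt-engine/ca.pem` (the CA file from step 2), assuming it holds a single PEM certificate.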