Imageio added option to configure CA file for backend HTTP in release 2.0.10-1. This is needed in case used wants to use own PKI files for engine, see BZ #1862107 for more details. Configure this option in engine's imageio config (/etc/ovirt-imageio/conf.d/50-engine.conf) and set it to default engine CA.
Fixing milestone, this is included in ovirt 4.4.2, and there is no reason to wait for ovirt 4.4.3 for it.
Hi Vojtech, did you mean 'set it to apache CA' instead of 'set it to default engine CA' ? Or should be there the engine CA (/etc/pki/ovirt-engine/ca.pem) Thank you, Petr
> did you mean 'set it to apache CA' instead of 'set it to default engine CA' ? > Or should be there the engine CA (/etc/pki/ovirt-engine/ca.pem) no, default engine CA is apache CA (right now, but it can change), so by default it should point to apache CA
According to comments in code. It looks like that the value should point to Engine certificate which is not changed during using 3rd party certificates In configuration I see [backend_http] # CA file used by HTTP backend client to verify imageio server certificate. # Do not change, oVirt host pki setup is based on this CA. ca_file = /etc/pki/ovirt-engine/ca.pem Downloading and uploading images when using 3rd party certificates works as expected. Verified in # rpm -qa | grep ovirt-imageio ovirt-imageio-common-2.0.10-1.el8ev.x86_64 ovirt-imageio-daemon-2.0.10-1.el8ev.x86_64
This bugzilla is included in oVirt 4.4.2 release, published on September 17th 2020. Since the problem described in this bug report should be resolved in oVirt 4.4.2 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.