Bug 995950 - rhevm-log-collector fails with "certificate verify failed", when RHEV-M is configured to use commercial certificates
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-log-collector
3.2.0
Assigned To: Sandro Bonazzola
Pavel Stehlik
integration
Reported: 2013-08-12 00:37 EDT by Aval
Modified: 2015-07-01 11:00 EDT
Doc Type: Bug Fix
Last Closed: 2013-08-14 07:17:32 EDT
Type: Bug


Description Aval 2013-08-12 00:37:34 EDT
Description of problem:

Customer has configured RHEV-M to use commercial certificates and encounters an SSL problem when running rhevm-log-collector.

[root@rhevm ovirt-engine]# rhevm-log-collector list
Please provide the REST API password for the admin@internal oVirt Engine user (CTRL+D to skip): 
ERROR: Problem connecting to the REST API.Is the service available and does the CA certificate exist?
ERROR: _get_hypervisors_from_api: [ERROR]::oVirt API connection failure, [Errno 1] _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
INFO: No hypervisors were found, therefore no hypervisor data will be listed.

Version-Release number of selected component (if applicable):

RHEV-M 3.2

How reproducible:


Steps to Reproduce:
1. Configure commercial certificates for RHEV-M
2. Run rhevm-log-collector

Actual results:

Fails in SSL handshake.

Expected results:

Should collect logs.

Additional info:

However, we can use the commercial CA certificate using

# rhevm-log-collector --cert-file=<COMMERCIAL-CA_FILE>  list

If this is the desired way to use it, it is not documented, nor do the error messages hint towards the problem.
Comment 1 Aval 2013-08-12 00:45:32 EDT
rhevm-log-collector uses "/etc/pki/ovirt-engine/ca.pem" as the default CA, which is the internal or self-signed CA file. If RHEV-M is configured to use commercial certificates, certificate verification during the SSL handshake will fail.
Comment 2 Sandro Bonazzola 2013-08-14 07:17:32 EDT
Hi, if you change the CA using a file that is not /etc/pki/ovirt-engine/ca.pem you must also change:
 - /etc/ovirt-engine/imageuploader.conf
 - /etc/ovirt-engine/logcollector.conf
 - /etc/ovirt-engine/isouploader.conf

to use the new certificate, or specify it on the command line.

You can avoid changing the configuration files by using the same filename.
This is not a bug, it is like this by design.
Comment 3 Aval 2013-08-14 21:07:56 EDT
(In reply to Sandro Bonazzola from comment #2)
> Hi, if you change the CA using a file that is not
> /etc/pki/ovirt-engine/ca.pem you must also change:
>  - /etc/ovirt-engine/imageuploader.conf
>  - /etc/ovirt-engine/logcollector.conf
>  - /etc/ovirt-engine/isouploader.conf
> 
> to use the new certificate, or specify it on the command line.
> 
> You can avoid changing the configuration files by using the same filename.
> This is not a bug, it is like this by design.

Thanks. Just to clarify, the exact key-value pair for the new CA file that is required to be added in /etc/ovirt-engine/logcollector.conf should be like:

cert-file=/path/to/new/CA/file
Comment 4 Sandro Bonazzola 2013-08-16 11:07:13 EDT
(In reply to Aval from comment #3)

> Thanks. Just to clarify, the exact key-value pair for the new CA file that
> is required to be added in /etc/ovirt-engine/logcollector.conf should be
> like:
> 
> cert-file=/path/to/new/CA/file

Confirmed, it should be like that.
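
A check an administrator could run after switching the engine to a commercial CA, as an added example that is not part of this bug report or of the oVirt tools: it reports which CA file each of the three tool configurations named in comment 2 would verify against, falling back to the default from comment 1 when `cert-file` is unset. The function names, the sample file contents (including the `[section]` header) and the line-oriented parsing (sections ignored, last assignment wins) are assumptions.

```python
import os

DEFAULT_CA = "/etc/pki/ovirt-engine/ca.pem"  # default CA named in comment 1
TOOL_CONFS = tuple("/etc/ovirt-engine/" + name for name in (  # files from comment 2
    "imageuploader.conf", "logcollector.conf", "isouploader.conf"))

def configured_ca(conf_text):
    """Return the cert-file value in a config body, or None if it is unset."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":  # blank, comment or section header
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "cert-file":
            value = val.strip() or None  # assumption: last assignment wins
    return value

def audit(confs, expected_ca, exists=os.path.isfile):
    """confs maps path -> text (None if absent); returns {path: (ca, problem)}."""
    report = {}
    for path, text in confs.items():
        effective = configured_ca(text or "") or DEFAULT_CA
        problem = None
        if effective != expected_ca:
            problem = "verifies against a different CA than the engine uses"
        elif not exists(effective):
            problem = "CA file does not exist"
        report[path] = (effective, problem)
    return report

def load(path):
    """Return a file's text, or None when it is absent (tool keeps its default)."""
    try:
        with open(path) as handle:
            return handle.read()
    except OSError:
        return None

# Constructed sample: only the first file was updated after the CA change.
NEW_CA = "/path/to/new/CA/file"  # placeholder path, as written in comment 3
SAMPLE = {
    TOOL_CONFS[0]: "[section]\ncert-file=" + NEW_CA + "\n",
    TOOL_CONFS[1]: "[section]\n# cert-file=" + NEW_CA + "\n",
    TOOL_CONFS[2]: None,
}

if __name__ == "__main__":
    print(audit(SAMPLE, NEW_CA, exists=lambda p: True))
```

On an engine host, build the input with `{p: load(p) for p in TOOL_CONFS}` and pass the CA file that issued the engine's certificate as `expected_ca`.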
