Red Hat Bugzilla – Bug 995950
rhevm-log-collector fails with "certificate verify failed", when RHEV-M is configured to use commercial certificates
Last modified: 2015-07-01 11:00:38 EDT
Description of problem:
Customer has configured RHEV-M to use commercial certificates and encounters an SSL problem when running rhevm-log-collector.
[root@rhevm ovirt-engine]# rhevm-log-collector list
Please provide the REST API password for the admin@internal oVirt Engine user (CTRL+D to skip):
ERROR: Problem connecting to the REST API.Is the service available and does the CA certificate exist?
ERROR: _get_hypervisors_from_api: [ERROR]::oVirt API connection failure, [Errno 1] _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
INFO: No hypervisors were found, therefore no hypervisor data will be listed.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure commercial certificates for RHEV-M
Fails in SSL handshake.
Should collect logs.
However, we can use the commercial CA certificate using
# rhevm-log-collector --cert-file=<COMMERCIAL-CA_FILE> list
If this is the desired way to use it, it is not documented, nor do the error messages hint towards the problem.
rhevm-log-collector uses "/etc/pki/ovirt-engine/ca.pem" as its default CA, which is an internal or self-signed CA file. If RHEV-M is configured to use commercial certificates, certificate verification during the SSL handshake will fail.
Hi, if you change the CA using a file that is not /etc/pki/ovirt-engine/ca.pem you must also change:
- /etc/ovirt-engine/imageuploader.conf
- /etc/ovirt-engine/logcollector.conf
- /etc/ovirt-engine/isouploader.conf
to use the new certificate, or specify it on the command line.
You can avoid changing the configuration files by using the same filename.
This is not a bug, it is like this by design.
(In reply to Sandro Bonazzola from comment #2)
> Hi, if you change the CA using a file that is not
> /etc/pki/ovirt-engine/ca.pem you must also change:
> - /etc/ovirt-engine/imageuploader.conf
> - /etc/ovirt-engine/logcollector.conf
> - /etc/ovirt-engine/isouploader.conf
> to use the new certificate, or specify it on the command line.
> You can avoid changing the configuration files by using the same filename.
> This is not a bug, it is like this by design.
Thanks, just to clarify that the exact key-value pair for the new CA file that is required to be added in /etc/ovirt-engine/logcollector.conf should be like:
(In reply to Aval from comment #3)
> Thanks, just to clarify that the exact key-value pair for the new CA file that
> is required to be added in /etc/ovirt-engine/logcollector.conf should be
> like:
Confirmed, it should be like that.
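An added example, not part of the original bug report or of rhevm-log-collector: a shell check of which CA file validates the certificate a server presents, which is the mismatch behind the "certificate verify failed" error above. The two CAs, the host name rhevm.example.test and the helper names are constructed for the demonstration, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: which CA file validates the certificate the engine presents?
# All certificates, names and helpers below are constructed for the demonstration.

# ca_verifies CA_FILE CERT_FILE: exit 0 if CERT_FILE chains to a CA in CA_FILE.
# (openssl may also consult the system store; the constructed CAs are not in it.)
ca_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# new_ca DIR NAME: self-signed CA certificate DIR/NAME.pem with key DIR/NAME.key
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed $2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CA_NAME HOST: server certificate DIR/server.pem signed by CA_NAME
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 2 -out "$1/server.pem" 2>/dev/null
}

# pick_ca CERT_FILE CA_FILE...: print the first CA file that validates CERT_FILE
pick_ca() {
    cert=$1; shift
    for ca in "$@"; do
        if ca_verifies "$ca" "$cert"; then echo "$ca"; return 0; fi
    done
    return 1
}

demo() {
    d=$(mktemp -d) || return 1
    new_ca "$d" internal-ca      # stands in for /etc/pki/ovirt-engine/ca.pem
    new_ca "$d" commercial-ca    # stands in for <COMMERCIAL-CA_FILE>
    issue_cert "$d" commercial-ca rhevm.example.test
    ca_verifies "$d/internal-ca.pem" "$d/server.pem" \
        && echo "internal CA: OK" || echo "internal CA: certificate verify failed"
    ca_verifies "$d/commercial-ca.pem" "$d/server.pem" \
        && echo "commercial CA: OK" || echo "commercial CA: certificate verify failed"
    echo "pass to --cert-file: $(basename "$(pick_ca "$d/server.pem" "$d"/*-ca.pem)")"
    rm -rf "$d"
}
demo
```

Against a live engine, save the certificate it presents to a file first and pass that file as CERT_FILE. A commercial certificate issued through intermediate CAs verifies only if the CA file contains the whole chain.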