oVirt/RHEV and CA certificate

Hello,

Foreman and Satellite 6 use the special oVirt/RHEV URL /ca.crt to
retrieve the server CA certificate. I think our users can't override the
cert as the CA cert text box is read only.

Unfortunately, it turns out that this URL always returns the server
certificate, which is by default self-signed (therefore it's a CA for
itself). So it works…

…until you configure your oVirt/RHEV with a separate CA (in other words
you configure it for production): this URL still returns the server's
certificate and not the CA.

Unfortunately, this is hardcoded in the Java application, so Apache2
httpd must be "hacked" to return the proper CA file.

I filed a BZ for this, but I am not sure if oVirt folks are changing
this. It looks like this is not an "official feature"; folks perhaps use
this for testing. But we use this and I'd like to use this in oVirt
integration testing too (I need to download the CA anyway). In the BZ, I
recommend changing the behavior and introducing two URLs:

  • /server.crt - server certificate
  • /ca.crt - CA certificate (by default a symlink to server.crt)
  • configure Apache2 httpd to return these (instead of proxying this)

Having this documented properly, users should be able to easily switch
to a properly signed server cert with Foreman/Satellite 6 integration too.

https://bugzilla.redhat.com/show_bug.cgi?id=1125933

In the BZ you can find the workaround via Apache2 configuration.

I am posting this to the list because you (or our users) can soon hit
this issue.

--
Later,
Lukas #lzap Zapletal

> Hello,
>
> Foreman and Satellite 6 use the special oVirt/RHEV URL /ca.crt to
> retrieve the server CA certificate. I think our users can't override the
> cert as the CA cert text box is read only.
>
> Unfortunately, it turns out that this URL always returns the server
> certificate, which is by default self-signed (therefore it's a CA for
> itself). So it works…
>
> …until you configure your oVirt/RHEV with a separate CA (in other words
> you configure it for production): this URL still returns the server's
> certificate and not the CA.
>
> Unfortunately, this is hardcoded in the Java application, so Apache2
> httpd must be "hacked" to return the proper CA file.
>
> I filed a BZ for this, but I am not sure if oVirt folks are changing
> this. It looks like this is not an "official feature"; folks perhaps use
> this for testing. But we use this and I'd like to use this in oVirt
> integration testing too (I need to download the CA anyway). In the BZ, I
> recommend changing the behavior and introducing two URLs:
>
> - /server.crt - server certificate
> - /ca.crt - CA certificate (by default a symlink to server.crt)
> - configure Apache2 httpd to return these (instead of proxying this)
>
> Having this documented properly, users should be able to easily switch
> to a properly signed server cert with Foreman/Satellite 6 integration too.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1125933
>
> In the BZ you can find the workaround via Apache2 configuration.
>
> I am posting this to the list because you (or our users) can soon hit
> this issue.

Thanks for the update.

I've already hit this, installing the CA on the sat6 server did the trick
for me.

Also, I was a bit surprised that in the UI, the CA cert field was read-only.


Can't you just connect over https and if httpd serves the full chain,
you can take the CA from there. May require using some SSL library
though.

On Fri, Aug 01, 2014 at 01:57:07PM +0200, Lukas Zapletal wrote:
> Foreman and Satellite 6 use the special oVirt/RHEV URL /ca.crt to
> retrieve the server CA certificate. I think our users can't override the
> cert as the CA cert text box is read only.
>
> Unfortunately, it turns out that this URL always returns the server
> certificate, which is by default self-signed (therefore it's a CA for
> itself). So it works...
>
> ...until you configure your oVirt/RHEV with a separate CA (in other words
> you configure it for production): this URL still returns the server's
> certificate and not the CA.

> Also, I was a bit surprised that in the UI, the CA cert field was read-only.

Yeah, I think it should not be read-only too.

Opinions?

--
Later,
Lukas #lzap Zapletal

> Can't you just connect over https and if httpd serves the full chain,
> you can take the CA from there. May require using some SSL library
> though.

Yeah, this could be a feature too. Not sure how powerful the rest_client
gem or the ruby http library are.

--
Later,
Lukas #lzap Zapletal
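As an added example (not code from this thread, from Foreman or from oVirt), the suggestion above in Ruby's standard OpenSSL binding rather than rest_client: harvest the chain from the TLS handshake, pick the CA out of it, and check whether what /ca.crt hands back really is the CA or only the server's leaf. The throwaway CA and server certificate, the host name and the port are constructed for the demonstration.

```ruby
require 'openssl'
require 'socket'

# Constructed throwaway PKI standing in for an oVirt/RHEV httpd chain (not
# real oVirt data): a self-signed CA plus a server certificate it signs.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = ca ? 1 : 2
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256')) # returns cert
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('/CN=Example oVirt CA', CA_KEY, ca: true)
SRV_KEY = OpenSSL::PKey::RSA.new(2048)
SRV_CERT = make_cert('/CN=ovirt.example.com', SRV_KEY, issuer_cert: CA_CERT, issuer_key: CA_KEY)

# Harvest the chain presented in the TLS handshake (leaf first). Verification is
# off because nothing is trusted yet; confirm the harvested CA out of band before pinning it.
def fetch_peer_chain(host, port = 443)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new(host, port), ctx)
  sock.hostname = host
  sock.connect
  sock.peer_cert_chain
ensure
  sock&.close
end

# The CA is the self-signed (root) certificate in the chain; nil means httpd
# is not configured to send the full chain, so there is nothing to harvest.
def ca_from_chain(chain)
  chain.find { |c| c.issuer.eql?(c.subject) && c.verify(c.public_key) }
end

# /ca.crt is only usable as the CA if what it serves actually issued the leaf: the
# self-signed default passes (leaf is its own CA), a CA-signed leaf served as "the CA" fails.
def ca_crt_sane?(ca_crt_pem, leaf)
  leaf.verify(OpenSSL::X509::Certificate.new(ca_crt_pem).public_key)
end
```

Against a live server, `ca_crt_sane?(Net::HTTP.get(URI("https://#{host}/ca.crt")), fetch_peer_chain(host).first)` reproduces the report: it is true on a default self-signed install and false once a separate CA is configured and /ca.crt still returns the leaf.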

> > Also, I was a bit surprised that in the UI, the CA cert field was read-only.
>
> Yeah, I think it should not be read-only too.
>
> Opinions?

Changing it to RW + a checkbox to ensure you want to override it sounds sane
to me. The other alternative requires changing oVirt's published CAs, which
I guess would be harder for a Foreman admin to do?

Ohad

On Fri, Aug 1, 2014 at 8:43 PM, Lukas Zapletal wrote:

> Changing it to RW + a checkbox to ensure you want to override it sounds sane
> to me. The other alternative requires changing oVirt's published CAs, which
> I guess would be harder for a Foreman admin to do?

Yeah, thanks. I guess the change on the RHEV side is too hacky. I raised
an RFE, let's see what they can do. But we need this for older versions
anyway.

http://projects.theforeman.org/issues/6899

--
Later,
Lukas #lzap Zapletal