Use nil ca_certs to trust system CAs #63
Conversation
@masayag @borod108 @pkliczewski please review.
Why are the CAs loaded only once when using the ovirt-engine-sdk?
Because the
Note that this applies only to the system trusted certificates, not to the certificates passed in the
Currently when the user sets the TLS certification validation switch to "Yes" and does not provide a custom CA certificate, the provider doesn't trust the system CA certificates; it trusts no certificates at all instead. This isn't the intended behaviour. To address that issue this patch changes the provider so that it sets the 'ca_certs' parameter to 'nil' in this case. That 'nil' value indicates to both the 'ovirt' and 'ovirt-engine-sdk' gems that the system CA certificates should be trusted.

Note that when using version 4 of the API and the 'ovirt-engine-sdk' gem, the system CA certificates are loaded only once, when the gem is loaded. If any CA certificate is added to the system, then the affected ManageIQ workers will need to be reloaded. The affected workers are all the provider workers and the UI worker. It may be more convenient to just restart the appliances.

The complete sequence to verify this is the following:

1. Get the CA certificate used by the oVirt system. If it is a self-signed certificate it will be available in the 'ca.pem' file inside the '/etc/pki/ovirt-engine' directory:

       # scp ovirt.example.com:/etc/pki/ovirt-engine/ca.pem .

2. Add the CA certificate to the directory containing the CA certificates that are added to the system database:

       # cp ca.pem /etc/pki/ca-trust/source/anchors/ovirt.example.com.pem

3. Update the system database:

       # update-ca-trust

4. At this point the database is updated, but it won't be reloaded if using version 4 of the API and the 'ovirt-engine-sdk' gem, so restart the appliance.

5. Check that the authentication verification works setting TLS certificate validation to 'Yes', but without pasting any certificate in the text box for trusted CA certificates.

By default the provider uses version 3 of the API, so make sure to check this with version 3 of the API and also with version 4, changing the settings to do so:

    :ems:
      :ems_redhat:
        :use_ovirt_engine_sdk: true

This patch addresses the following bug:

RHV provider does not trust certificate authorities from the system CA database
https://bugzilla.redhat.com/1459569

Signed-off-by: Juan Hernandez <[email protected]>
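As an added illustration of the trust semantics the patch relies on (this is not the provider's or the gems' own code): a hypothetical `build_trust_store` helper maps a `nil` 'ca_certs' value to the system CA database through OpenSSL's default paths and a PEM string to an explicit store; a constructed test CA and leaf certificate stand in for '/etc/pki/ovirt-engine/ca.pem' and the engine's server certificate; and `SSL_CERT_FILE` is pointed at a temporary anchors file to simulate the effect of `update-ca-trust` on a freshly built store. The empty-string case is an assumed stand-in for the old behaviour of trusting nothing; how the old code actually built its store is not shown on this page.

```ruby
require 'openssl'
require 'tempfile'

# Hypothetical helper (not the provider's or the gems' code): maps the
# 'ca_certs' value to an OpenSSL trust store the way the patch intends.
#   nil        -> trust the system CA database (OpenSSL default paths, which
#                 honour SSL_CERT_FILE / SSL_CERT_DIR)
#   PEM string -> trust exactly the certificates pasted by the user
#   ''         -> assumed representation of the old behaviour: an empty store
#                 that trusts nothing at all
def build_trust_store(ca_certs)
  store = OpenSSL::X509::Store.new
  if ca_certs.nil?
    store.set_default_paths
  else
    ca_certs.to_s.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m).each do |pem|
      store.add_cert(OpenSSL::X509::Certificate.new(pem))
    end
  end
  store
end

# Constructed test certificates, generated in-process; they stand in for
# /etc/pki/ovirt-engine/ca.pem and the engine's server certificate.
def make_cert(subject, serial, issuer: nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  issuer_cert, issuer_key = issuer || [cert, key]   # self-signed when no issuer
  cert.issuer = issuer_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

CA_CERT, CA_KEY = make_cert('/CN=Constructed-oVirt-Test-CA', 1, ca: true)
LEAF_CERT, _LEAF_KEY = make_cert('/CN=ovirt.example.com', 2, issuer: [CA_CERT, CA_KEY])

# Does a store built from this 'ca_certs' value accept the engine certificate?
def verifies?(ca_certs)
  build_trust_store(ca_certs).verify(LEAF_CERT)
end

# Runs the four cases the commit message distinguishes and returns the outcomes.
def demo
  results = {
    custom_ca:         verifies?(CA_CERT.to_pem), # CA pasted in the text box -> trusted
    empty_string:      verifies?(''),             # old behaviour: nothing trusted
    system_without_ca: verifies?(nil)             # system database lacks this CA yet
  }
  # Simulate 'cp ca.pem .../anchors/ && update-ca-trust' by pointing the
  # system trust file at a temporary anchors file holding the constructed CA.
  previous = ENV['SSL_CERT_FILE']
  Tempfile.create(['anchors', '.pem']) do |f|
    f.write(CA_CERT.to_pem)
    f.flush
    begin
      ENV['SSL_CERT_FILE'] = f.path
      results[:system_with_ca] = verifies?(nil)   # a fresh store sees the new CA
    ensure
      if previous
        ENV['SSL_CERT_FILE'] = previous
      else
        ENV.delete('SSL_CERT_FILE')
      end
    end
  end
  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Because `build_trust_store` creates a new store on every call, the CA added to the anchors file is picked up immediately. A store that is built once when a gem is loaded keeps its original view of the system database until the process is restarted, which is the worker-reload caveat the commit message describes for the version 4 API path.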
Checked commit https://github.com/jhernand/manageiq-providers-ovirt/commit/481f70ff8d17fb65960b16aef614bcb0c075a946 with ruby 2.2.6, rubocop 0.47.1, and haml-lint 0.20.0
@miq-bot add_label fine/yes
Fine backport (to manageiq repo) details: