Bug 1360644 - 'Appendix D. Red Hat Virtualization and SSL' needs clarification
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: Documentation
Version: 4.0.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: rhev-docs@redhat.com
QA Contact: rhev-docs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-07-27 08:47 UTC by Jiri Belka
Modified: 2017-03-15 08:18 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-15 08:18:06 UTC
oVirt Team: Integration



Description Jiri Belka 2016-07-27 08:47:46 UTC
Description of problem:

I'm not 100 % sure but custom "certificate-key bundle in the P12 format" including signed cert, key and CA file should have a password known by engine, ie. it should be ENGINE_PKI_TRUST_STORE_PASSWORD value defined in /etc/ovirt-engine/engine.conf.d/10-setup-pki.conf

otherwise engine-setup won't be able to extract it.

          --== PKI CONFIGURATION ==--
         
[WARNING] Failed to read or parse '/etc/pki/ovirt-engine/keys/apache.p12'
          Perhaps it was changed since last Setup.
          Error was:
          Mac verify error: invalid password?
         


I repacked my certificate-key bundle with known password and engine-setup passed without any comment in pki section.

Version-Release number of selected component (if applicable):
rhevm-doc-4.0.0-3.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. make own CA
2. make httpd signed cert
3. create certificate-key p12 bundle with different password than ENGINE_PKI_TRUST_STORE_PASSWORD value defined in /etc/ovirt-engine/engine.conf.d/10-setup-pki.conf
4. follow $engine_url/ovirt-engine/docs/manual/en_US/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html
5. engine-setup

Actual results:
engine-setup complains about extracting apache.p12 in the PKI section

Expected results:
the admin should be informed in the docs about the need to have the p12 bundle protected with a password known to engine-setup (see above)

Additional info:

My steps for my own CA and engine httpd cert kung-fu:

* vi /etc/pki/tls/openssl.cnf # change 'certificate', 'crl', 'private_key',
    'countryName_default', 'stateOrProvinceName_default',
    'localityName_default', '0.organizationName_default'
* touch /etc/pki/CA/index.txt # empty CA database required by 'openssl ca'
* echo 01 > /etc/pki/CA/serial # first serial number for 'openssl ca'
* cd /etc/pki/CA
* (umask 077 ; openssl genrsa -out private/my-ca.key -des3 2048 ) # CA key, passphrase-encrypted
* openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt # self-signed CA cert
* openssl genrsa -out my-engine.key 4096 # engine httpd key
* openssl req -new -out my-engine.csr -key my-engine.key # CSR, CN = engine FQDN
* openssl ca -in my-engine.csr -out my-engine.crt # sign with the CA configured in openssl.cnf
* openssl pkcs12 -export -out my-engine.p12 -inkey my-engine.key -in my-engine.crt -chain -CAfile /etc/pki/CA/my-ca.crt # p12 bundle pass

If one needs to re-create the p12 bundle, one can use the commands from $engine_url/ovirt-engine/docs/manual/en_US/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html and create it again with the right password as described above (-export).
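
Added example (not from the bug report, the RHV docs or the oVirt project): the same private-CA flow as the steps above, done non-interactively, with an explicit check that the exported PKCS#12 bundle actually opens with the password engine-setup is going to use. A wrong password is exactly what produces the "Mac verify error: invalid password?" warning quoted in the description. It uses 'openssl x509 -req' instead of 'openssl ca' so no index.txt/serial setup is needed, and it leaves the CA key unencrypted for scripting (add -aes256 for a real CA). The hostname 'engine.example.com' and the password 'mypass' (the engine-setup default named in comment 3) are constructed values; openssl is assumed to be in PATH.

```shell
#!/bin/sh
# Build a private CA, sign an httpd cert for the engine FQDN, export the
# key+cert+CA as a PKCS#12 bundle, and verify the bundle password.
set -eu

# make_bundle DIR HOST PASS
#   Writes my-ca.{key,crt}, my-engine.{key,csr,crt,p12} into DIR.
#   PASS is the password engine-setup must know to open my-engine.p12.
make_bundle() {
    dir=$1; host=$2; pass=$3
    mkdir -p "$dir"
    (
        umask 077
        # Self-signed CA (key unencrypted here; use -aes256 instead of -nodes in practice)
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=Example Lab CA" \
            -keyout "$dir/my-ca.key" -out "$dir/my-ca.crt" >/dev/null 2>&1
        # Engine httpd key + CSR with CN = engine FQDN
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
            -keyout "$dir/my-engine.key" -out "$dir/my-engine.csr" >/dev/null 2>&1
        # Sign with the CA; add a SAN so clients that ignore CN still match the host
        printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/ext.cnf"
        openssl x509 -req -days 365 -in "$dir/my-engine.csr" \
            -CA "$dir/my-ca.crt" -CAkey "$dir/my-ca.key" -CAcreateserial \
            -extfile "$dir/ext.cnf" -out "$dir/my-engine.crt" >/dev/null 2>&1
        # Bundle key, cert and CA cert; -passout sets the password engine-setup will need
        openssl pkcs12 -export -inkey "$dir/my-engine.key" -in "$dir/my-engine.crt" \
            -certfile "$dir/my-ca.crt" -out "$dir/my-engine.p12" -passout "pass:$pass"
    )
}

# check_chain CACERT CERT : 0 if CERT verifies against CACERT, non-zero otherwise
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_bundle P12 PASS : 0 if the bundle opens with PASS, non-zero otherwise.
# A non-zero result here is the "Mac verify error" engine-setup would report.
check_bundle() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

main() {
    work=$(mktemp -d)
    make_bundle "$work" engine.example.com mypass
    check_chain "$work/my-ca.crt" "$work/my-engine.crt" && echo "cert chains to my-ca.crt"
    if check_bundle "$work/my-engine.p12" mypass; then
        echo "bundle opens with the expected password: safe to install as apache.p12"
    fi
    if ! check_bundle "$work/my-engine.p12" some-other-pass; then
        echo "wrong password rejected: this is the case that trips engine-setup"
    fi
    rm -rf "$work"
}

main "$@"
```

Run check_bundle against the existing /etc/pki/ovirt-engine/keys/apache.p12 with the password engine-setup uses before re-running engine-setup; if it fails, re-export the bundle with -passout as above rather than guessing at the warning.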

Comment 1 Jiri Belka 2016-07-27 08:49:17 UTC
Martin, could you confirm my "concern"?

Comment 2 Martin Perina 2016-08-15 09:08:08 UTC
(In reply to Jiri Belka from comment #0)
> Description of problem:
> 
> I'm not 100 % sure but custom "certificate-key bundle in the P12 format"
> including signed cert, key and CA file should have a password known by
> engine, ie. it should be ENGINE_PKI_TRUST_STORE_PASSWORD value defined in
> /etc/ovirt-engine/engine.conf.d/10-setup-pki.conf

No, ENGINE_PKI_TRUST_STORE_PASSWORD stores password for ENGINE_PKI_TRUST_STORE (which contains by default /etc/pki/ovirt-engine/.truststore), AFAIK we don't store password for apache.p12 with custom certificate, engine-setup should ask for it every time it needs to access it. Didi, am I right?

Comment 3 Yedidyah Bar David 2016-08-15 09:35:12 UTC
(In reply to Martin Perina from comment #2)
> (In reply to Jiri Belka from comment #0)
> > Description of problem:
> > 
> > I'm not 100 % sure but custom "certificate-key bundle in the P12 format"
> > including signed cert, key and CA file should have a password known by
> > engine, ie. it should be ENGINE_PKI_TRUST_STORE_PASSWORD value defined in
> > /etc/ovirt-engine/engine.conf.d/10-setup-pki.conf
> 
> No, ENGINE_PKI_TRUST_STORE_PASSWORD stores password for
> ENGINE_PKI_TRUST_STORE (which contains by default
> /etc/pki/ovirt-engine/.truststore), AFAIK we don't store password for
> apache.p12 with custom certificate, engine-setup should ask for it every
> time it needs to access it. Didi, am I right?

engine-setup uses DEFAULT_PKI_STORE_PASS = 'mypass' by default.

If you want to use something else you might be able to do that by adding to /etc/ovirt-engine-setup.conf.d/ a file e.g. my-pass.conf with:
[environment:default]
OVESETUP_PKI/storePassword=str:topsecret

Didn't try that myself.

Note that this isn't in /etc/ovirt-engine/engine.conf.d. IIRC engine-setup does not use the conf there for the store passwords.

Comment 4 Yedidyah Bar David 2016-08-15 09:38:31 UTC
(In reply to Yedidyah Bar David from comment #3)
> (In reply to Martin Perina from comment #2)
> > (In reply to Jiri Belka from comment #0)
> > > Description of problem:
> > > 
> > > I'm not 100 % sure but custom "certificate-key bundle in the P12 format"
> > > including signed cert, key and CA file should have a password known by
> > > engine, ie. it should be ENGINE_PKI_TRUST_STORE_PASSWORD value defined in
> > > /etc/ovirt-engine/engine.conf.d/10-setup-pki.conf
> > 
> > No, ENGINE_PKI_TRUST_STORE_PASSWORD stores password for
> > ENGINE_PKI_TRUST_STORE (which contains by default
> > /etc/pki/ovirt-engine/.truststore), AFAIK we don't store password for
> > apache.p12 with custom certificate, engine-setup should ask for it every
> > time it needs to access it. Didi, am I right?
> 
> engine-setup uses DEFAULT_PKI_STORE_PASS = 'mypass' by default.
> 
> If you want to use something else you might be able to do that by adding to
> /etc/ovirt-engine-setup.conf.d/ a file e.g. my-pass.conf with:
> [environment:default]
> OVESETUP_PKI/storePassword=str:topsecret
> 
> Didn't try that myself.
> 
> Note that this isn't in /etc/ovirt-engine/engine.conf.d. IIRC engine-setup
> does not use the conf there for the store passwords.

BTW, not sure engine-setup even needs that. IIRC it only does stuff, if at all, with the cert (=public key), which is not encrypted.

Comment 5 Yaniv Lavi 2017-02-07 07:36:23 UTC
Can you please clarify exactly what changes are needed in the docs?
The summary and description do not state the changes required.

Comment 6 Yedidyah Bar David 2017-02-14 08:55:50 UTC
(In reply to Jiri Belka from comment #0)
> Description of problem:
> 
> I'm not 100 % sure but custom "certificate-key bundle in the P12 format"
> including signed cert, key and CA file should have a password known by
> engine, ie. it should be ENGINE_PKI_TRUST_STORE_PASSWORD value defined in
> /etc/ovirt-engine/engine.conf.d/10-setup-pki.conf

The docs were likely written for an older version, where engine-setup did not look at all at this file, and not updated since.

In 3.5.4/3.6.0, we made it check these files, to see if certs need to be renewed. See bug 1214860.

At the time, using a 3rd party CA (and custom passphrase) failed engine-setup.

In 3.5.7/3.6.2 we fixed this, see bug 1260752.

Since then, it's just a warning. If indeed this happens because it's using a different passphrase, but everything else works, it can be ignored. It's obviously up to the user to make sure the cert is renewed on time, when using a 3rd party CA.

So:

If you think there is a bug in the code, please state what it is, and attach setup logs.

If you think there is a bug in the docs, please state what it is. Did you try to follow the docs and hit a real problem?

Otherwise, I think we can close notabug, or update the docs to say that this flow can emit the above warning, which can be safely ignored.

Comment 7 Jiri Belka 2017-03-14 09:01:27 UTC
Please read comments and check docs if there's an area for improvement if necessary. If not, feel free to close this BZ. Thanks.

