[RENAME] openssl qemu-ca conf files not handled well
mwperina opened this issue · 0 comments
Description of problem:
ovirt-engine-rename changes /etc/pki/ovirt-engine/qemu-cert.template to point at 'resource=ca-certificate' instead of keeping 'resource=qemu-ca-certificate'.
This is caused by the fix for bug 1875386.
Before bug 1875386, ovirt-engine-rename didn't change qemu-cert.template at all - it also didn't change the hostname to be the new name.
Also, it does not update /etc/pki/ovirt-engine/qemu-cert.conf at all, keeping it pointing at the old name. This was missed in the fix for bug 1875386.
Version-Release number of selected component (if applicable):
4.4.4.1
How reproducible:
Always
Steps to Reproduce:
- Install and setup an engine with some FQDN
- Run ovirt-engine-rename
- grep authorityInfoAccess /etc/pki/ovirt-engine/qemu-cert.{conf,template}
Actual results:
qemu-cert.template points at:
caIssuers;URI:http://$NEW_FQDN:80/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
qemu-cert.conf points at:
caIssuers;URI:http://$OLD_FQDN:80/ovirt-engine/services/pki-resource?resource=qemu-ca-certificate&format=X509-PEM-CA
Expected results:
Both point at:
caIssuers;URI:http://$NEW_FQDN:80/ovirt-engine/services/pki-resource?resource=qemu-ca-certificate&format=X509-PEM-CA
Additional info:
Not sure how this affects use of certificates generated with the wrong conf. If it causes a problem, it should be fixed by reenrolling certificates for the host, after the engine is updated to a version that contains a fix to current bug.