Project

General

Profile

Actions

Bug #3896

closed

OVirt console connection fails

Added by Jimmi Dyson over 10 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Compute resources
Target version:
Difficulty:
easy
Triaged:
Fixed in Releases:
Found in Releases:

Description

Our RHEV manager is behind a firewall & so from Foreman server we opened up port 443 for mnagement through the API & 5900-6011 for console access.

Things didn't work, connection timed out. I narrowed it down to some code in app/models/compute_resources/foreman/model/ovirt.rb, lines 218ff:

def cacert
ca_url = URI.parse(url)
ca_url.path = "/ca.crt"
ca_url.scheme = "http"
ca_url.port = 8080 if ca_url.port 8443
ca_url.port = 80 if ca_url.port 443
Net::HTTP.get(ca_url).to_s
end

It's fetching the (normally) self-signed CA certificate over an unencrypted channel & later on using this to validate the SSL connection. This is in effect no different to connecting directly over SSL & disabling certificate verification, but it does mean that port 80 or 8080 needs to be opened up as well which there seems no need to do.

I see 2 options:

1. Connect over SSL to retrieve the CA certificate, but disable certificate verification.
2. Retrieve & store the CA certificate only when the compute resource is added & display a warning to user around connecting to insecure site.

I prefer 2, but this is more work to implement. I have already written the trivial patch for 1 & will submit a pull request for this soon.

Thanks,
Jimmi

Actions #1

Updated by Dominic Cleal over 10 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Jimmi Dyson
  • Target version set to 1.9.3
Actions #2

Updated by Anonymous about 10 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #3

Updated by Dominic Cleal about 10 years ago

  • translation missing: en.field_release set to 2
Actions

Also available in: Atom PDF