Bug #3896
Closed
OVirt console connection fails
Description
Our RHEV manager is behind a firewall & so from Foreman server we opened up port 443 for management through the API & 5900-6011 for console access.
Things didn't work, connection timed out. I narrowed it down to some code in app/models/compute_resources/foreman/model/ovirt.rb, lines 218ff:
def cacert
  ca_url = URI.parse(url)
  ca_url.path = "/ca.crt"
  ca_url.scheme = "http"
  ca_url.port = 8080 if ca_url.port == 8443
  ca_url.port = 80 if ca_url.port == 443
  Net::HTTP.get(ca_url).to_s
end
It's fetching the (normally) self-signed CA certificate over an unencrypted channel & later on using this to validate the SSL connection. This is in effect no different to connecting directly over SSL & disabling certificate verification, but it does mean that port 80 or 8080 needs to be opened up as well which there seems no need to do.
I see 2 options:
1. Connect over SSL to retrieve the CA certificate, but disable certificate verification.
2. Retrieve & store the CA certificate only when the compute resource is added & display a warning to user around connecting to insecure site.
I prefer 2, but this is more work to implement. I have already written the trivial patch for 1 & will submit a pull request for this soon.
Thanks,
Jimmi
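Option 2 from the description above, sketched as an added example (not Foreman's code and not the patch submitted for this issue): the CA certificate is stored once when the compute resource is added, and later connections are validated only against that stored copy. The names `make_cert`, `pin_ca`, `trusted_by_pin?`, `ca_changed?` and `demo`, and all certificates and host names, are assumptions constructed for the demonstration.

```ruby
require "openssl"

# Constructed demo helper: issue a certificate (self-signed CA when no issuer is given).
def make_cert(cn, key, issuer_cert = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new.create_extension("basicConstraints", issuer_cert ? "CA:FALSE" : "CA:TRUE", true)
  cert.add_extension(ext)
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Option 2: called once, when the compute resource is added. Returns what to persist.
def pin_ca(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  { pem: cert.to_pem, sha256: OpenSSL::Digest::SHA256.hexdigest(cert.to_der) }
end

# Every later connection: trust only the stored CA, never a freshly fetched one.
def trusted_by_pin?(pin, server_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(pin[:pem]))
  store.verify(server_cert)
end

# Detect that the CA offered now differs from the one the operator accepted.
def ca_changed?(pin, pem)
  OpenSSL::Digest::SHA256.hexdigest(OpenSSL::X509::Certificate.new(pem).to_der) != pin[:sha256]
end

# Constructed sample data: the real CA, a server cert it issued, and a look-alike CA
# (same subject, different key) standing in for a tampered /ca.crt response.
def demo
  ca_key, rogue_key, srv_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca = make_cert("demo-ca", ca_key)
  rogue = make_cert("demo-ca", rogue_key)
  pin = pin_ca(ca.to_pem) # stored when the compute resource is added
  { genuine_ok: trusted_by_pin?(pin, make_cert("rhevm.example.test", srv_key, ca, ca_key)),
    rogue_ok: trusted_by_pin?(pin, make_cert("rhevm.example.test", srv_key, rogue, rogue_key)),
    same_ca_changed: ca_changed?(pin, ca.to_pem),
    rogue_ca_changed: ca_changed?(pin, rogue.to_pem) }
end

p demo if $PROGRAM_NAME == __FILE__
```

The first fetch is still unauthenticated, which is why option 2 pairs it with a warning to the user; the stored fingerprint is what the operator would confirm out of band.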
Updated by Dominic Cleal about 11 years ago
- Status changed from New to Ready For Testing
- Assignee set to Jimmi Dyson
- Target version set to 1.9.3
Updated by Anonymous almost 11 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 6a85948c0fea29e86ff3c290db08e80cbe6e0a52.
Updated by Dominic Cleal almost 11 years ago
- Release set to 2