rhevm-shell with commercial SSL certificate

I have switched RHEV-M to use a commercial SSL certificate by editing /etc/httpd/conf.d/ssl.conf.

When I tried to use rhevm-shell, the connection failed:

[root@desktop certs]# rhevm-shell -c -l https://desktop.example.com/api -A /etc/pki/ovirt-engine/desktop_example_com.ca-bundle
Username: admin@internal
Password:
error: [ERROR]::Connection failure, [Errno 1] _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

rhevm-shell is able to connect if I download a CA Cert file from curl.haxx.se and use that as the CA_FILE.

[root@desktop tmp]# curl -O http://curl.haxx.se/ca/cacert.pem
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  245k  100  245k    0     0   307k      0 --:--:-- --:--:-- --:--:--  350k

[root@desktop tmp]# rhevm-shell -c -l https://desktop.example.com/api -A ./cacert.pem 
Username: admin@internal
Password: 

 ==========================================
 >>> connected to RHEVM manager 3.1.0.0 <<<
 ==========================================

 ++++++++++++++++++++++++++++++++++++++++++

           Welcome to RHEVM shell

 ++++++++++++++++++++++++++++++++++++++++++

[RHEVM shell (connected)]# 

Responses

The easiest workaround would be to use -I and ignore the certificate, but are you sure the certificate pair you have is valid? If it is, you should not be seeing the "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" error.

I am sure that the certificate is valid.  We've been using it with Firefox and IE for a while.

/etc/pki/tls/certs/ca-bundle.crt also works as a CA_FILE. 

Perhaps the CA_FILE has to provide a certificate for a root CA for it to work.  The ca-bundle file provided by the issuer of our certificate contains only one certificate for an intermediate CA.
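As an added example (not from this thread or from RHEV), the script below builds a constructed root -> intermediate -> server chain with the openssl CLI and runs `openssl verify` twice: once with a CA_FILE holding only the intermediate, as the issuer's ca-bundle did, and once with root plus intermediate. All CA and host names are constructed; `has_root_ca` is a hypothetical helper that reports whether a bundle contains any self-signed certificate.

```shell
#!/bin/sh
# Added example: why a CA_FILE with only an intermediate CA fails chain verification.
# Constructed names: Example Root CA, Example Intermediate CA, desktop.example.com.
make_chain() {   # $1 = working directory; writes root.pem, inter.pem, server.pem, bundle.pem
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:desktop.example.com\n' >"$d/srv.ext"
  # self-signed root CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # intermediate CA, signed by the root
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  # server certificate, signed by the intermediate (what a commercial issuer hands out)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=desktop.example.com" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -extfile "$d/srv.ext" -out "$d/server.pem" 2>/dev/null
  cat "$d/root.pem" "$d/inter.pem" >"$d/bundle.pem"   # a complete CA_FILE: root plus intermediate
}
# Exit 0 if the PEM bundle ($1) contains at least one self-signed (root) certificate.
has_root_ca() {
  tmp=$(mktemp -d)
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/c" n ".pem")}' "$1"
  found=1
  for c in "$tmp"/c*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^[^=]*=//')
    iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^[^=]*=//')
    [ "$subj" = "$iss" ] && found=0   # subject == issuer means self-signed
  done
  rm -rf "$tmp"
  return $found
}
# Exit 0 if openssl accepts the server cert ($2) against CA_FILE ($1), as a TLS client would.
verifies_with() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
work=$(mktemp -d)
make_chain "$work"
for f in inter.pem bundle.pem; do
  has_root_ca "$work/$f" && r="contains a root CA" || r="no root CA"
  verifies_with "$work/$f" "$work/server.pem" && v="verify OK" || v="verify FAILED"
  echo "CA_FILE=$f: $r, $v"
done
```

Running `has_root_ca` on the ca-bundle an issuer ships is a quick way to tell whether it stops at the intermediate; if it does, the client has no trust anchor to chain to unless the root is appended.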

Generally speaking, the cert validation should work as long as the Subject in the host certificate matches the way you access it.