Merge "Revert "Point InternalTLSVncCAFile to /etc/ipa/ca.crt"" into stable/stein
This commit is contained in:
commit
99e0eed40a
|
@ -102,7 +102,7 @@ parameters:
|
|||
type: string
|
||||
description: Specifies the CA cert to use for NBD TLS.
|
||||
InternalTLSVncCAFile:
|
||||
default: '/etc/ipa/ca.crt'
|
||||
default: '/etc/pki/CA/certs/vnc.crt'
|
||||
type: string
|
||||
description: Specifies the CA cert to use for VNC TLS.
|
||||
InternalTLSQemuCAFile:
|
||||
|
|
|
@ -51,7 +51,7 @@ parameters:
|
|||
enable TLS transaport for libvirt VNC and configure the
|
||||
relevant keys for libvirt.
|
||||
InternalTLSVncCAFile:
|
||||
default: '/etc/ipa/ca.crt'
|
||||
default: '/etc/pki/CA/certs/vnc.crt'
|
||||
type: string
|
||||
description: Specifies the CA cert to use for VNC TLS.
|
||||
LibvirtVncCACert:
|
||||
|
|
|
@ -1,10 +0,0 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
In case the freeipa CA is a sub CA of an external CA the InternalTLSVncCAFile
|
||||
requrested does not have the full CA chain and only have the free IPA
|
||||
CA. As a result qemu which can not verify the vnc certificate sent by
|
||||
the vnc-proxy. The issue is in certmonger as it does not return the full
|
||||
CA chain.
|
||||
As a workaround, until certmonger is fixed, this change points the
|
||||
InternalTLSVncCAFile to /etc/ipa/ca.crt which has the full CA chain.
|
Loading…
Reference in New Issue