Merge "Revert "Point InternalTLSVncCAFile to /etc/ipa/ca.crt"" into stable/stein

This commit is contained in:
Zuul 2019-08-21 01:03:22 +00:00 committed by Gerrit Code Review
commit 99e0eed40a
3 changed files with 2 additions and 12 deletions

View File

@ -102,7 +102,7 @@ parameters:
type: string
description: Specifies the CA cert to use for NBD TLS.
InternalTLSVncCAFile:
default: '/etc/ipa/ca.crt'
default: '/etc/pki/CA/certs/vnc.crt'
type: string
description: Specifies the CA cert to use for VNC TLS.
InternalTLSQemuCAFile:

View File

@ -51,7 +51,7 @@ parameters:
enable TLS transaport for libvirt VNC and configure the
relevant keys for libvirt.
InternalTLSVncCAFile:
default: '/etc/ipa/ca.crt'
default: '/etc/pki/CA/certs/vnc.crt'
type: string
description: Specifies the CA cert to use for VNC TLS.
LibvirtVncCACert:

View File

@ -1,10 +0,0 @@
---
fixes:
- |
In case the freeipa CA is a sub CA of an external CA the InternalTLSVncCAFile
requrested does not have the full CA chain and only have the free IPA
CA. As a result qemu which can not verify the vnc certificate sent by
the vnc-proxy. The issue is in certmonger as it does not return the full
CA chain.
As a workaround, until certmonger is fixed, this change points the
InternalTLSVncCAFile to /etc/ipa/ca.crt which has the full CA chain.