[ovirt-users] Problem with restoring engine

2019-05-05 Thread Andreas Elvers
Hello today I tried to migrate the hosted engine from our Default Datacenter 
(NFS) to our Ceph Datacenter. The deployment worked with the automatic  
"hosted-engine --deploy --restore-from-file=backup/file_name" command. Perfect.

Only thing is: I messed up with the cluster name. The name should be Luise01 
but I entered Luise1. Duh...

Now I want to bring the engine back to the Default Datacenter. Easy thing. Just 
repeat the same steps again.

1. Enable global HA maintenance
2. Stop and disable the engine
3. Create the engine backup
4. ... continue with all the steps from chapter 13.1.8 of the RHEV 4.3 Beta docs.

Everything looked great. The ansible playbook was running, then asking for the 
storage domain. I entered the NFS path. It got registered, but then the ansible 
playbook errors out with 

[ INFO  ] TASK [ovirt.hosted_engine_setup : Add VM]
[ ERROR ] Error: Fault reason is "Operation Failed". Fault detail is "[Cannot 
attach Virtual Disk. The target Data Center does not contain the Virtual 
Disk.]". HTTP response code is 409.
[ ERROR ] fatal: [localhost]: FAILED! => {"changed": false, "msg": "Fault 
reason is \"Operation Failed\". Fault detail is \"[Cannot attach Virtual Disk. 
The target Data Center does not contain the Virtual Disk.]\". HTTP response 
code is 409."}
[ ERROR ] Failed to execute stage 'Closing up': Failed executing 
ansible-playbook
[ INFO  ] Stage: Clean up
[ INFO  ] Cleaning temporary resources

I see that there is a bug report on 
https://bugzilla.redhat.com/show_bug.cgi?id=1649424

Any idea how to get around this error?

Additionally I now have a HostedEngineLocal (shut off) on that node... How do I 
remove it?
engine-cleanup ?

Have to get some sleep.

best regards. 
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZFCLFWRN6XR6KMHMC63O7J37D5GNPVKZ/


[ovirt-users] Re: replaced ovirt certs, now i'm locked out with unable to find valid certification path

2019-05-05 Thread michael
This had nothing to do with LDAP or anything, just trying to change the cert to 
a 3rd-party signed one. Until I did those two steps I was unable to sign into 
the portal, as I just had a Java error every time; it had nothing to do with 
LDAP. For me, that SSL document is really confusing because it's not clear 
how some parts of the certs require the full chain, some parts are just the actual 
3rd-party cert, and some parts it seems like it says "CA" cert. Does it mean 
the root cert? Or does it just mean the 3rd-party cert you're installing? 
Does it require a .p12 file? The article says "we suggest storing .p12 here" 
but it doesn't say "you must put your .p12 here". 

Right now it works, sort of. I'm able to sign into the portal, but I'm unable to 
connect to any of the VM consoles. I don't know where to go from here; the 
article says nothing about SPICE. Is SPICE also supposed to work after the cert 
change? Or is that part of another article that we can't see? Is a cert 
placed wrong? When I try to connect to a console, it errors out with "could 
not connect to server". The log on the VM host says:

(process:31241): Spice-WARNING **: 14:04:43.782: 
reds-stream.c:469:reds_stream_ssl_accept: SSL_accept failed, error=1
139940713029056:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown 
ca:s3_pkt.c:1493:SSL alert number 48

in the engine server.log:
2019-05-04 20:09:55,479-04 INFO  [org.apache.commons.httpclient.HttpMethodBase] 
(EE-ManagedThreadFactory-engine-Thread-14097) Response content length is not 
known

And the .vv file from oVirt looks like this. It has a private cert for the 
host, but the 3rd party for the host? Is this right? What about a proxy? Does 
that come into play? Did I miss a cert?
 
[virt-viewer]
type=spice
host=172.16.x.x
port=5901
password=zYhIyn7/zVju
# Password is valid for 120 seconds.
delete-this-file=1
fullscreen=0
title=ADFSTwo:%d
toggle-fullscreen=shift+f11
release-cursor=shift+f12
secure-attention=ctrl+alt+end
tls-port=5902
enable-smartcard=0
enable-usb-autoshare=1
usb-filter=-1,-1,-1,-1,0
tls-ciphers=DEFAULT
host-subject=
ca=-----BEGIN CERTIFICATE-----\nMIIDdTCCAl2gAwIBAgILBAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx\nGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds\nb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV\nBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD\nVQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa\nDuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc\nTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb\nKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdGsnUOhugZitVtbNV4FpWi6cgKOOvyJBNP\nc1STE4U6G7weNLWLBYy5d4ux2x8gkasJU26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrX\ngzT/LCrBbBlDSgeF59N89iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\nHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUF\nAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOzyj1hTdNGCbM+w6Dj\nY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE38NflNUVyRRBnMRddWQVDf9VMOyG\nj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymPAbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhH\nhm4qxFYxldBniYUr+WymXUadDKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveC\nX4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==\n-----END CERTIFICATE-----\n
secure-channels=main;inputs;cursor;playback;record;display;smartcard;usbredir
versions=rhev-win64:2.0-160;rhev-win32:2.0-160;rhel7:2.0-6;rhel6:99.0-1
newer-version-url=http://www.ovirt.org/documentation/admin-guide/virt/console-client-resources

[ovirt]
host=ovirt.wanderingmad.com:443
vm-guid=8779c8b7-18e8-49ef-aff4-d84609a519a3
sso-token=fjTGwB266hsU57uyOffllkPYG2m2wnaZnQJlUswKL3bYg9YM7rOfJ3QH-aBMibqbQsCEiV7AzPn39AWz40p_SA
admin=1

Should I replace certs on the host?
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/E6GBISUVQW2MKEKJPO65CQYW5XYHEAKB/
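The Spice-WARNING quoted above is the host's SPICE server reporting that the client tore the handshake down with TLS alert 48 (unknown CA): virt-viewer validates the tls-port connection against the certificate carried in the ca= key of the .vv file, and the .vv posted here carries a public root CA, not the oVirt engine CA that normally signs the hosts' SPICE certificates. The script below is an added example, not code from the original post or from oVirt: a stdlib-only Python check that parses a .vv file (configparser plus the literal backslash-n line breaks oVirt writes into ca=), decodes the embedded CA, and compares its subject with the issuer named in the host's SPICE certificate. Everything it runs on is constructed: the certificates are unsigned DER skeletons, the .vv text is a trimmed copy of the layout above, and the DNs (engine.example.test, host1.example.test, the random-suffix organisation in the engine CA's C/O/CN shape) are assumed; only the third-party subject mirrors the root the posted .vv embeds.

```python
"""Does the CA in a virt-viewer .vv file (the SPICE client's trust anchor for tls-port)
match the issuer of the host's SPICE certificate?  Stdlib only: a minimal DER walk."""
import base64
import configparser

# DER-encoded attribute OIDs: 2.5.4.3 CN, 2.5.4.6 C, 2.5.4.10 O, 2.5.4.11 OU
CN, C, O, OU = b"\x55\x04\x03", b"\x55\x04\x06", b"\x55\x04\x0a", b"\x55\x04\x0b"
OID_NAMES = {CN: "CN", C: "C", O: "O", OU: "OU"}
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"      # 1.2.840.113549.1.1.11

def der_read(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length

def der_children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = der_read(buf, pos)
        yield tag, vs, ve

def decode_name(buf, start, end):
    """X.501 Name (SEQUENCE OF SET OF {oid, value}) -> 'C=..,O=..,CN=..'."""
    rdns = []
    for _, ss, se in der_children(buf, start, end):             # each RDN (SET)
        for _, as_, ae in der_children(buf, ss, se):            # each AttributeTypeAndValue
            (_, os_, oe), (_, vs, ve) = der_children(buf, as_, ae)
            attr = OID_NAMES.get(buf[os_:oe], buf[os_:oe].hex())
            rdns.append(f"{attr}={buf[vs:ve].decode('utf-8')}")  # Printable/UTF8String
    return ",".join(rdns)

def cert_names(cert):
    """(issuer, subject) of a DER X.509 certificate. The signature is NOT verified."""
    _, cs, _, _ = der_read(cert, 0)                   # Certificate
    _, ts, te, _ = der_read(cert, cs)                 # tbsCertificate
    fields = list(der_children(cert, ts, te))
    if fields[0][0] == 0xA0:                          # optional explicit [0] version
        fields = fields[1:]
    # remaining order: serial, signatureAlgorithm, issuer, validity, subject, spki, ...
    return decode_name(cert, *fields[2][1:]), decode_name(cert, *fields[4][1:])

def vv_ca_der(vv_text):
    """ca= under [virt-viewer]: PEM whose line breaks are the literal two characters \\n."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(vv_text)
    pem = cp["virt-viewer"]["ca"].replace("\\n", "\n")
    return base64.b64decode("".join(l for l in pem.splitlines() if l and not l.startswith("-----")))

def spice_ca_matches(vv_text, host_cert_der):
    """True when the .vv trust anchor's subject equals the issuer the host cert names.
    A mismatch is what the host logs as 'tlsv1 alert unknown ca' (TLS alert 48)."""
    _, ca_subject = cert_names(vv_ca_der(vv_text))
    host_issuer, _ = cert_names(host_cert_der)
    return ca_subject == host_issuer

# ---- constructed fixtures: unsigned certificate skeletons, not real certificates ----
def tlv(tag, payload):                                # encode one DER TLV
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def name(attrs):
    """[(oid_bytes, text)] -> DER Name with UTF8String values."""
    return tlv(0x30, b"".join(tlv(0x31, tlv(0x30, tlv(0x06, o) + tlv(0x0C, v.encode())))
                              for o, v in attrs))

def fake_cert(issuer, subject):
    """Structurally valid X.509 v3 skeleton with an empty SPKI and a zero "signature"."""
    alg = tlv(0x30, tlv(0x06, SHA256_RSA))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name(issuer)
              + tlv(0x30, tlv(0x17, b"190101000000Z") + tlv(0x17, b"290101000000Z"))
              + name(subject) + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\x00"))

# Assumed DNs: the C/O/CN shape of oVirt's internal CA and host certs (suffix invented),
# and a subject mirroring the third-party root embedded in the .vv above.
ENGINE_CA = [(C, "US"), (O, "example.test.24865"), (CN, "engine.example.test.24865")]
HOST_SPICE = [(C, "US"), (O, "example.test.24865"), (CN, "host1.example.test")]
THIRD_PARTY_ROOT = [(C, "BE"), (O, "GlobalSign nv-sa"), (OU, "Root CA"), (CN, "GlobalSign Root CA")]

def sample_vv(ca_der):
    """Constructed .vv in the layout oVirt emits (keys trimmed); ca= is PEM with literal \\n."""
    pem = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(ca_der).decode() + "-----END CERTIFICATE-----\n"
    return ("[virt-viewer]\ntype=spice\nhost=172.16.0.10\nport=5901\ntls-port=5902\n"
            "password=constructed-ticket\n# Password is valid for 120 seconds.\nhost-subject=\n"
            "ca=" + pem.replace("\n", "\\n") + "\n[ovirt]\nhost=engine.example.test:443\n")

if __name__ == "__main__":
    host = fake_cert(ENGINE_CA, HOST_SPICE)
    for label, anchor in (("third-party root", THIRD_PARTY_ROOT), ("engine CA", ENGINE_CA)):
        ok = spice_ca_matches(sample_vv(fake_cert(anchor, anchor)), host)
        print(f"ca= {label:16} -> {'ok' if ok else 'MISMATCH, client will send alert 48 unknown ca'}")
```

To run the same comparison on a live deployment, feed `spice_ca_matches` the text of a freshly downloaded .vv and the DER of the certificate the host's SPICE server actually presents (on an oVirt host that is typically /etc/pki/vdsm/libvirt-spice/server-cert.pem, converted with `ssl.PEM_cert_to_DER_cert`). The check is a name comparison only: a real client also verifies the signature and, when host-subject is set, the subject, so a match here rules out the unknown-CA cause but does not prove the chain is valid.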


[ovirt-users] Re: replaced ovirt certs, now i'm locked out with unable to find valid certification path

2019-05-05 Thread Yedidyah Bar David
Hi,

On Sat, May 4, 2019 at 1:24 AM  wrote:
>
> I fixed this 30 minutes after I posted this.  So for anyone else that has 
> this issue, it turns out that the cert wasn't getting imported after running 
> the command "keytool -import -alias ovirt -keystore ./cacerts -file 
> <3rdpartycert>.cer" manually, as "update-ca-trust" did not add it 
> automatically.  Also, the default password for the keystore is "changeit", 
> and I put the keystore password in the "99-custom-truststore.conf" file, not 
> the "" entry like the article says.

Can you please elaborate?

I assume you refer to this doc:

[1] https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html

I never tried configuring access to LDAP (TLS or not).

I think you either mix things a bit, or I fail to follow. In particular:

ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD should indeed usually be empty.
If you use a custom trust store for this, instead of the system-wide
/etc/pki/java/cacerts, it's indeed up to you - you can protect it with
a password, and then have to provide that password in this param.

"changeit" is the default password for the engine-internal truststore,
"/etc/pki/ovirt-engine/.truststore". But above procedure does not
suggest to add your 3rd-party CA cert there. If you need to, that's a
bug. We recently fixed such a bug:

https://bugzilla.redhat.com/1687301

"keytool -import -alias ovirt -keystore ./cacerts -file
<3rdpartycert>.cer" is mentioned only in the second part, about LDAP
access. It suggests to create another truststore, and use that in the
aaa configuration. You should indeed use the same password when
creating it and in the aaa conf (but do not need to do that in the
engine conf).

On Sat, May 4, 2019 at 2:23 AM  wrote:
>
> It appears I spoke too soon, even though I can now get into the ovirt portal, 
> I can't connect with the spice console.  Even after recopying the cert and 
> key over and restarting the service.

Please provide more details: What exactly did you change when trying
to use 3rd-party CA certs? What error do you get and where? What do
you see in relevant log files?

Thanks and best regards,
-- 
Didi
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/C25UX6TZNSISXCPPVMXMPZIA73DHSS7M/