[ovirt-users] Problem with restoring engine
Hello, today I tried to migrate the hosted engine from our Default Datacenter (NFS) to our Ceph Datacenter. The deployment worked with the automatic "hosted-engine --deploy --restore-from-file=backup/file_name" command. Perfect.

Only thing is: I messed up with the cluster name. The name should be Luise01 but I entered Luise1. Duh...

Now I want to bring the engine back to the Default Datacenter. Easy thing. Just repeat the same steps again.

1. Enable global ha maintenance
2. Stop and disable the engine
3. create the engine backup
4 ... continue with all the steps from chapter 13.1.8 RHEV Docs 4.3 Beta.

Everything looked great. The ansible playbook was running, then asking for the storage domain. I entered the NFS path. It got registered, but then the ansible playbook errors out with

[ INFO ] TASK [ovirt.hosted_engine_setup : Add VM]
[ ERROR ] Error: Fault reason is "Operation Failed". Fault detail is "[Cannot attach Virtual Disk. The target Data Center does not contain the Virtual Disk.]". HTTP response code is 409.
[ ERROR ] fatal: [localhost]: FAILED! => {"changed": false, "msg": "Fault reason is \"Operation Failed\". Fault detail is \"[Cannot attach Virtual Disk. The target Data Center does not contain the Virtual Disk.]\". HTTP response code is 409."}
[ ERROR ] Failed to execute stage 'Closing up': Failed executing ansible-playbook
[ INFO ] Stage: Clean up
[ INFO ] Cleaning temporary resources

I see that there is a bug report on https://bugzilla.redhat.com/show_bug.cgi?id=1649424

Any idea how to get around this error?

Additionally I now have a HostedEngineLocal (shut off) on that node... How do I remove it? engine-cleanup?

Have to get some sleep.

best regards.
___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZFCLFWRN6XR6KMHMC63O7J37D5GNPVKZ/
[ovirt-users] Re: replaced ovirt certs, now i'm locked out with unable to find valid certification path
This had nothing to do with LDAP or anything, just trying to change the cert to a 3rd party signed one. Until I did those two steps I was unable to sign into the portal, as I just had a java error every time, it had nothing to do with LDAP.

For me, that SSL document is really confusing because it's not clear how some parts of the certs require full chain, some parts are just the actual 3rd party cert, and some parts it seems like it says "CA" cert, does it mean the root cert? Or does it just mean the 3rd party cert you're installing? Does it require a p12 file? The article says "we suggest storing .p12 here" but it doesn't say "you must put your .p12 here".

Right now it works, sort of. I'm able to sign into portal, but I'm unable to connect to any of the VM consoles. I don't know where to go from here, the article says nothing about SPICE, is spice also supposed to work after the cert change? Or is that part of another article that we can't see? Is a cert placed wrong?

When I try to connect to a console, it errors out with "could not connect to server". The log on the VM host says:

(process:31241): Spice-WARNING **: 14:04:43.782: reds-stream.c:469:reds_stream_ssl_accept: SSL_accept failed, error=1
139940713029056:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1493:SSL alert number 48

in the engine server.log:

2019-05-04 20:09:55,479-04 INFO [org.apache.commons.httpclient.HttpMethodBase] (EE-ManagedThreadFactory-engine-Thread-14097) Response content length is not known

and the .vv file from ovirt looks like this, it has a private cert, for the host, but the 3rd part for the host? Is this right? What about a proxy? Does that come into play? Did I miss a cert?

[virt-viewer]
type=spice
host=172.16.x.x
port=5901
password=zYhIyn7/zVju
# Password is valid for 120 seconds.
delete-this-file=1
fullscreen=0
title=ADFSTwo:%d
toggle-fullscreen=shift+f11
release-cursor=shift+f12
secure-attention=ctrl+alt+end
tls-port=5902
enable-smartcard=0
enable-usb-autoshare=1
usb-filter=-1,-1,-1,-1,0
tls-ciphers=DEFAULT
host-subject=
ca=-BEGIN CERTIFICATE-\nMIIDdTCCAl2gAwIBAgILBAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx\nGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds\nb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV\nBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD\nVQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa\nDuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc\nTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb\nKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdGsnUOhugZitVtbNV4FpWi6cgKOOvyJBNP\nc1STE4U6G7weNLWLBYy5d4ux2x8gkasJU26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrX\ngzT/LCrBbBlDSgeF59N89iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\nHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUF\nAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOzyj1hTdNGCbM+w6Dj\nY1Ub8rrvrTnhQ7k4o+YviiY776BQVv nGCv04zcQLcFGUl5gE38NflNUVyRRBnMRddWQVDf9VMOyG\nj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymPAbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhH\nhm4qxFYxldBniYUr+WymXUadDKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveC\nX4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==\n-END CERTIFICATE-\n
secure-channels=main;inputs;cursor;playback;record;display;smartcard;usbredir
versions=rhev-win64:2.0-160;rhev-win32:2.0-160;rhel7:2.0-6;rhel6:99.0-1
newer-version-url=http://www.ovirt.org/documentation/admin-guide/virt/console-client-resources

[ovirt]
host=ovirt.wanderingmad.com:443
vm-guid=8779c8b7-18e8-49ef-aff4-d84609a519a3
sso-token=fjTGwB266hsU57uyOffllkPYG2m2wnaZnQJlUswKL3bYg9YM7rOfJ3QH-aBMibqbQsCEiV7AzPn39AWz40p_SA
admin=1

Should I replace certs on the host?
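Added example, not part of the original thread or of oVirt's code: the "unknown ca" alert in the host log above is sent by the console client, which checks the host's SPICE certificate against the ca= value in the .vv file, so this code extracts that CA and compares its SHA-256 fingerprint with the CA that issued the host certificate. All function names and sample data are constructed; the "certificates" are stand-in bytes in PEM armor, which is sufficient for fingerprint comparison but is not real X.509.

```python
import base64
import configparser
import hashlib
import re

# Tolerates the reduced dash count seen in the archived copy of the .vv file.
PEM_RE = re.compile(r"-+BEGIN CERTIFICATE-+(.*?)-+END CERTIFICATE-+", re.S)

def pem_fingerprints(pem_text):
    """SHA-256 fingerprint (hex) of every certificate in a PEM bundle."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)]

def vv_tls_settings(vv_text):
    """Extract the TLS-relevant fields from a virt-viewer .vv file."""
    cp = configparser.ConfigParser(interpolation=None)  # title= contains %d
    cp.read_string(vv_text)
    vv = cp["virt-viewer"]
    # ca= is a single line with literal "\n" escapes between the PEM rows.
    ca_pem = vv.get("ca", "").replace("\\n", "\n")
    return {
        "host": vv.get("host"),
        "tls_port": vv.get("tls-port"),
        "host_subject": vv.get("host-subject", ""),
        "ca_fingerprints": pem_fingerprints(ca_pem),
    }

def client_trusts_issuer(vv_text, issuer_pem):
    """True if the CA that signed the host's SPICE cert is in the .vv ca= set."""
    trusted = set(vv_tls_settings(vv_text)["ca_fingerprints"])
    issuer = pem_fingerprints(issuer_pem)
    return bool(issuer) and all(fp in trusted for fp in issuer)

def fake_pem(raw):
    """Constructed stand-in for a certificate: PEM armor around arbitrary bytes."""
    b64 = base64.b64encode(raw).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

# Constructed sample data, not taken from the thread.
THIRD_PARTY_CA = fake_pem(b"constructed third-party root CA")
INTERNAL_CA = fake_pem(b"constructed engine-internal CA")
SAMPLE_VV = (
    "[virt-viewer]\ntype=spice\nhost=192.0.2.10\ntls-port=5902\n"
    "# Password is valid for 120 seconds.\ntitle=vm:%d\nhost-subject=\n"
    "ca=" + THIRD_PARTY_CA.replace("\n", "\\n") + "\n"
)

if __name__ == "__main__":
    print(vv_tls_settings(SAMPLE_VV))
    print("internal CA trusted:", client_trusts_issuer(SAMPLE_VV, INTERNAL_CA))
```

With real files, pass the PEM of the CA that signed the host's SPICE certificate as issuer_pem; the hex digest is the same value `openssl x509 -noout -fingerprint -sha256` prints, minus the colons and in lowercase.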
[ovirt-users] Re: replaced ovirt certs, now i'm locked out with unable to find valid certification path
Hi,

On Sat, May 4, 2019 at 1:24 AM wrote:
>
> I fixed this 30 minutes after I posted this. So for anyone else that has
> this issue, It turns out that the cert wasn't getting imported after running
> the command "keytool -import -alias ovirt -keystore ./cacerts -file
> <3rdpartycert>.cer" manually, as "update-ca-trust" did not add it
> automatically. Also, the default password for the keystore is "changeit",
> and I put the keystore password in the "99-custom-truststore.conf" file, not
> the "" entry like the article says.

Can you please elaborate?

I assume you refer to this doc:

[1] https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html

I never tried configuring access to LDAP (TLS or not).

I think you either mix things a bit, or I fail to follow. In particular:

ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD should indeed usually be empty. If you use a custom trust store for this, instead of the system-wide /etc/pki/java/cacerts, it's indeed up to you - you can protect it with a password, and then have to provide that password in this param.

"changeit" is the default password for the engine-internal truststore, "/etc/pki/ovirt-engine/.truststore". But above procedure does not suggest to add your 3rd-party CA cert there. If you need to, that's a bug. We recently fixed such a bug:

https://bugzilla.redhat.com/1687301

"keytool -import -alias ovirt -keystore ./cacerts -file <3rdpartycert>.cer" is mentioned only in the second part, about LDAP access. It suggests to create another truststore, and use that in the aaa configuration. You should indeed use the same password when creating it and in the aaa conf (but do not need to do that in the engine conf).

On Sat, May 4, 2019 at 2:23 AM wrote:
>
> It appears I spoke too soon, even though I can now get into the ovirt portal,
> I can't connect with the spice console. Even after recopying the cert and
> key over and restarting the service.

Please provide more details:

What exactly did you change when trying to use 3rd-party CA certs?

What error do you get and where?

What do you see in relevant log files?

Thanks and best regards,
--
Didi