[ovirt-users] Re: Upgrade 4.3 to 4.4 node to manager communication error

2020-09-03 Thread Pierre Labanowski

On 03/09/2020 at 15:49, Martin Perina wrote:
>
>
> On Thu, Sep 3, 2020 at 2:56 PM Pierre pit wrote:
>
> I have a communication problem between all the nodes and the
> manager following the upgrade from 4.3 to 4.4. I followed the
> procedure of update 4.3 to 4.4 everything worked correctly,
> according to the import export scripts as well as the installation
> setup on the new manager in 4.4, all is ok. Only after connection
> to the manager, all the nodes are in a down state, there is no
> more communication between the manager newly installed in 4.4 and
> the nodes still in production in 4.3.
>
> In the manager I have this message for all the nodes:
> ` VDSM virtdell8 command Get Host Capabilities failed: PKIX path
> validation failed: java.security.cert.CertPathValidatorException:
> Algorithm constraints check failed on signature algorithm:
> SHA256withRSA`
>
>
> Hi Pierre,
>
> Hmm, the following error is a bit misleading, but it gives a clue to
> me. Could you please check the key size of your ovirt-engine CA key?
>
> openssl x509 -text -noout -in /etc/pki/ovirt-engine/ca.pem | grep 'RSA Public-Key'

Hi Martin,

Thank you very much for your answer. Indeed, the size of the key is 1024
bits. I ran the command "update-crypto-policies --set LEGACY" (I don't
know this command).
Everything is ok now. Thank you very much for your expertise. \o/


>
> If your key size is less than 2048 bits, then you need to change
> crypto policy of your CentOS 8 to LEGACY using below steps:
>
> 1. Execute 'update-crypto-policies --set LEGACY'
> 2. Reboot the machine
>
> That should mitigate the issue, but I'm really curious, this should
> not happen unless your engine was installed in oVirt 3.0 era and then
> continuously upgraded up to 4.4, because we have switched to 2048 bits
> in 2012:


It has actually been a long time since I upgrade oVirt from version to
version. I had some mishaps with oVirt 2.2 and it seems to me since
oVirt 3.0 the upgrade is done regularly.


>
> https://gerrit.ovirt.org/4389
>
> Is this your case?
>
No, it is not me.

Again, thanks for your reply. I could not find it all alone.

Regards,

Pierre


>
> Regards,
> Martin
>
>
> And on the nodes:
> ` 2020-09-01 17:38:13,083+0200 ERROR (Reactor thread)
> [ProtocolDetector.SSLHandshakeDispatcher] ssl handshake: SSLError,
> address: :::XXX.XXX.XXX.XXX (sslutils:264)
>  vdsm[4400]: ERROR ssl handshake: SSLError, address:
> :::XXX.XXX.XXX.XXX`
>
> After a search on the forums I found a similar error on version
> 4.2 only the solution of comment `ssl_excludes` in the
> `/etc/vdsm/vdsm.conf` file but does not apply to my problem.
>
> I unfortunately had to backtrack because it was no longer possible
> to control ovirt and use the manager for our production. the new
> machine with the manager in 4.4 is offline while a solution is found
>
> Do you know where should I look in order to solve this problem?
>
> thank you in advance
> Pierre
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/CE34HLTRN54HVOJNK3ZCNXH66CIYFSQS/
>
>
>
> -- 
> Martin Perina
> Manager, Software Engineering
> Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BGPZHSLNRLIA5JQU2BDX2PFWADAHDVOP/


[ovirt-users] Re: Upgrade 4.3 to 4.4 node to manager communication error

2020-09-03 Thread Yedidyah Bar David
On Thu, Sep 3, 2020 at 4:49 PM Martin Perina wrote:
>
>
>
> On Thu, Sep 3, 2020 at 2:56 PM Pierre pit wrote:
>>
>> I have a communication problem between all the nodes and the manager 
>> following the upgrade from 4.3 to 4.4. I followed the procedure of update 
>> 4.3 to 4.4 everything worked correctly, according to the import export 
>> scripts as well as the installation setup on the new manager in 4.4, all is 
>> ok. Only after connection to the manager, all the nodes are in a down state, 
>> there is no more communication between the manager newly installed in 4.4 
>> and the nodes still in production in 4.3.
>>
>> In the manager I have this message for all the nodes:
>> ` VDSM virtdell8 command Get Host Capabilities failed: PKIX path validation 
>> failed: java.security.cert.CertPathValidatorException: Algorithm constraints 
>> check failed on signature algorithm: SHA256withRSA`

Are you sure this is the full error? Searching for it in google finds
me only 2 results. Dropping "SHA256withRSA" finds about 770, which
gave me a clue to search for:

"Algorithm constraints check failed on signature
algorithm:SHA256WithRSAEncryption"

which finds 25 results. Not that many, but more than 2.

>
>
> Hi Pierre,
>
> Hmm, the following error is a bit misleading, but it gives a clue to me. 
> Could you please check the key size of your ovirt-engine CA key?
>
> openssl x509 -text -noout -in /etc/pki/ovirt-engine/ca.pem | grep 'RSA Public-Key'
>
> If your key size is less than 2048 bits, then you need to change crypto 
> policy of your CentOS 8 to LEGACY using below steps:
>
> 1. Execute 'update-crypto-policies --set LEGACY'
> 2. Reboot the machine
>
> That should mitigate the issue, but I'm really curious, this should not 
> happen unless your engine was installed in oVirt 3.0 era and then 
> continuously upgraded up to 4.4, because we have switched to 2048 bits in 
> 2012:
>
> https://gerrit.ovirt.org/4389
>
> Is this your case?

Also: anything non-default, non-standard about your setup? Either
before or after the upgrade? In particular, added yum/dnf repos (such
as EPEL)? Which openjdk versions do you have installed?

Best regards,

>
>
> Regards,
> Martin
>
>>
>> And on the nodes:
>> ` 2020-09-01 17:38:13,083+0200 ERROR (Reactor thread) 
>> [ProtocolDetector.SSLHandshakeDispatcher] ssl handshake: SSLError, address: 
>> :::XXX.XXX.XXX.XXX (sslutils:264)
>>  vdsm[4400]: ERROR ssl handshake: SSLError, address: :::XXX.XXX.XXX.XXX`
>>
>> After a search on the forums I found a similar error on version 4.2 only the 
>> solution of comment `ssl_excludes` in the `/etc/vdsm/vdsm.conf` file but 
>> does not apply to my problem.
>>
>> I unfortunately had to backtrack because it was no longer possible to 
>> control ovirt and use the manager for our production. the new machine with 
>> the manager in 4.4 is offline while a solution is found
>>
>> Do you know where should I look in order to solve this problem?
>>
>> thank you in advance
>> Pierre
>
>
>
> --
> Martin Perina
> Manager, Software Engineering
> Red Hat Czech s.r.o.



-- 
Didi
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/OIBZ6BKURLAAP77XHZAWAINB2DBSB2MD/


[ovirt-users] Re: Upgrade 4.3 to 4.4 node to manager communication error

2020-09-03 Thread Martin Perina
On Thu, Sep 3, 2020 at 2:56 PM Pierre pit wrote:

> I have a communication problem between all the nodes and the manager
> following the upgrade from 4.3 to 4.4. I followed the procedure of update
> 4.3 to 4.4 everything worked correctly, according to the import export
> scripts as well as the installation setup on the new manager in 4.4, all is
> ok. Only after connection to the manager, all the nodes are in a down
> state, there is no more communication between the manager newly installed
> in 4.4 and the nodes still in production in 4.3.
>
> In the manager I have this message for all the nodes:
> ` VDSM virtdell8 command Get Host Capabilities failed: PKIX path
> validation failed: java.security.cert.CertPathValidatorException: Algorithm
> constraints check failed on signature algorithm: SHA256withRSA`
>

Hi Pierre,

Hmm, the following error is a bit misleading, but it gives a clue to me.
Could you please check the key size of your ovirt-engine CA key?

openssl x509 -text -noout -in /etc/pki/ovirt-engine/ca.pem | grep 'RSA Public-Key'

If your key size is less than 2048 bits, then you need to change crypto
policy of your CentOS 8 to LEGACY using below steps:

1. Execute 'update-crypto-policies --set LEGACY'
2. Reboot the machine

That should mitigate the issue, but I'm really curious, this should not
happen unless your engine was installed in oVirt 3.0 era and then
continuously upgraded up to 4.4, because we have switched to 2048 bits in
2012:

https://gerrit.ovirt.org/4389

Is this your case?


Regards,
Martin


> And on the nodes:
> ` 2020-09-01 17:38:13,083+0200 ERROR (Reactor thread)
> [ProtocolDetector.SSLHandshakeDispatcher] ssl handshake: SSLError, address:
> :::XXX.XXX.XXX.XXX (sslutils:264)
>  vdsm[4400]: ERROR ssl handshake: SSLError, address:
> :::XXX.XXX.XXX.XXX`
>
> After a search on the forums I found a similar error on version 4.2 only
> the solution of comment `ssl_excludes` in the `/etc/vdsm/vdsm.conf` file
> but does not apply to my problem.
>
> I unfortunately had to backtrack because it was no longer possible to
> control ovirt and use the manager for our production. the new machine with
> the manager in 4.4 is offline while a solution is found
>
> Do you know where should I look in order to solve this problem?
>
> thank you in advance
> Pierre
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/7HGFTJMMZYUUGW2O3IMP27RKABRISTLD/
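
Added example, not part of the original thread and not oVirt project code: a script form of the key-size check Martin describes, using the 2048-bit threshold from his message. The function names and the two certificate-text samples are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): report the RSA key size from
# `openssl x509 -text -noout` output and compare it to the 2048-bit
# threshold named in the thread.
MIN_RSA_BITS=2048

# stdin: certificate text. stdout: key size in bits, empty if not found.
# Accepts "RSA Public-Key: (N bit)" (OpenSSL 1.1.x) and the bare
# "Public-Key: (N bit)" that OpenSSL 3.x prints, which
# grep 'RSA Public-Key' would miss.
key_bits() {
    sed -n 's/^[[:space:]]*\(RSA \)\{0,1\}Public-Key: (\([0-9][0-9]*\) bit).*/\2/p' |
        head -n 1
}

# $1: key size in bits. stdout: weak | ok | unknown
verdict() {
    case $1 in
        '' | *[!0-9]*) echo unknown ;;
        *) if [ "$1" -lt "$MIN_RSA_BITS" ]; then echo weak; else echo ok; fi ;;
    esac
}

# $1: path to a PEM certificate (needs the openssl CLI).
check_cert() {
    bits=$(openssl x509 -text -noout -in "$1" | key_bits)
    printf '%s: %s bits -> %s\n' "$1" "${bits:-?}" "$(verdict "$bits")"
}

# Constructed excerpts of certificate text, one per output style.
sample_1024() {
    printf '%s\n' '        Subject Public Key Info:' \
        '            Public Key Algorithm: rsaEncryption' \
        '                RSA Public-Key: (1024 bit)'
}
sample_2048() {
    printf '%s\n' '        Subject Public Key Info:' \
        '            Public Key Algorithm: rsaEncryption' \
        '                Public-Key: (2048 bit)'
}

if [ "$#" -gt 0 ]; then
    for cert in "$@"; do check_cert "$cert"; done
else
    echo "constructed 1024-bit sample: $(verdict "$(sample_1024 | key_bits)")"
    echo "constructed 2048-bit sample: $(verdict "$(sample_2048 | key_bits)")"
fi
```

Run it with one or more certificate paths (for instance the ca.pem path from the thread) to check real files. `update-crypto-policies --show` prints the policy currently active on the host.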