[ovirt-users] Re: VDSM certs expired, manual renewal not working

2023-05-04 Thread michael . d1 . holt
How did you update keys/engine.p12?
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WK23TUNISYVE7JFYZOGE3YTONABNGQLE/


[ovirt-users] Re: VDSM certs expired, manual renewal not working

2023-03-10 Thread cen

I did not, but I finally found the issue; what a ride this was.

After updating keys/engine.p12 the hosts finally showed up. While there are 
probably more outdated certs and some parts are not working, now I can 
finally do regular enrollments.

I was right all along: the auth cert was causing the problem, I just had 
to find it. Unfortunately there are zero docs on engine.p12, so it was all 
deduction and luck in the end.



On 10/03/2023 11:41, Patrick Chiang wrote:
> Hi,
>
> > Yes, that is the exact guide I followed.
> > I can now actually use vdsm-client on each host after cert swap
> > but ovirt-engine still can't establish connection.
> >
> > I had to manually generate the apache certs to get into the UI
> > console at the beginning and that was successful.
> >
> > Is there a specific cert that ovirt-engine uses for mTLS handshake?
>
> Did you also try these?
>
> mgr cert expired https://access.redhat.com/solutions/4780411
> host cert expired https://access.redhat.com/solutions/3532921
> Another one for host cert expiration 
> https://access.redhat.com/solutions/6215911
> manually connect to guest VM https://access.redhat.com/solutions/3830921
>
> I referred to these to fix my certs. Not sure if you can find the useful 
> info you want.
> Patrick


[ovirt-users] Re: VDSM certs expired, manual renewal not working

2023-03-10 Thread Patrick Chiang
Hi,

> Yes, that is the exact guide I followed.
> I can now actually use vdsm-client on each host after cert swap but
> ovirt-engine still can't establish connection.
>
> I had to manually generate the apache certs to get into the UI console at
> the beginning and that was successful.
>
> Is there a specific cert that ovirt-engine uses for mTLS handshake?
>
Did you also try these?

mgr cert expired https://access.redhat.com/solutions/4780411
host cert expired https://access.redhat.com/solutions/3532921
Another one for host cert expiration
https://access.redhat.com/solutions/6215911
manually connect to guest VM https://access.redhat.com/solutions/3830921

I referred to these to fix my certs. Not sure if you can find the useful info
you want.

Patrick


[ovirt-users] Re: VDSM certs expired, manual renewal not working

2023-03-09 Thread cen

Yes, that is the exact guide I followed.

I can now actually use vdsm-client on each host after the cert swap, but 
ovirt-engine still can't establish a connection.

I had to manually generate the apache certs to get into the UI console 
at the beginning and that was successful.

Is there a specific cert that ovirt-engine uses for the mTLS handshake?



On 10/03/2023 07:54, Patrick Chiang wrote:
> Hi,
>
> > Where do host certs need to be stored on the ovirt-engine side?
>
> Did you try this link?
> https://access.redhat.com/solutions/3532921
> How to manually renew RHV host SSL certificate if expired?
>
> You can register a Red Hat developer subscription (free) to access 
> this link.
>
> Patrick


[ovirt-users] Re: VDSM certs expired, manual renewal not working

2023-03-09 Thread Patrick Chiang
Hi,

> Where do host certs need to be stored on the ovirt-engine side?
>

Did you try this link?
https://access.redhat.com/solutions/3532921
How to manually renew RHV host SSL certificate if expired?

You can register a Red Hat developer subscription (free) to access this
link.

Patrick


[ovirt-users] Re: VDSM certs expired, manual renewal not working

2023-03-09 Thread cen
To continue the troubleshooting: I believe there is mutual SSL between 
ovirt-engine and the host, so I think what I am missing is to put this new 
cert somewhere for ovirt-engine to use it for client cert auth.

But where to put it? I noticed that generating the cert does not put it 
in /etc/pki/ovirt-engine/certs, although I am not sure if that is 
significant or not.

I tried to manually replace the cert there named hostname.cer but it 
doesn't do anything.

Where do host certs need to be stored on the ovirt-engine side?

I also updated the libvirt-migrate cert, which has its own key and a 
different CA, but that didn't make a difference.



Best regards


On 10/03/2023 05:13, cen wrote:
> Hi
>
> Our VDSM certs have expired, both hosts are unassigned and can't be 
> put into maintenance from the UI.
>
> vdsm-client is not working, it times out even with the --insecure flag. Do 
> host and port need to be specified when run locally or should defaults 
> work?
>
> The error in console events is: Get Host Capabilities Failed: PKIX path 
> validation failed...
>
> I followed a RHV guide for this exact situation and generated a new vdsm 
> certificate using the ovirt-engine CA.
>
> The new cert seems identical to the old one, everything matches 
> (algos, extensions, CA, CN, SAN etc), just a new date.
>
> After restarting libvirtd and vdsmd on the host with the new cert in place 
> the host is still not reachable.
>
> However, the error message is now slightly different:
>
> get Host Capabilities failed: Received fatal error: certificate_expired
>
> The cert was replaced in the following locations:
>
> /etc/pki/vdsm/certs/vdsmcert.pem
> /etc/pki/vdsm/libvirt-spice/server-cert.pem
> /etc/pki/libvirt/clientcert.pem
>
> Is there another location missing? What else can I try?
>
> All help appreciated in advance


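As an added example (not code from the thread or from the oVirt project), a POSIX shell check for the three symptoms the thread runs through on the host side: a cert that is expired or about to expire (the `certificate_expired` alert), a swapped cert whose private key no longer matches, and a cert that does not chain to the CA the peer trusts (the `PKIX path validation failed` error). Only the three cert paths come from the thread; the key and CA file paths and the `check_all` pairing are assumptions to adjust to your installation.

```shell
#!/bin/sh
# Added example, not code from the thread or from oVirt: checks a host cert
# for expiry, key mismatch and a broken chain to the CA. Key and CA paths
# below are assumptions; only the cert paths come from the thread.
set -u

# check_cert CERT KEY CA [DAYS]: prints one verdict line per check and
# returns 0 if all pass, 1 if any check fails, 2 if CERT is unreadable.
check_cert() {
  cert=$1; key=$2; ca=$3; days=${4:-30}; rc=0
  [ -r "$cert" ] || { echo "MISSING   $cert"; return 2; }
  enddate=$(openssl x509 -in "$cert" -noout -enddate)
  # 1. expiry: -checkend takes seconds. 'certificate_expired' in the engine
  #    log means the cert the peer actually presented fails this check.
  if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
    echo "OK        $cert ($enddate)"
  else
    echo "EXPIRING  $cert ($enddate)"; rc=1
  fi
  # 2. key match: compare SHA-256 of the public key from cert and key file.
  if [ -r "$key" ]; then
    cpub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    if [ "$cpub" = "$kpub" ]; then echo "OK        $key matches $cert"
    else echo "MISMATCH  $key does not match $cert"; rc=1; fi
  fi
  # 3. chain: 'PKIX path validation failed' means no path to a trusted CA;
  #    -no_check_time keeps expiry out of this check so the causes stay separate.
  if [ -r "$ca" ]; then
    if openssl verify -no_check_time -CAfile "$ca" "$cert" >/dev/null 2>&1; then
      echo "OK        $cert chains to $ca"
    else echo "UNTRUSTED $cert does not chain to $ca"; rc=1; fi
  fi
  return $rc
}

# The three locations replaced in the thread, paired with the key and CA files
# assumed to go with them (adjust to your installation). Usage: check_all [DAYS]
check_all() {
  days=${1:-30}
  check_cert /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/keys/vdsmkey.pem \
             /etc/pki/vdsm/certs/cacert.pem "$days"
  check_cert /etc/pki/vdsm/libvirt-spice/server-cert.pem \
             /etc/pki/vdsm/libvirt-spice/server-key.pem \
             /etc/pki/vdsm/libvirt-spice/ca-cert.pem "$days"
  check_cert /etc/pki/libvirt/clientcert.pem /etc/pki/libvirt/private/clientkey.pem \
             /etc/pki/CA/cacert.pem "$days"
}
```

Running `check_all` on a host before and after a cert swap shows which of the three conditions actually changed; the same `check_cert` call works against any cert/key/CA triple, including the engine-side files, once you know their paths.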