[ovirt-users] Re: how to force engine certificate renewal

2022-06-06 Thread Gianluca Cecchi 
On Mon, Jun 6, 2022 at 3:08 PM Maton, Brett 
wrote:

> Hi Gianluca,
>
>   My issue is I'm getting the alert, but 'engine-setup --offline' is not
> offering to update the certificates.
>   At the moment I'm hoping it's simply that engine is reporting that
> certificates need to be renewed before engine-setup is configured to offer
> the option to upgrade.
>
> Cheers,
> Brett
>
>
Yes, I understood it and I also subscribed to your bugzilla.
My post was to give a sample of an expiry offset sufficient to get the
prompt...
My suspicion is that the web admin portal has hardcoded a 6 months notice,
while the "engine-setup" command has a 3 months one.
It should be easy to verify for someone who knows the code (not me... ;-).

Gianluca
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/2MC2HPIFCZMDU34D3FHAONG6FIKYLCJC/

[ovirt-users] Re: how to force engine certificate renewal

2022-06-06 Thread Maton, Brett 
Hi Gianluca,

  My issue is I'm getting the alert, but 'engine-setup --offline' is not
offering to update the certificates.
  At the moment I'm hoping it's simply that engine is reporting that
certificates need to be renewed before engine-setup is configured to offer
the option to upgrade.

Cheers,
Brett

On Mon, 6 Jun 2022 at 14:05, Gianluca Cecchi 
wrote:

> On Mon, Jun 6, 2022 at 2:54 PM Maton, Brett 
> wrote:
>
>> Opened a bug report:  2093954 – Engine certificate alert, no option to
>> update offered by engine-setup (redhat.com)
>> 
>>
>>
> A the beginning of last week I had to apply a certificate renewal on a RHV
> 4.4.7 environment.
> It is the commercial product but I think pretty similar in behaviour to
> the corresponding oVirt release. The engine certificate would have expired
> on 17th of August, so in between 2 and 3 months later.
>
> The command "engine-setup --offline" automatically proposed to renew them.
> It gave:
> "
>   --== PKI CONFIGURATION ==--
>
>   One or more of the certificates should be renewed, because they
> expire soon, or include an invalid expiry date, or they were created with
> validity period longer than 398 days, or do not include the subjectAltName
> extension, which can cause them to be rejected by recent browsers and up to
> date hosts.
>   See https://access.redhat.com/solutions/1572983 for more
> details.
>   Renew certificates? (Yes, No) [No]: Yes
> "
> and then going ahead:
>
> "
> . . .
> [ INFO  ] Upgrading CA
> [ INFO  ] Renewing engine certificate
> [ INFO  ] Renewing jboss certificate
> [ INFO  ] Renewing websocket-proxy certificate
> [ INFO  ] Renewing apache certificate
> [ INFO  ] Renewing reports certificate
> [ INFO  ] Updating OVN SSL configuration
> [ INFO  ] Updating OVN timeout configuration
> . . .
> [ INFO  ] Restarting httpd
>   Web access is enabled at:
>   http://my_engine:80/ovirt-engine
>   https://my_egine:443/ovirt-engine
> . . .
>   --== END OF SUMMARY ==--
> "
>
> But I don't know the exact number of days under which to get the prompt
> and if this number is in any way configurable...
> Gianluca
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/3RZ6K22L3M72MTR7RLFEKNKSUETKD2DC/

[ovirt-users] Re: how to force engine certificate renewal

2022-06-06 Thread Gianluca Cecchi 
On Mon, Jun 6, 2022 at 2:54 PM Maton, Brett 
wrote:

> Opened a bug report:  2093954 – Engine certificate alert, no option to
> update offered by engine-setup (redhat.com)
> 
>
>
A the beginning of last week I had to apply a certificate renewal on a RHV
4.4.7 environment.
It is the commercial product but I think pretty similar in behaviour to the
corresponding oVirt release. The engine certificate would have expired on
17th of August, so in between 2 and 3 months later.

The command "engine-setup --offline" automatically proposed to renew them.
It gave:
"
  --== PKI CONFIGURATION ==--

  One or more of the certificates should be renewed, because they
expire soon, or include an invalid expiry date, or they were created with
validity period longer than 398 days, or do not include the subjectAltName
extension, which can cause them to be rejected by recent browsers and up to
date hosts.
  See https://access.redhat.com/solutions/1572983 for more details.
  Renew certificates? (Yes, No) [No]: Yes
"
and then going ahead:

"
. . .
[ INFO  ] Upgrading CA
[ INFO  ] Renewing engine certificate
[ INFO  ] Renewing jboss certificate
[ INFO  ] Renewing websocket-proxy certificate
[ INFO  ] Renewing apache certificate
[ INFO  ] Renewing reports certificate
[ INFO  ] Updating OVN SSL configuration
[ INFO  ] Updating OVN timeout configuration
. . .
[ INFO  ] Restarting httpd
  Web access is enabled at:
  http://my_engine:80/ovirt-engine
  https://my_egine:443/ovirt-engine
. . .
  --== END OF SUMMARY ==--
"

But I don't know the exact number of days under which to get the prompt and
if this number is in any way configurable...
Gianluca
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/USQEBUUR3V7LCWDIJ5YRTSMLFHTLJZDF/

[ovirt-users] Re: how to force engine certificate renewal

2022-06-06 Thread Maton, Brett 
Opened a bug report:  2093954 – Engine certificate alert, no option to
update offered by engine-setup (redhat.com)


On Mon, 6 Jun 2022 at 13:06, Patrick Hibbs  wrote:

> I wouldn't force it. I tried that last week and spent the weekend
> reinstalling the engine host. Due to the engine no longer being able to
> install new / reinstall existing hosts or enroll host certificates after
> doing so.
>
> Might just be better to wait until engine-setup does it automatically.
>
> -Patrick Hibbs
>
> On Mon, 2022-06-06 at 07:26 +0100, Maton, Brett wrote:
>
> oVirt: 4.5.0.8-1.el8
>
> Hi,
>
>   I got a warning yesterday that the engine certificate is 'about' to
> expire, in 6 months
>
>   Engine's certification is about to expire at 2022-12-10. Please renew
> the engine's certification.
>
>   I tried 'engine-setup --offline' but wasn't prompted to update the
> engine certificate.
>
> Regards,
> Brett
>
> On Thu, 26 May 2022 at 10:14, Gianluca Cecchi 
> wrote:
>
> Hello,
> I'm currently still on 4.4.x.
> Suppose I have an engine certificate expiring on mid August and I want to
> force renew it now using "engine-setup --offline" command.
> How can I do it if possible?
> How many days before expiration I get the message that it is expiring soon
> with a proposal of renewing it when running "engine-setup"?
>
> Thanks,
> Gianluca
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/4BZ724AJQ3OWJRZLCSR2Y3PPCBKG7QNC/
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/PWETJKNUX4WXAWCAYSWVMY6QSV46GVZK/
>
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/YFVV2L2C4GFLO5I5AKYBZN5QLA3ERBXD/
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/44JAJE7EJLYHPYI767D4GHB6WN45DE5F/

[ovirt-users] Re: how to force engine certificate renewal

2022-06-06 Thread Patrick Hibbs 
I wouldn't force it. I tried that last week and spent the weekend
reinstalling the engine host. Due to the engine no longer being able to
install new / reinstall existing hosts or enroll host certificates
after doing so.

Might just be better to wait until engine-setup does it automatically.

-Patrick Hibbs

On Mon, 2022-06-06 at 07:26 +0100, Maton, Brett wrote:
> oVirt: 4.5.0.8-1.el8
> 
> Hi,
> 
>   I got a warning yesterday that the engine certificate is 'about' to
> expire, in 6 months
> >   Engine's certification is about to expire at 2022-12-10. Please
> > renew the engine's certification.
> > 
> 
>   I tried 'engine-setup --offline' but wasn't prompted to update the
> engine certificate.
> 
> Regards,
> Brett
> 
> On Thu, 26 May 2022 at 10:14, Gianluca Cecchi
>  wrote:
> > Hello,
> > I'm currently still on 4.4.x.
> > Suppose I have an engine certificate expiring on mid August and I
> > want to force renew it now using "engine-setup --offline" command.
> > How can I do it if possible?
> > How many days before expiration I get the message that it is
> > expiring soon with a proposal of renewing it when running "engine-
> > setup"?
> > 
> > Thanks,
> > Gianluca
> > ___
> > Users mailing list -- users@ovirt.org
> > To unsubscribe send an email to users-le...@ovirt.org
> > Privacy Statement: https://www.ovirt.org/privacy-policy.html
> > oVirt Code of Conduct:
> > https://www.ovirt.org/community/about/community-guidelines/
> > List Archives:
> >
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/4BZ724AJQ3OWJRZLCSR2Y3PPCBKG7QNC/
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/PWETJKNUX4WXAWCAYSWVMY6QSV46GVZK/

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/YFVV2L2C4GFLO5I5AKYBZN5QLA3ERBXD/

[ovirt-users] Re: how to force engine certificate renewal

2022-06-06 Thread Maton, Brett 
oVirt: 4.5.0.8-1.el8

Hi,

  I got a warning yesterday that the engine certificate is 'about' to
expire, in 6 months

>   Engine's certification is about to expire at 2022-12-10. Please renew
> the engine's certification.

  I tried 'engine-setup --offline' but wasn't prompted to update the engine
certificate.

Regards,
Brett

On Thu, 26 May 2022 at 10:14, Gianluca Cecchi 
wrote:

> Hello,
> I'm currently still on 4.4.x.
> Suppose I have an engine certificate expiring on mid August and I want to
> force renew it now using "engine-setup --offline" command.
> How can I do it if possible?
> How many days before expiration I get the message that it is expiring soon
> with a proposal of renewing it when running "engine-setup"?
>
> Thanks,
> Gianluca
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/4BZ724AJQ3OWJRZLCSR2Y3PPCBKG7QNC/
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PWETJKNUX4WXAWCAYSWVMY6QSV46GVZK/