Hi list,
During our datacenter's lifetime many things changed. We moved the engine
twice on different hosts with, of course, different FQDNs, and many
other changes. Now we are stuck with an error when we try to upload an
image to a data domain. The error is somehow bound to a failure to
validate the ovirt-imageio-proxy certificate and, since the current root
CA certificate is still signed with sha1WithRSAEncryption, we'd like to
regenerate the whole CA.

These are the steps we've taken, without success:

1) Make a tar.gz of the /etc/pki/ovirt-engine as backup
2) Create a new CA cert using the same private key:
        openssl req -key /etc/pki/ovirt-engine/private/ca.pem -new -x509 \
            -days 3650 -sha256 -extensions v3_ca -out newca.cert.pem
3) Put the new CA cert in place
        mv ca.pem ca.pem.orig.20190219;mv newca.cert.pem ca.pem
4) Re-sign all the other certs
        names="engine apache websocket-proxy jboss imageio-proxy"
        for name in $names; do
        subject="$(
                openssl \
                        x509 \
                        -in /etc/pki/ovirt-engine/certs/"${name}".cer \
                        -noout \
                        -subject \
                | sed \
                        's;subject= \(.*\);\1;' \
                )"
        /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh \
            --name="${name}" \
            --password=mypass \
            --subject="${subject}" \
            --keep-key
        done
5) Restart all the services
        systemctl restart httpd
        systemctl restart ovirt-engine
        systemctl restart ovirt-websocket-proxy
        systemctl restart ovirt-imageio-proxy


The following step was to take the backup at 1) and fall back to the
initial state because nothing worked as expected.

Is there any documented procedure for recreating the oVirt CA from
scratch?

Thanks in advance
-- 
gb

PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BBHOYNCALUHU7HQJOXA7KCN2MDFRT6JR/
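
Added example, not part of the original post or of oVirt's tooling: a read-only check to run after steps 2 to 4 that reports each certificate's signature algorithm, whether it verifies against the CA certificate now in place, and whether the old and new CA certificates carry the same key. The function names are hypothetical, and the usage line assumes the `ca.pem` of step 3 is `/etc/pki/ovirt-engine/ca.pem`.

```shell
#!/bin/sh
# Added example (not from the post). Function names are hypothetical.
# Usage: sh audit-pki.sh /etc/pki/ovirt-engine/ca.pem /etc/pki/ovirt-engine/certs/*.cer

# Print a certificate's signature algorithm, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Print a SHA-256 digest of the public key carried in a certificate.
pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
        openssl dgst -sha256 | awk '{ print $NF }'
}

# Succeed if two certificates carry the same public key. After step 2 this
# should hold for ca.pem.orig.20190219 and the new ca.pem.
same_key() {
    [ -r "$1" ] && [ -r "$2" ] &&
        [ "$(pubkey_digest "$1")" = "$(pubkey_digest "$2")" ]
}

# Succeed if CERT ($2) verifies with CA ($1) supplied as the trusted CA file.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# audit_certs CA CERT...: one report line per certificate; non-zero status
# if any certificate has a SHA-1/MD5 signature or does not verify against CA.
audit_certs() (
    ca=$1; shift
    rc=0
    for cert in "$@"; do
        alg=$(sig_alg "$cert")
        findings=
        case $alg in
            sha1*|md5*) findings="weak-signature" ;;
        esac
        chains_to "$ca" "$cert" || findings="${findings:+$findings,}not-issued-by-ca"
        [ -z "$findings" ] || rc=1
        printf '%s\t%s\t%s\n' "$cert" "${alg:-unreadable}" "${findings:-ok}"
    done
    [ "$rc" -eq 0 ]
)

# Run the audit only when a CA and at least one certificate are given.
if [ "$#" -ge 2 ]; then audit_certs "$@"; fi
```
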
