Re: [ovirt-users] Cannot install new host on 4.0, Certificate enrollment failed
Yes, I thought the same, good to have it cleared out! Thanks a lot, I like to know how it's running :) 2016-07-20 13:26 GMT+02:00 Juan Hernández : > On 07/20/2016 01:21 PM, Matt . wrote: >> Hi, >> >> Thanks a lot, it's good to know about this. >> >> There is no way to shorten the commonname ? or wil it aways used the >> hostname there, as it's cn I doubt if we can use something else there. >> >> Thanks! >> >> Matt >> > > I think it can't be shortened, as most TLS/SSL clients check that the > host name matches exactly the common name inside the certificate, and > this check would fail if you shorten it. > >> >> >> 2016-07-20 13:07 GMT+02:00 Juan Hernández : >>> On 07/20/2016 12:30 PM, Matt . wrote: Hi, I found out yesterday late I was looking in the certs folder for the serial, this was the issue all files are there. I need to test a shorter fqdn, which is a pity, but I wonder why it should be too long for a cert create. >>> >>> Looks like it is a limitation of the X.509 specification: >>> >>> ub-common-name INTEGER ::= 64 >>> ... >>> 520CommonName ::= CHOICE { >>> teletexString TeletexString (SIZE (1..ub-common-name)), >>> printableString PrintableString (SIZE (1..ub-common-name)), >>> universalString UniversalString (SIZE (1..ub-common-name)), >>> utf8StringUTF8String (SIZE (1..ub-common-name)), >>> bmpString BMPString (SIZE (1..ub-common-name)) } >>> >>> The source is RFC 5280: >>> >>> http://www.ietf.org/rfc/rfc5280.txt >>> >>> Maybe we should check these limits during the setup. >>> 2016-07-20 10:14 GMT+02:00 Juan Hernández : > On 07/19/2016 07:59 PM, Matt . wrote: >> Hi, >> >> Thanks for the heads up, I saw this in some thread too and this file >> was available here with the upcoming number. >> >> Which rightsdo the file has? >> >> I don't have a ca.pem in that cert folder anymore can that be an issue? >> > > In theory the ca.pem isn't needed to sign certificates, but the fact > that it isn't in that directory probably means that something has been > incorrectly manipulated, either manually or by the system itself. These > are the files/permissions from a working environment: > > lrwxrwxrwx. 1 root root28 Jul 8 11:34 apache-ca.pem -> > /etc/pki/ovirt-engine/ca.pem > -rw-r--r--. 1 root root 384 Jul 8 11:34 cacert.conf > -rw-r--r--. 1 root root 384 Jul 8 11:34 cacert.template > -rw-r--r--. 1 root root 384 Jul 18 20:46 cacert.template.in > -rw-r--r--. 1 root root 4587 Jul 8 11:34 ca.pem > -rw-r--r--. 1 root root 923 Jul 8 11:34 cert.conf > drwxr-xr-x. 2 ovirt ovirt 4096 Jul 18 20:46 certs > -rw-r--r--. 1 root root 923 Jul 8 11:34 cert.template > -rw-r--r--. 1 root root 717 Jul 18 20:46 cert.template.in > -rw-r--r--. 1 ovirt ovirt 667 Jul 8 11:42 database.txt > -rw-r--r--. 1 ovirt ovirt 20 Jul 8 11:42 database.txt.attr > -rw-r--r--. 1 ovirt ovirt 20 Jul 8 11:42 database.txt.attr.old > -rw-r--r--. 1 ovirt ovirt 599 Jul 8 11:42 database.txt.old > drwxr-xr-x. 2 root root 4096 Jul 18 20:46 keys > -rw-r--r--. 1 root root 548 Jul 18 20:46 openssl.conf > drwxr-x---. 2 ovirt ovirt 19 Jul 18 20:46 private > drwxr-xr-x. 2 ovirt ovirt 4096 Jul 18 20:46 requests > -rw-r--r--. 1 ovirt ovirt5 Jul 8 11:42 serial.txt > -rw-r--r--. 1 ovirt ovirt5 Jul 8 11:42 serial.txt.old > >> >> >> 2016-07-19 19:08 GMT+02:00 Juan Hernández : >>> On 07/19/2016 06:16 PM, Matt . wrote: Can anyone confirm what max. number of subdomains can be used for a certificate ? The length of 65 per subdomain should be default. 2016-07-19 15:06 GMT+02:00 Matt . : > It's the fqdn indeed, not it's hostname. > > Fqdn should be possible I thought as discussed before in the channel > (while ago). > > 2016-07-19 15:04 GMT+02:00 Yaniv Kaul : >> >> On Tue, Jul 19, 2016 at 3:43 PM, Matt . >> wrote: >>> >>> >>> kvm-01.hosts.services-01.clusters.mycluster-01.dc.ovirt.subdomain.dc-01.dc.my.network >> >> >> Is this the name of the host? perhaps it's a bit too long? >> Y. >>> >>> Not sure if this is relevant, but I had the same problem today, and the >>> cause was that the /etc/pki/ovirt-engine/serial.txt file was empty, and >>> openssl refused to open it. I wrote manually a number inside, taking the >>> value from /etc/pki/ovirt-engine/serial.txt.old (plus one), and then >>> things started to work. >>> >>> -- >>> Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta >>> 3ºD, 28016 Madrid, Spain >>> Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat >>> S.L
Re: [ovirt-users] Cannot install new host on 4.0, Certificate enrollment failed
On 07/20/2016 01:21 PM, Matt . wrote: > Hi, > > Thanks a lot, it's good to know about this. > > There is no way to shorten the commonname ? or wil it aways used the > hostname there, as it's cn I doubt if we can use something else there. > > Thanks! > > Matt > I think it can't be shortened, as most TLS/SSL clients check that the host name matches exactly the common name inside the certificate, and this check would fail if you shorten it. > > > 2016-07-20 13:07 GMT+02:00 Juan Hernández : >> On 07/20/2016 12:30 PM, Matt . wrote: >>> Hi, >>> >>> I found out yesterday late I was looking in the certs folder for the >>> serial, this was the issue all files are there. >>> >>> I need to test a shorter fqdn, which is a pity, but I wonder why it >>> should be too long for a cert create. >>> >> >> Looks like it is a limitation of the X.509 specification: >> >> ub-common-name INTEGER ::= 64 >> ... >> 520CommonName ::= CHOICE { >> teletexString TeletexString (SIZE (1..ub-common-name)), >> printableString PrintableString (SIZE (1..ub-common-name)), >> universalString UniversalString (SIZE (1..ub-common-name)), >> utf8StringUTF8String (SIZE (1..ub-common-name)), >> bmpString BMPString (SIZE (1..ub-common-name)) } >> >> The source is RFC 5280: >> >> http://www.ietf.org/rfc/rfc5280.txt >> >> Maybe we should check these limits during the setup. >> >>> >>> >>> 2016-07-20 10:14 GMT+02:00 Juan Hernández : On 07/19/2016 07:59 PM, Matt . wrote: > Hi, > > Thanks for the heads up, I saw this in some thread too and this file > was available here with the upcoming number. > > Which rightsdo the file has? > > I don't have a ca.pem in that cert folder anymore can that be an issue? > In theory the ca.pem isn't needed to sign certificates, but the fact that it isn't in that directory probably means that something has been incorrectly manipulated, either manually or by the system itself. These are the files/permissions from a working environment: lrwxrwxrwx. 1 root root28 Jul 8 11:34 apache-ca.pem -> /etc/pki/ovirt-engine/ca.pem -rw-r--r--. 1 root root 384 Jul 8 11:34 cacert.conf -rw-r--r--. 1 root root 384 Jul 8 11:34 cacert.template -rw-r--r--. 1 root root 384 Jul 18 20:46 cacert.template.in -rw-r--r--. 1 root root 4587 Jul 8 11:34 ca.pem -rw-r--r--. 1 root root 923 Jul 8 11:34 cert.conf drwxr-xr-x. 2 ovirt ovirt 4096 Jul 18 20:46 certs -rw-r--r--. 1 root root 923 Jul 8 11:34 cert.template -rw-r--r--. 1 root root 717 Jul 18 20:46 cert.template.in -rw-r--r--. 1 ovirt ovirt 667 Jul 8 11:42 database.txt -rw-r--r--. 1 ovirt ovirt 20 Jul 8 11:42 database.txt.attr -rw-r--r--. 1 ovirt ovirt 20 Jul 8 11:42 database.txt.attr.old -rw-r--r--. 1 ovirt ovirt 599 Jul 8 11:42 database.txt.old drwxr-xr-x. 2 root root 4096 Jul 18 20:46 keys -rw-r--r--. 1 root root 548 Jul 18 20:46 openssl.conf drwxr-x---. 2 ovirt ovirt 19 Jul 18 20:46 private drwxr-xr-x. 2 ovirt ovirt 4096 Jul 18 20:46 requests -rw-r--r--. 1 ovirt ovirt5 Jul 8 11:42 serial.txt -rw-r--r--. 1 ovirt ovirt5 Jul 8 11:42 serial.txt.old > > > 2016-07-19 19:08 GMT+02:00 Juan Hernández : >> On 07/19/2016 06:16 PM, Matt . wrote: >>> Can anyone confirm what max. number of subdomains can be used for a >>> certificate ? >>> >>> The length of 65 per subdomain should be default. >>> >>> 2016-07-19 15:06 GMT+02:00 Matt . : It's the fqdn indeed, not it's hostname. Fqdn should be possible I thought as discussed before in the channel (while ago). 2016-07-19 15:04 GMT+02:00 Yaniv Kaul : > > On Tue, Jul 19, 2016 at 3:43 PM, Matt . > wrote: >> >> >> kvm-01.hosts.services-01.clusters.mycluster-01.dc.ovirt.subdomain.dc-01.dc.my.network > > > Is this the name of the host? perhaps it's a bit too long? > Y. >> >> Not sure if this is relevant, but I had the same problem today, and the >> cause was that the /etc/pki/ovirt-engine/serial.txt file was empty, and >> openssl refused to open it. I wrote manually a number inside, taking the >> value from /etc/pki/ovirt-engine/serial.txt.old (plus one), and then >> things started to work. >> >> -- >> Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta >> 3ºD, 28016 Madrid, Spain >> Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L. -- Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L. >>> ___ >>> Users mailing list
Re: [ovirt-users] Cannot install new host on 4.0, Certificate enrollment failed
Hi, Thanks a lot, it's good to know about this. There is no way to shorten the commonname ? or wil it aways used the hostname there, as it's cn I doubt if we can use something else there. Thanks! Matt 2016-07-20 13:07 GMT+02:00 Juan Hernández : > On 07/20/2016 12:30 PM, Matt . wrote: >> Hi, >> >> I found out yesterday late I was looking in the certs folder for the >> serial, this was the issue all files are there. >> >> I need to test a shorter fqdn, which is a pity, but I wonder why it >> should be too long for a cert create. >> > > Looks like it is a limitation of the X.509 specification: > > ub-common-name INTEGER ::= 64 > ... > 520CommonName ::= CHOICE { > teletexString TeletexString (SIZE (1..ub-common-name)), > printableString PrintableString (SIZE (1..ub-common-name)), > universalString UniversalString (SIZE (1..ub-common-name)), > utf8StringUTF8String (SIZE (1..ub-common-name)), > bmpString BMPString (SIZE (1..ub-common-name)) } > > The source is RFC 5280: > > http://www.ietf.org/rfc/rfc5280.txt > > Maybe we should check these limits during the setup. > >> >> >> 2016-07-20 10:14 GMT+02:00 Juan Hernández : >>> On 07/19/2016 07:59 PM, Matt . wrote: Hi, Thanks for the heads up, I saw this in some thread too and this file was available here with the upcoming number. Which rightsdo the file has? I don't have a ca.pem in that cert folder anymore can that be an issue? >>> >>> In theory the ca.pem isn't needed to sign certificates, but the fact >>> that it isn't in that directory probably means that something has been >>> incorrectly manipulated, either manually or by the system itself. These >>> are the files/permissions from a working environment: >>> >>> lrwxrwxrwx. 1 root root28 Jul 8 11:34 apache-ca.pem -> >>> /etc/pki/ovirt-engine/ca.pem >>> -rw-r--r--. 1 root root 384 Jul 8 11:34 cacert.conf >>> -rw-r--r--. 1 root root 384 Jul 8 11:34 cacert.template >>> -rw-r--r--. 1 root root 384 Jul 18 20:46 cacert.template.in >>> -rw-r--r--. 1 root root 4587 Jul 8 11:34 ca.pem >>> -rw-r--r--. 1 root root 923 Jul 8 11:34 cert.conf >>> drwxr-xr-x. 2 ovirt ovirt 4096 Jul 18 20:46 certs >>> -rw-r--r--. 1 root root 923 Jul 8 11:34 cert.template >>> -rw-r--r--. 1 root root 717 Jul 18 20:46 cert.template.in >>> -rw-r--r--. 1 ovirt ovirt 667 Jul 8 11:42 database.txt >>> -rw-r--r--. 1 ovirt ovirt 20 Jul 8 11:42 database.txt.attr >>> -rw-r--r--. 1 ovirt ovirt 20 Jul 8 11:42 database.txt.attr.old >>> -rw-r--r--. 1 ovirt ovirt 599 Jul 8 11:42 database.txt.old >>> drwxr-xr-x. 2 root root 4096 Jul 18 20:46 keys >>> -rw-r--r--. 1 root root 548 Jul 18 20:46 openssl.conf >>> drwxr-x---. 2 ovirt ovirt 19 Jul 18 20:46 private >>> drwxr-xr-x. 2 ovirt ovirt 4096 Jul 18 20:46 requests >>> -rw-r--r--. 1 ovirt ovirt5 Jul 8 11:42 serial.txt >>> -rw-r--r--. 1 ovirt ovirt5 Jul 8 11:42 serial.txt.old >>> 2016-07-19 19:08 GMT+02:00 Juan Hernández : > On 07/19/2016 06:16 PM, Matt . wrote: >> Can anyone confirm what max. number of subdomains can be used for a >> certificate ? >> >> The length of 65 per subdomain should be default. >> >> 2016-07-19 15:06 GMT+02:00 Matt . : >>> It's the fqdn indeed, not it's hostname. >>> >>> Fqdn should be possible I thought as discussed before in the channel >>> (while ago). >>> >>> 2016-07-19 15:04 GMT+02:00 Yaniv Kaul : On Tue, Jul 19, 2016 at 3:43 PM, Matt . wrote: > > > kvm-01.hosts.services-01.clusters.mycluster-01.dc.ovirt.subdomain.dc-01.dc.my.network Is this the name of the host? perhaps it's a bit too long? Y. > > Not sure if this is relevant, but I had the same problem today, and the > cause was that the /etc/pki/ovirt-engine/serial.txt file was empty, and > openssl refused to open it. I wrote manually a number inside, taking the > value from /etc/pki/ovirt-engine/serial.txt.old (plus one), and then > things started to work. > > -- > Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta > 3ºD, 28016 Madrid, Spain > Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L. >>> >>> >>> -- >>> Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta >>> 3ºD, 28016 Madrid, Spain >>> Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L. >> ___ >> Users mailing list >> Users@ovirt.org >> http://lists.ovirt.org/mailman/listinfo/users >> > > > -- > Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta > 3ºD, 28016 Madrid, Spain > Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/li
Re: [ovirt-users] Cannot install new host on 4.0, Certificate enrollment failed
On 07/20/2016 12:30 PM, Matt . wrote: > Hi, > > I found out yesterday late I was looking in the certs folder for the > serial, this was the issue all files are there. > > I need to test a shorter fqdn, which is a pity, but I wonder why it > should be too long for a cert create. > Looks like it is a limitation of the X.509 specification: ub-common-name INTEGER ::= 64 ... 520CommonName ::= CHOICE { teletexString TeletexString (SIZE (1..ub-common-name)), printableString PrintableString (SIZE (1..ub-common-name)), universalString UniversalString (SIZE (1..ub-common-name)), utf8StringUTF8String (SIZE (1..ub-common-name)), bmpString BMPString (SIZE (1..ub-common-name)) } The source is RFC 5280: http://www.ietf.org/rfc/rfc5280.txt Maybe we should check these limits during the setup. > > > 2016-07-20 10:14 GMT+02:00 Juan Hernández : >> On 07/19/2016 07:59 PM, Matt . wrote: >>> Hi, >>> >>> Thanks for the heads up, I saw this in some thread too and this file >>> was available here with the upcoming number. >>> >>> Which rightsdo the file has? >>> >>> I don't have a ca.pem in that cert folder anymore can that be an issue? >>> >> >> In theory the ca.pem isn't needed to sign certificates, but the fact >> that it isn't in that directory probably means that something has been >> incorrectly manipulated, either manually or by the system itself. These >> are the files/permissions from a working environment: >> >> lrwxrwxrwx. 1 root root28 Jul 8 11:34 apache-ca.pem -> >> /etc/pki/ovirt-engine/ca.pem >> -rw-r--r--. 1 root root 384 Jul 8 11:34 cacert.conf >> -rw-r--r--. 1 root root 384 Jul 8 11:34 cacert.template >> -rw-r--r--. 1 root root 384 Jul 18 20:46 cacert.template.in >> -rw-r--r--. 1 root root 4587 Jul 8 11:34 ca.pem >> -rw-r--r--. 1 root root 923 Jul 8 11:34 cert.conf >> drwxr-xr-x. 2 ovirt ovirt 4096 Jul 18 20:46 certs >> -rw-r--r--. 1 root root 923 Jul 8 11:34 cert.template >> -rw-r--r--. 1 root root 717 Jul 18 20:46 cert.template.in >> -rw-r--r--. 1 ovirt ovirt 667 Jul 8 11:42 database.txt >> -rw-r--r--. 1 ovirt ovirt 20 Jul 8 11:42 database.txt.attr >> -rw-r--r--. 1 ovirt ovirt 20 Jul 8 11:42 database.txt.attr.old >> -rw-r--r--. 1 ovirt ovirt 599 Jul 8 11:42 database.txt.old >> drwxr-xr-x. 2 root root 4096 Jul 18 20:46 keys >> -rw-r--r--. 1 root root 548 Jul 18 20:46 openssl.conf >> drwxr-x---. 2 ovirt ovirt 19 Jul 18 20:46 private >> drwxr-xr-x. 2 ovirt ovirt 4096 Jul 18 20:46 requests >> -rw-r--r--. 1 ovirt ovirt5 Jul 8 11:42 serial.txt >> -rw-r--r--. 1 ovirt ovirt5 Jul 8 11:42 serial.txt.old >> >>> >>> >>> 2016-07-19 19:08 GMT+02:00 Juan Hernández : On 07/19/2016 06:16 PM, Matt . wrote: > Can anyone confirm what max. number of subdomains can be used for a > certificate ? > > The length of 65 per subdomain should be default. > > 2016-07-19 15:06 GMT+02:00 Matt . : >> It's the fqdn indeed, not it's hostname. >> >> Fqdn should be possible I thought as discussed before in the channel >> (while ago). >> >> 2016-07-19 15:04 GMT+02:00 Yaniv Kaul : >>> >>> On Tue, Jul 19, 2016 at 3:43 PM, Matt . wrote: kvm-01.hosts.services-01.clusters.mycluster-01.dc.ovirt.subdomain.dc-01.dc.my.network >>> >>> >>> Is this the name of the host? perhaps it's a bit too long? >>> Y. Not sure if this is relevant, but I had the same problem today, and the cause was that the /etc/pki/ovirt-engine/serial.txt file was empty, and openssl refused to open it. I wrote manually a number inside, taking the value from /etc/pki/ovirt-engine/serial.txt.old (plus one), and then things started to work. -- Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L. >> >> >> -- >> Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta >> 3ºD, 28016 Madrid, Spain >> Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L. > ___ > Users mailing list > Users@ovirt.org > http://lists.ovirt.org/mailman/listinfo/users > -- Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Cannot install new host on 4.0, Certificate enrollment failed
Hi, I found out yesterday late I was looking in the certs folder for the serial, this was the issue all files are there. I need to test a shorter fqdn, which is a pity, but I wonder why it should be too long for a cert create. 2016-07-20 10:14 GMT+02:00 Juan Hernández : > On 07/19/2016 07:59 PM, Matt . wrote: >> Hi, >> >> Thanks for the heads up, I saw this in some thread too and this file >> was available here with the upcoming number. >> >> Which rightsdo the file has? >> >> I don't have a ca.pem in that cert folder anymore can that be an issue? >> > > In theory the ca.pem isn't needed to sign certificates, but the fact > that it isn't in that directory probably means that something has been > incorrectly manipulated, either manually or by the system itself. These > are the files/permissions from a working environment: > > lrwxrwxrwx. 1 root root28 Jul 8 11:34 apache-ca.pem -> > /etc/pki/ovirt-engine/ca.pem > -rw-r--r--. 1 root root 384 Jul 8 11:34 cacert.conf > -rw-r--r--. 1 root root 384 Jul 8 11:34 cacert.template > -rw-r--r--. 1 root root 384 Jul 18 20:46 cacert.template.in > -rw-r--r--. 1 root root 4587 Jul 8 11:34 ca.pem > -rw-r--r--. 1 root root 923 Jul 8 11:34 cert.conf > drwxr-xr-x. 2 ovirt ovirt 4096 Jul 18 20:46 certs > -rw-r--r--. 1 root root 923 Jul 8 11:34 cert.template > -rw-r--r--. 1 root root 717 Jul 18 20:46 cert.template.in > -rw-r--r--. 1 ovirt ovirt 667 Jul 8 11:42 database.txt > -rw-r--r--. 1 ovirt ovirt 20 Jul 8 11:42 database.txt.attr > -rw-r--r--. 1 ovirt ovirt 20 Jul 8 11:42 database.txt.attr.old > -rw-r--r--. 1 ovirt ovirt 599 Jul 8 11:42 database.txt.old > drwxr-xr-x. 2 root root 4096 Jul 18 20:46 keys > -rw-r--r--. 1 root root 548 Jul 18 20:46 openssl.conf > drwxr-x---. 2 ovirt ovirt 19 Jul 18 20:46 private > drwxr-xr-x. 2 ovirt ovirt 4096 Jul 18 20:46 requests > -rw-r--r--. 1 ovirt ovirt5 Jul 8 11:42 serial.txt > -rw-r--r--. 1 ovirt ovirt5 Jul 8 11:42 serial.txt.old > >> >> >> 2016-07-19 19:08 GMT+02:00 Juan Hernández : >>> On 07/19/2016 06:16 PM, Matt . wrote: Can anyone confirm what max. number of subdomains can be used for a certificate ? The length of 65 per subdomain should be default. 2016-07-19 15:06 GMT+02:00 Matt . : > It's the fqdn indeed, not it's hostname. > > Fqdn should be possible I thought as discussed before in the channel > (while ago). > > 2016-07-19 15:04 GMT+02:00 Yaniv Kaul : >> >> On Tue, Jul 19, 2016 at 3:43 PM, Matt . wrote: >>> >>> >>> kvm-01.hosts.services-01.clusters.mycluster-01.dc.ovirt.subdomain.dc-01.dc.my.network >> >> >> Is this the name of the host? perhaps it's a bit too long? >> Y. >>> >>> Not sure if this is relevant, but I had the same problem today, and the >>> cause was that the /etc/pki/ovirt-engine/serial.txt file was empty, and >>> openssl refused to open it. I wrote manually a number inside, taking the >>> value from /etc/pki/ovirt-engine/serial.txt.old (plus one), and then >>> things started to work. >>> >>> -- >>> Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta >>> 3ºD, 28016 Madrid, Spain >>> Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L. > > > -- > Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta > 3ºD, 28016 Madrid, Spain > Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Cannot install new host on 4.0, Certificate enrollment failed
On 07/19/2016 07:59 PM, Matt . wrote: > Hi, > > Thanks for the heads up, I saw this in some thread too and this file > was available here with the upcoming number. > > Which rightsdo the file has? > > I don't have a ca.pem in that cert folder anymore can that be an issue? > In theory the ca.pem isn't needed to sign certificates, but the fact that it isn't in that directory probably means that something has been incorrectly manipulated, either manually or by the system itself. These are the files/permissions from a working environment: lrwxrwxrwx. 1 root root28 Jul 8 11:34 apache-ca.pem -> /etc/pki/ovirt-engine/ca.pem -rw-r--r--. 1 root root 384 Jul 8 11:34 cacert.conf -rw-r--r--. 1 root root 384 Jul 8 11:34 cacert.template -rw-r--r--. 1 root root 384 Jul 18 20:46 cacert.template.in -rw-r--r--. 1 root root 4587 Jul 8 11:34 ca.pem -rw-r--r--. 1 root root 923 Jul 8 11:34 cert.conf drwxr-xr-x. 2 ovirt ovirt 4096 Jul 18 20:46 certs -rw-r--r--. 1 root root 923 Jul 8 11:34 cert.template -rw-r--r--. 1 root root 717 Jul 18 20:46 cert.template.in -rw-r--r--. 1 ovirt ovirt 667 Jul 8 11:42 database.txt -rw-r--r--. 1 ovirt ovirt 20 Jul 8 11:42 database.txt.attr -rw-r--r--. 1 ovirt ovirt 20 Jul 8 11:42 database.txt.attr.old -rw-r--r--. 1 ovirt ovirt 599 Jul 8 11:42 database.txt.old drwxr-xr-x. 2 root root 4096 Jul 18 20:46 keys -rw-r--r--. 1 root root 548 Jul 18 20:46 openssl.conf drwxr-x---. 2 ovirt ovirt 19 Jul 18 20:46 private drwxr-xr-x. 2 ovirt ovirt 4096 Jul 18 20:46 requests -rw-r--r--. 1 ovirt ovirt5 Jul 8 11:42 serial.txt -rw-r--r--. 1 ovirt ovirt5 Jul 8 11:42 serial.txt.old > > > 2016-07-19 19:08 GMT+02:00 Juan Hernández : >> On 07/19/2016 06:16 PM, Matt . wrote: >>> Can anyone confirm what max. number of subdomains can be used for a >>> certificate ? >>> >>> The length of 65 per subdomain should be default. >>> >>> 2016-07-19 15:06 GMT+02:00 Matt . : It's the fqdn indeed, not it's hostname. Fqdn should be possible I thought as discussed before in the channel (while ago). 2016-07-19 15:04 GMT+02:00 Yaniv Kaul : > > On Tue, Jul 19, 2016 at 3:43 PM, Matt . wrote: >> >> >> kvm-01.hosts.services-01.clusters.mycluster-01.dc.ovirt.subdomain.dc-01.dc.my.network > > > Is this the name of the host? perhaps it's a bit too long? > Y. >> >> Not sure if this is relevant, but I had the same problem today, and the >> cause was that the /etc/pki/ovirt-engine/serial.txt file was empty, and >> openssl refused to open it. I wrote manually a number inside, taking the >> value from /etc/pki/ovirt-engine/serial.txt.old (plus one), and then >> things started to work. >> >> -- >> Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta >> 3ºD, 28016 Madrid, Spain >> Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L. -- Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Cannot install new host on 4.0, Certificate enrollment failed
Hi, Thanks for the heads up, I saw this in some thread too and this file was available here with the upcoming number. Which rightsdo the file has? I don't have a ca.pem in that cert folder anymore can that be an issue? 2016-07-19 19:08 GMT+02:00 Juan Hernández : > On 07/19/2016 06:16 PM, Matt . wrote: >> Can anyone confirm what max. number of subdomains can be used for a >> certificate ? >> >> The length of 65 per subdomain should be default. >> >> 2016-07-19 15:06 GMT+02:00 Matt . : >>> It's the fqdn indeed, not it's hostname. >>> >>> Fqdn should be possible I thought as discussed before in the channel >>> (while ago). >>> >>> 2016-07-19 15:04 GMT+02:00 Yaniv Kaul : On Tue, Jul 19, 2016 at 3:43 PM, Matt . wrote: > > > kvm-01.hosts.services-01.clusters.mycluster-01.dc.ovirt.subdomain.dc-01.dc.my.network Is this the name of the host? perhaps it's a bit too long? Y. > > Not sure if this is relevant, but I had the same problem today, and the > cause was that the /etc/pki/ovirt-engine/serial.txt file was empty, and > openssl refused to open it. I wrote manually a number inside, taking the > value from /etc/pki/ovirt-engine/serial.txt.old (plus one), and then > things started to work. > > -- > Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta > 3ºD, 28016 Madrid, Spain > Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Cannot install new host on 4.0, Certificate enrollment failed
On 07/19/2016 06:16 PM, Matt . wrote: > Can anyone confirm what max. number of subdomains can be used for a > certificate ? > > The length of 65 per subdomain should be default. > > 2016-07-19 15:06 GMT+02:00 Matt . : >> It's the fqdn indeed, not it's hostname. >> >> Fqdn should be possible I thought as discussed before in the channel >> (while ago). >> >> 2016-07-19 15:04 GMT+02:00 Yaniv Kaul : >>> >>> On Tue, Jul 19, 2016 at 3:43 PM, Matt . wrote: kvm-01.hosts.services-01.clusters.mycluster-01.dc.ovirt.subdomain.dc-01.dc.my.network >>> >>> >>> Is this the name of the host? perhaps it's a bit too long? >>> Y. Not sure if this is relevant, but I had the same problem today, and the cause was that the /etc/pki/ovirt-engine/serial.txt file was empty, and openssl refused to open it. I wrote manually a number inside, taking the value from /etc/pki/ovirt-engine/serial.txt.old (plus one), and then things started to work. -- Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Cannot install new host on 4.0, Certificate enrollment failed
Can anyone confirm what max. number of subdomains can be used for a certificate ? The length of 65 per subdomain should be default. 2016-07-19 15:06 GMT+02:00 Matt . : > It's the fqdn indeed, not it's hostname. > > Fqdn should be possible I thought as discussed before in the channel > (while ago). > > 2016-07-19 15:04 GMT+02:00 Yaniv Kaul : >> >> On Tue, Jul 19, 2016 at 3:43 PM, Matt . wrote: >>> >>> >>> kvm-01.hosts.services-01.clusters.mycluster-01.dc.ovirt.subdomain.dc-01.dc.my.network >> >> >> Is this the name of the host? perhaps it's a bit too long? >> Y. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Cannot install new host on 4.0, Certificate enrollment failed
It's the fqdn indeed, not it's hostname. Fqdn should be possible I thought as discussed before in the channel (while ago). 2016-07-19 15:04 GMT+02:00 Yaniv Kaul : > > On Tue, Jul 19, 2016 at 3:43 PM, Matt . wrote: >> >> >> kvm-01.hosts.services-01.clusters.mycluster-01.dc.ovirt.subdomain.dc-01.dc.my.network > > > Is this the name of the host? perhaps it's a bit too long? > Y. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users