Re: [Users] ovirt-engine certs

2014-03-11 Thread Alon Bar-Lev

3.1 upgrade was never actually supported if I remember correctly, so you may 
experience other issues as well.

But you can try the following sequence:

1. Move all hosts into maintenance via webadmin.

2. Stop ovirt-engine.

3. Back up your computer and database.

4. Remove /etc/pki/ovirt-engine/ca.pem

5. Run engine-setup.

6. Set new administrator password:

# engine-config -s AdminPassword=interactive

7. Restart ovirt-engine

8. Re-install all hosts via webadmin.

- Original Message -
 From: Thomas Scofield tscofi...@gmail.com
 To: users users@ovirt.org
 Sent: Tuesday, March 11, 2014 7:13:27 AM
 Subject: [Users] ovirt-engine certs
 
 
 
 How can I regenerate the ovirt engine CA certs and corresponding vdsm certs?
 I have an ovirt setup that I’m upgrading from 3.2.0 (from the dre repos) to
 3.2.3 and I am getting the certificate errors listed below after the
 upgrade. I have done this same upgrade on a number of other ovirt-engines
 with no issue. The setup had originally been installed with ovirt 3.1 so it
 is possible that some of the certificate configurations from 3.1 are still
 present on this ovirt-engine and it is contributing to the problem. For
 example, I noticed that the /etc/pki/ovirt-engine/cacert.conf file on this
 troublesome upgrade has “default_bits = rsa:1024”, but the systems that
 upgraded successfully have “default_bits = rsa:2048”. The same is true for
 the cert.conf file.
 
 
 
 Engine.log
 
 2014-03-10 17:10:28,954 ERROR
 [org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo]
 (DefaultQuartzScheduler_Worker-2) vds::refreshVdsStats Failed getVdsStats,
 vds = a7459d21-b5a6-4330-9897-f2018c9a1776 : vm1, error =
 VDSNetworkException: javax.net.ssl.SSLHandshakeException: Received fatal
 alert: bad_certificate
 
 
 
 Vdsm.log
 
 BindingXMLRPC::ERROR::2014-03-10
 20:58:00,871::SecureXMLRPCServer::97::root::(verify) invalid client
 certificate with subject /C=US/O=example.com/CN=CA-ovirt1.example.com.30758
 
 
 BindingXMLRPC::ERROR::2014-03-10
 20:58:00,872::BindingXMLRPC::72::vds::(threaded_start) xml-rpc handler
 exception
 
 Traceback (most recent call last):
   File "/usr/share/vdsm/BindingXMLRPC.py", line 68, in threaded_start
     self.server.handle_request()
   File "/usr/lib64/python2.6/SocketServer.py", line 268, in handle_request
     self._handle_request_noblock()
   File "/usr/lib64/python2.6/SocketServer.py", line 278, in _handle_request_noblock
     request, client_address = self.get_request()
   File "/usr/lib64/python2.6/SocketServer.py", line 446, in get_request
     return self.socket.accept()
   File "/usr/lib64/python2.6/site-packages/vdsm/SecureXMLRPCServer.py", line 116, in accept
     client, address = self.connection.accept()
   File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 167, in accept
     ssl.accept_ssl()
   File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 156, in accept_ssl
     return m2.ssl_accept(self.ssl, self._timeout)
 SSLError: no certificate returned
 
 ___
 Users mailing list
 Users@ovirt.org
 http://lists.ovirt.org/mailman/listinfo/users
 


[Users] ovirt-engine certs

2014-03-10 Thread Thomas Scofield
How can I regenerate the ovirt engine CA certs and corresponding vdsm
certs?  I have an ovirt setup that I'm upgrading from 3.2.0 (from the dre
repos) to 3.2.3 and I am getting the certificate errors listed below after
the upgrade.  I have done this same upgrade on a number of other
ovirt-engines with no issue.  The setup had originally been installed with
ovirt 3.1 so it is possible that some of the certificate configurations from
3.1 are still present on this ovirt-engine and it is contributing to the
problem.  For example, I noticed that the /etc/pki/ovirt-engine/cacert.conf
file on this troublesome upgrade has default_bits = rsa:1024, but the
systems that upgraded successfully have default_bits = rsa:2048.  The
same is true for the cert.conf file.



Engine.log

2014-03-10 17:10:28,954 ERROR
[org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo]
(DefaultQuartzScheduler_Worker-2) vds::refreshVdsStats Failed getVdsStats,
vds = a7459d21-b5a6-4330-9897-f2018c9a1776 : vm1, error =
VDSNetworkException: javax.net.ssl.SSLHandshakeException: Received fatal
alert: bad_certificate



Vdsm.log

BindingXMLRPC::ERROR::2014-03-10
20:58:00,871::SecureXMLRPCServer::97::root::(verify) invalid client
certificate with subject /C=US/O=example.com/CN=CA-ovirt1.example.com.30758


BindingXMLRPC::ERROR::2014-03-10
20:58:00,872::BindingXMLRPC::72::vds::(threaded_start) xml-rpc handler
exception

Traceback (most recent call last):
  File "/usr/share/vdsm/BindingXMLRPC.py", line 68, in threaded_start
    self.server.handle_request()
  File "/usr/lib64/python2.6/SocketServer.py", line 268, in handle_request
    self._handle_request_noblock()
  File "/usr/lib64/python2.6/SocketServer.py", line 278, in _handle_request_noblock
    request, client_address = self.get_request()
  File "/usr/lib64/python2.6/SocketServer.py", line 446, in get_request
    return self.socket.accept()
  File "/usr/lib64/python2.6/site-packages/vdsm/SecureXMLRPCServer.py", line 116, in accept
    client, address = self.connection.accept()
  File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 167, in accept
    ssl.accept_ssl()
  File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 156, in accept_ssl
    return m2.ssl_accept(self.ssl, self._timeout)
SSLError: no certificate returned
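
Added example, not part of the original thread and not oVirt's own tooling: a shell sketch using the openssl CLI that reads the RSA key size from a CA certificate (the 1024 vs 2048 difference noted in the question) and shows that a certificate issued by an old CA no longer verifies once the CA has been regenerated. All file names and subjects are constructed for the demo in a temporary directory.

```shell
#!/bin/sh
# Added illustration: every file name and subject below is constructed.

# Print the RSA key size, in bits, of the public key in PEM certificate $1.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeed only if certificate $2 verifies against the CA certificate $1.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway PKI in directory $1: an "old" 1024-bit CA, a host
# certificate issued by it, and a regenerated 2048-bit "new" CA.
make_demo_pki() {
    (
        cd "$1" &&
        openssl req -x509 -newkey rsa:1024 -nodes -days 30 \
            -subj "/O=example.com/CN=demo-old-ca" \
            -keyout old-ca.key -out old-ca.pem &&
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/O=example.com/CN=demo-new-ca" \
            -keyout new-ca.key -out new-ca.pem &&
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/O=example.com/CN=host1.example.com" \
            -keyout host.key -out host.csr &&
        openssl x509 -req -in host.csr -days 30 -CAcreateserial \
            -CA old-ca.pem -CAkey old-ca.key -out host.pem
    ) >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" || { echo "openssl failed" >&2; exit 1; }
for ca in old-ca new-ca; do
    printf '%s: %s-bit key, host cert ' "$ca" "$(cert_key_bits "$demo_dir/$ca.pem")"
    if chains_to "$demo_dir/$ca.pem" "$demo_dir/host.pem"; then
        echo "verifies"
    else
        echo "does NOT verify"
    fi
done
rm -rf "$demo_dir"
```

On an engine, cert_key_bits can be pointed at /etc/pki/ovirt-engine/ca.pem to read the key size of the CA certificate actually in use.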