[ovirt-users] Re: Changing certificates for oVirt 4.3.5
On 9/26/2019 6:44 AM, TomK wrote:
> On 9/26/2019 3:58 AM, Yedidyah Bar David wrote:
> > On Thu, Sep 26, 2019 at 3:19 AM TomK wrote:
> > >
> > > Hey All,
> > >
> > > Would anyone have a more recent wiki on changing all certificates,
> > > including VDSM ones?
> > >
> > > Have this page but it's for version 3.
> > >
> > > https://access.redhat.com/solutions/2409751
> >
> > I wasn't aware of this page. It's quite old, but mostly correct.
> >
> > However, if you do not mind host downtime, it's much easier to re-enroll certificates for all hosts, instead of the manual steps mentioned there (that are quite old, perhaps not up-to-date).
> >
> > >
> > > Thinking the process didn't change much but wanted to ask if there's
> > > anything more recent floating around.
> >
> > I am not aware of anything specifically doing what you want.
> >
> > Related pages you might want to check:
> >
> > 1. Section "Replacing SHA-1 Certificates with SHA-256 Certificates" of:
> > https://www.ovirt.org/documentation/upgrade-guide/chap-Post-Upgrade_Tasks.html
> >
> > 2. Only now I noticed that it does not mention the option --san for setting SubjectAltName. It does appear here:
> > https://www.ovirt.org/documentation/admin-guide/chap-Utilities.html
> >
> > See also:
> > https://www.ovirt.org/develop/release-management/features/infra/pki-renew.html
> >
> > So I guess (didn't try recently) that if you follow the existing procedures and generate pki without --san, a later engine-setup will prompt you to renew.
> >
> > Best regards,
>
> Thought I ran that though I probably didn't select the renew all option.
>
> However, it did not renew the VDSM one:
>
> [root@ovirt01 ovirt-engine]# engine-setup
> [ INFO ] Stage: Initializing
> [ INFO ] Stage: Environment setup
> Configuration files: ['/etc/ovirt-engine-setup.conf.d/10-packaging-jboss.conf', '/etc/ovirt-engine-setup.conf.d/10-packaging.conf', '/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf']
> Log file: /var/log/ovirt-engine/setup/ovirt-engine-setup-20190926062007-ysyb9p.log
> Version: otopi-1.8.3 (otopi-1.8.3-1.el7)
> [ INFO ] Stage: Environment packages setup
> [ INFO ] Stage: Programs detection
> [ INFO ] Stage: Environment setup (late)
> [ INFO ] Stage: Environment customization
>
> --== PRODUCT OPTIONS ==--
>
> [ INFO ] ovirt-provider-ovn already installed, skipping.
>
> --== PACKAGES ==--
>
> [ INFO ] Checking for product updates...
> [ INFO ] No product updates found
>
> --== NETWORK CONFIGURATION ==--
>
> Setup can automatically configure the firewall on this system.
> Note: automatic configuration of the firewall may overwrite current settings.
> NOTICE: iptables is deprecated and will be removed in future releases
> Do you want Setup to configure the firewall? (Yes, No) [Yes]:
> [ ERROR ] Invalid value
> Do you want Setup to configure the firewall? (Yes, No) [Yes]:
> [ ERROR ] Invalid value
> Do you want Setup to configure the firewall? (Yes, No) [Yes]:
> [ ERROR ] Invalid value
> Do you want Setup to configure the firewall? (Yes, No) [Yes]:
> [ ERROR ] Invalid value
> Do you want Setup to configure the firewall? (Yes, No) [Yes]:
> [ ERROR ] Invalid value
> Do you want Setup to configure the firewall? (Yes, No) [Yes]:
> [ ERROR ] Invalid value
> Do you want Setup to configure the firewall? (Yes, No) [Yes]:
> [ ERROR ] Invalid value
> Do you want Setup to configure the firewall? (Yes, No) [Yes]:
> [ INFO ] firewalld will be configured as firewall manager.
>
> --== DATABASE CONFIGURATION ==--
>
> The detected DWH database size is 48 MB.
> Setup can backup the existing database. The time and space required for the database backup depend on its size. This process takes time, and in some cases (for instance, when the size is few GBs) may take several hours to complete.
> If you choose to not back up the database, and Setup later fails for some reason, it will not be able to restore the database and all DWH data will be lost.
> Would you like to backup the existing database before upgrading it? (Yes, No) [Yes]:
> Perform full vacuum on the oVirt engine history database ovirt_engine_history@localhost?
> This operation may take a while depending on this setup health and the configuration of the db vacuum process.
> See https://www.postgresql.org/docs/10/sql-vacuum.html
> (Yes, No) [No]:
>
> --== OVIRT ENGINE CONFIGURATION ==--
>
> Perform full vacuum on the engine database engine@localhost?
> This operation may take a while depending on this setup health and the configuration of the db vacuum process.
> See https://www.postgresql.org/docs/10/sql-vacuum.html
> (Yes, No) [No]:
>
> --== STORAGE CONFIGURATION ==--
>
> --== PKI CONFIGURATION ==--
>
> One or
[ovirt-users] Re: Changing certificates for oVirt 4.3.5
On 9/26/2019 3:58 AM, Yedidyah Bar David wrote:
> On Thu, Sep 26, 2019 at 3:19 AM TomK wrote:
> >
> > Hey All,
> >
> > Would anyone have a more recent wiki on changing all certificates,
> > including VDSM ones?
> >
> > Have this page but it's for version 3.
> >
> > https://access.redhat.com/solutions/2409751
>
> I wasn't aware of this page. It's quite old, but mostly correct.
>
> However, if you do not mind host downtime, it's much easier to re-enroll certificates for all hosts, instead of the manual steps mentioned there (that are quite old, perhaps not up-to-date).
>
> >
> > Thinking the process didn't change much but wanted to ask if there's
> > anything more recent floating around.
>
> I am not aware of anything specifically doing what you want.
>
> Related pages you might want to check:
>
> 1. Section "Replacing SHA-1 Certificates with SHA-256 Certificates" of:
> https://www.ovirt.org/documentation/upgrade-guide/chap-Post-Upgrade_Tasks.html
>
> 2. Only now I noticed that it does not mention the option --san for setting SubjectAltName. It does appear here:
> https://www.ovirt.org/documentation/admin-guide/chap-Utilities.html
>
> See also:
> https://www.ovirt.org/develop/release-management/features/infra/pki-renew.html
>
> So I guess (didn't try recently) that if you follow the existing procedures and generate pki without --san, a later engine-setup will prompt you to renew.
>
> Best regards,

Thought I ran that though I probably didn't select the renew all option.

However, it did not renew the VDSM one:

[root@ovirt01 ovirt-engine]# engine-setup
[ INFO ] Stage: Initializing
[ INFO ] Stage: Environment setup
Configuration files: ['/etc/ovirt-engine-setup.conf.d/10-packaging-jboss.conf', '/etc/ovirt-engine-setup.conf.d/10-packaging.conf', '/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf']
Log file: /var/log/ovirt-engine/setup/ovirt-engine-setup-20190926062007-ysyb9p.log
Version: otopi-1.8.3 (otopi-1.8.3-1.el7)
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment setup (late)
[ INFO ] Stage: Environment customization

--== PRODUCT OPTIONS ==--

[ INFO ] ovirt-provider-ovn already installed, skipping.

--== PACKAGES ==--

[ INFO ] Checking for product updates...
[ INFO ] No product updates found

--== NETWORK CONFIGURATION ==--

Setup can automatically configure the firewall on this system.
Note: automatic configuration of the firewall may overwrite current settings.
NOTICE: iptables is deprecated and will be removed in future releases
Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ ERROR ] Invalid value
Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ ERROR ] Invalid value
Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ ERROR ] Invalid value
Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ ERROR ] Invalid value
Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ ERROR ] Invalid value
Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ ERROR ] Invalid value
Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ ERROR ] Invalid value
Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ INFO ] firewalld will be configured as firewall manager.

--== DATABASE CONFIGURATION ==--

The detected DWH database size is 48 MB.
Setup can backup the existing database. The time and space required for the database backup depend on its size. This process takes time, and in some cases (for instance, when the size is few GBs) may take several hours to complete.
If you choose to not back up the database, and Setup later fails for some reason, it will not be able to restore the database and all DWH data will be lost.
Would you like to backup the existing database before upgrading it? (Yes, No) [Yes]:
Perform full vacuum on the oVirt engine history database ovirt_engine_history@localhost?
This operation may take a while depending on this setup health and the configuration of the db vacuum process.
See https://www.postgresql.org/docs/10/sql-vacuum.html
(Yes, No) [No]:

--== OVIRT ENGINE CONFIGURATION ==--

Perform full vacuum on the engine database engine@localhost?
This operation may take a while depending on this setup health and the configuration of the db vacuum process.
See https://www.postgresql.org/docs/10/sql-vacuum.html
(Yes, No) [No]:

--== STORAGE CONFIGURATION ==--

--== PKI CONFIGURATION ==--

One or more of the certificates should be renewed, because they expire soon, or include an
[ovirt-users] Re: Changing certificates for oVirt 4.3.5
On Thu, Sep 26, 2019 at 3:19 AM TomK wrote:
>
> Hey All,
>
> Would anyone have a more recent wiki on changing all certificates,
> including VDSM ones?
>
> Have this page but it's for version 3.
>
> https://access.redhat.com/solutions/2409751

I wasn't aware of this page. It's quite old, but mostly correct.

However, if you do not mind host downtime, it's much easier to re-enroll certificates for all hosts, instead of the manual steps mentioned there (that are quite old, perhaps not up-to-date).

>
> Thinking the process didn't change much but wanted to ask if there's
> anything more recent floating around.

I am not aware of anything specifically doing what you want.

Related pages you might want to check:

1. Section "Replacing SHA-1 Certificates with SHA-256 Certificates" of:
https://www.ovirt.org/documentation/upgrade-guide/chap-Post-Upgrade_Tasks.html

2. Only now I noticed that it does not mention the option --san for setting SubjectAltName. It does appear here:
https://www.ovirt.org/documentation/admin-guide/chap-Utilities.html

See also:
https://www.ovirt.org/develop/release-management/features/infra/pki-renew.html

So I guess (didn't try recently) that if you follow the existing procedures and generate pki without --san, a later engine-setup will prompt you to renew.

Best regards,
--
Didi
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/WLMTBSK2XQNKWVLZZVPBM6PAZWUBVKRA/
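
An independent way to confirm whether a given certificate was actually replaced after a renewal attempt like the one in this thread, added here as an example (not code from the posters or the oVirt project, and not engine-setup's own renewal logic): it reports a SHA-1/MD5 signature, a missing SubjectAltName and near expiry. The function names, the 30-day default and the self-signed sample certificates are assumptions constructed for the demo; point `audit_cert` at the PEM file you want to inspect.

```sh
#!/bin/sh
# Added example: audit a PEM certificate for SHA-1/MD5 signature,
# missing SubjectAltName and near expiry. Names and defaults are assumptions.

# weak_sig ALG: succeeds when the signature algorithm name uses SHA-1 or MD5
weak_sig() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha1*|*md5*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_cert PEM [DAYS]: prints space-separated findings, or "ok"
audit_cert() {
    pem=$1; days=${2:-30}; findings=""
    text=$(openssl x509 -in "$pem" -noout -text) || { echo "unreadable"; return 2; }
    # First "Signature Algorithm:" line, e.g. sha256WithRSAEncryption
    alg=$(printf '%s\n' "$text" | awk '/Signature Algorithm:/ {print $3; exit}')
    weak_sig "$alg" && findings="$findings weak-signature($alg)"
    printf '%s\n' "$text" | grep -q 'Subject Alternative Name' \
        || findings="$findings no-subjectAltName"
    # -checkend exits non-zero if the certificate expires within N seconds
    openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null \
        || findings="$findings expires-within-${days}d"
    if [ -z "$findings" ]; then echo "ok"; else echo "${findings# }"; fi
}

# make_sample OUT DAYS [SAN]: constructed self-signed certificate for the demo
make_sample() {
    out=$1; days=$2; san=$3
    set -- req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=host.example.test" -keyout "$out.key" -out "$out"
    [ -n "$san" ] && set -- "$@" -addext "subjectAltName=$san"
    openssl "$@" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample "$tmp/stale.pem" 10
make_sample "$tmp/fresh.pem" 365 "DNS:host.example.test"
echo "stale: $(audit_cert "$tmp/stale.pem")"
echo "fresh: $(audit_cert "$tmp/fresh.pem")"
```

Running the same audit before and after engine-setup or a host re-enrollment shows whether the findings actually cleared for that certificate.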