[ovirt-users] Re: Changing certificates for oVirt 4.3.5

2019-09-28 Thread TomK

On 9/26/2019 6:44 AM, TomK wrote:

On 9/26/2019 3:58 AM, Yedidyah Bar David wrote:

On Thu, Sep 26, 2019 at 3:19 AM TomK  wrote:


Hey All,

Would anyone have a more recent wiki on changing all certificates,
including VDSM ones?

Have this page but it's for version 3.

https://access.redhat.com/solutions/2409751


I wasn't aware of this page. It's quite old, but mostly correct.
However, if you do not mind host downtime, it's much easier to re-enroll
certificates for all hosts, instead of the manual steps mentioned there
(that are quite old, perhaps not up-to-date).



Thinking the process didn't change much but wanted to ask if there's
anything more recent floating around.


I am not aware of anything specifically doing what you want.

Related pages you might want to check:

1. Section "Replacing SHA-1 Certificates with SHA-256 Certificates" of:

https://www.ovirt.org/documentation/upgrade-guide/chap-Post-Upgrade_Tasks.html 



2. Only now I noticed that it does not mention the option --san for
setting SubjectAltName. It does appear here:

https://www.ovirt.org/documentation/admin-guide/chap-Utilities.html

See also:

https://www.ovirt.org/develop/release-management/features/infra/pki-renew.html 



So I guess (didn't try recently) that if you follow the existing procedures
and generate pki without --san, a later engine-setup will prompt you to renew.


Best regards,



Thought I ran that though I probably didn't select the renew all option. 
  However, it did not renew the VDSM one:


[root@ovirt01 ovirt-engine]# engine-setup
[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
   Configuration files: 
['/etc/ovirt-engine-setup.conf.d/10-packaging-jboss.conf', 
'/etc/ovirt-engine-setup.conf.d/10-packaging.conf', 
'/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf']
   Log file: 
/var/log/ovirt-engine/setup/ovirt-engine-setup-20190926062007-ysyb9p.log

   Version: otopi-1.8.3 (otopi-1.8.3-1.el7)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment setup (late)
[ INFO  ] Stage: Environment customization

   --== PRODUCT OPTIONS ==--

[ INFO  ] ovirt-provider-ovn already installed, skipping.

   --== PACKAGES ==--

[ INFO  ] Checking for product updates...
[ INFO  ] No product updates found

   --== NETWORK CONFIGURATION ==--

   Setup can automatically configure the firewall on this system.
   Note: automatic configuration of the firewall may overwrite 
current settings.
   NOTICE: iptables is deprecated and will be removed in future 
releases
   Do you want Setup to configure the firewall? (Yes, No) [Yes]: 
[ ERROR ] Invalid value
   Do you want Setup to configure the firewall? (Yes, No) [Yes]: 
[ ERROR ] Invalid value
   Do you want Setup to configure the firewall? (Yes, No) [Yes]: 
[ ERROR ] Invalid value
   Do you want Setup to configure the firewall? (Yes, No) [Yes]: 
[ ERROR ] Invalid value
   Do you want Setup to configure the firewall? (Yes, No) [Yes]: 
[ ERROR ] Invalid value
   Do you want Setup to configure the firewall? (Yes, No) [Yes]: 
[ ERROR ] Invalid value
   Do you want Setup to configure the firewall? (Yes, No) [Yes]: 
[ ERROR ] Invalid value

   Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ INFO  ] firewalld will be configured as firewall manager.

   --== DATABASE CONFIGURATION ==--

   The detected DWH database size is 48 MB.
   Setup can backup the existing database. The time and space 
required for the database backup depend on its size. This process takes 
time, and in some cases (for instance, when the size is few GBs) may 
take several hours to complete.
   If you choose to not back up the database, and Setup later 
fails for some reason, it will not be able to restore the database and 
all DWH data will be lost.
   Would you like to backup the existing database before 
upgrading it? (Yes, No) [Yes]:

   Perform full vacuum on the oVirt engine history
   database ovirt_engine_history@localhost?
   This operation may take a while depending on this setup 
health and the

   configuration of the db vacuum process.
   See https://www.postgresql.org/docs/10/sql-vacuum.html
   (Yes, No) [No]:

   --== OVIRT ENGINE CONFIGURATION ==--

   Perform full vacuum on the engine database engine@localhost?
   This operation may take a while depending on this setup 
health and the

   configuration of the db vacuum process.
   See https://www.postgresql.org/docs/10/sql-vacuum.html
   (Yes, No) [No]:

   --== STORAGE CONFIGURATION ==--


   --== PKI CONFIGURATION ==--

   One or 

[ovirt-users] Re: Changing certificates for oVirt 4.3.5

2019-09-26 Thread TomK

On 9/26/2019 3:58 AM, Yedidyah Bar David wrote:

> On Thu, Sep 26, 2019 at 3:19 AM TomK wrote:
> >
> > Hey All,
> >
> > Would anyone have a more recent wiki on changing all certificates,
> > including VDSM ones?
> >
> > Have this page but it's for version 3.
> >
> > https://access.redhat.com/solutions/2409751
>
> I wasn't aware of this page. It's quite old, but mostly correct.
> However, if you do not mind host downtime, it's much easier to re-enroll
> certificates for all hosts, instead of the manual steps mentioned there
> (that are quite old, perhaps not up-to-date).
>
> >
> > Thinking the process didn't change much but wanted to ask if there's
> > anything more recent floating around.
>
> I am not aware of anything specifically doing what you want.
>
> Related pages you might want to check:
>
> 1. Section "Replacing SHA-1 Certificates with SHA-256 Certificates" of:
>
> https://www.ovirt.org/documentation/upgrade-guide/chap-Post-Upgrade_Tasks.html
>
> 2. Only now I noticed that it does not mention the option --san for
> setting SubjectAltName. It does appear here:
>
> https://www.ovirt.org/documentation/admin-guide/chap-Utilities.html
>
> See also:
>
> https://www.ovirt.org/develop/release-management/features/infra/pki-renew.html
>
> So I guess (didn't try recently) that if you follow the existing procedures
> and generate pki without --san, a later engine-setup will prompt you to renew.
>
> Best regards,



Thought I ran that though I probably didn't select the renew all option. 
 However, it did not renew the VDSM one:


[root@ovirt01 ovirt-engine]# engine-setup
[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
  Configuration files: 
['/etc/ovirt-engine-setup.conf.d/10-packaging-jboss.conf', 
'/etc/ovirt-engine-setup.conf.d/10-packaging.conf', 
'/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf']
  Log file: 
/var/log/ovirt-engine/setup/ovirt-engine-setup-20190926062007-ysyb9p.log

  Version: otopi-1.8.3 (otopi-1.8.3-1.el7)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment setup (late)
[ INFO  ] Stage: Environment customization

  --== PRODUCT OPTIONS ==--

[ INFO  ] ovirt-provider-ovn already installed, skipping.

  --== PACKAGES ==--

[ INFO  ] Checking for product updates...
[ INFO  ] No product updates found

  --== NETWORK CONFIGURATION ==--

  Setup can automatically configure the firewall on this system.
  Note: automatic configuration of the firewall may overwrite 
current settings.
  NOTICE: iptables is deprecated and will be removed in future 
releases
  Do you want Setup to configure the firewall? (Yes, No) [Yes]: 
[ ERROR ] Invalid value
  Do you want Setup to configure the firewall? (Yes, No) [Yes]: 
[ ERROR ] Invalid value
  Do you want Setup to configure the firewall? (Yes, No) [Yes]: 
[ ERROR ] Invalid value
  Do you want Setup to configure the firewall? (Yes, No) [Yes]: 
[ ERROR ] Invalid value
  Do you want Setup to configure the firewall? (Yes, No) [Yes]: 
[ ERROR ] Invalid value
  Do you want Setup to configure the firewall? (Yes, No) [Yes]: 
[ ERROR ] Invalid value
  Do you want Setup to configure the firewall? (Yes, No) [Yes]: 
[ ERROR ] Invalid value

  Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ INFO  ] firewalld will be configured as firewall manager.

  --== DATABASE CONFIGURATION ==--

  The detected DWH database size is 48 MB.
  Setup can backup the existing database. The time and space 
required for the database backup depend on its size. This process takes 
time, and in some cases (for instance, when the size is few GBs) may 
take several hours to complete.
  If you choose to not back up the database, and Setup later 
fails for some reason, it will not be able to restore the database and 
all DWH data will be lost.
  Would you like to backup the existing database before 
upgrading it? (Yes, No) [Yes]:

  Perform full vacuum on the oVirt engine history
  database ovirt_engine_history@localhost?
  This operation may take a while depending on this setup 
health and the

  configuration of the db vacuum process.
  See https://www.postgresql.org/docs/10/sql-vacuum.html
  (Yes, No) [No]:

  --== OVIRT ENGINE CONFIGURATION ==--

  Perform full vacuum on the engine database engine@localhost?
  This operation may take a while depending on this setup 
health and the

  configuration of the db vacuum process.
  See https://www.postgresql.org/docs/10/sql-vacuum.html
  (Yes, No) [No]:

  --== STORAGE CONFIGURATION ==--


  --== PKI CONFIGURATION ==--

  One or more of the certificates should be renewed, because 
they expire soon, or include an 

[ovirt-users] Re: Changing certificates for oVirt 4.3.5

2019-09-26 Thread Yedidyah Bar David
On Thu, Sep 26, 2019 at 3:19 AM TomK  wrote:
>
> Hey All,
>
> Would anyone have a more recent wiki on changing all certificates,
> including VDSM ones?
>
> Have this page but it's for version 3.
>
> https://access.redhat.com/solutions/2409751

I wasn't aware of this page. It's quite old, but mostly correct.
However, if you do not mind host downtime, it's much easier to re-enroll
certificates for all hosts, instead of the manual steps mentioned there
(that are quite old, perhaps not up-to-date).

>
> Thinking the process didn't change much but wanted to ask if there's
> anything more recent floating around.

I am not aware of anything specifically doing what you want.

Related pages you might want to check:

1. Section "Replacing SHA-1 Certificates with SHA-256 Certificates" of:

https://www.ovirt.org/documentation/upgrade-guide/chap-Post-Upgrade_Tasks.html

2. Only now I noticed that it does not mention the option --san for
setting SubjectAltName. It does appear here:

https://www.ovirt.org/documentation/admin-guide/chap-Utilities.html

See also:

https://www.ovirt.org/develop/release-management/features/infra/pki-renew.html

So I guess (didn't try recently) that if you follow the existing procedures
and generate pki without --san, a later engine-setup will prompt you to renew.

Best regards,
-- 
Didi
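
A check for the certificate properties this thread mentions (SHA-1 signature, missing SubjectAltName, upcoming expiry), as an added example that is not from the thread or the oVirt project. It parses `openssl x509 -noout -text` output; the sample excerpts, the function names and the 60-day window are assumptions, not engine-setup's own logic or threshold.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed excerpts of `openssl x509 -noout -text` output (not real certificates).
OLD_CERT_TEXT = """\
    Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not After : Oct 20 10:20:07 2019 GMT
        Subject: O=example.test, CN=host1.example.test
"""
NEW_CERT_TEXT = """\
    Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not After : Sep  1 10:20:07 2024 GMT
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:host1.example.test
"""

def renewal_reasons(cert_text, now, soon=timedelta(days=60)):
    """List the reasons this certificate should be re-issued (empty list = fine)."""
    reasons = []
    alg = re.search(r"Signature Algorithm:\s*(\S+)", cert_text)
    if alg and "sha1" in alg.group(1).lower():
        reasons.append("sha1-signature")
    if "X509v3 Subject Alternative Name" not in cert_text:
        reasons.append("no-subjectAltName")
    end = re.search(r"Not After\s*:\s*(.+?)\s*GMT", cert_text)
    if end is None:
        reasons.append("expiry-not-found")
    else:
        # openssl pads single-digit days with a space; strptime accepts that.
        not_after = datetime.strptime(end.group(1), "%b %d %H:%M:%S %Y")
        if not_after <= now:
            reasons.append("expired")
        elif not_after - now <= soon:  # "soon" window is an assumed value
            reasons.append("expires-soon")
    return reasons

def audit_file(pem_path, now=None):
    """Run the same check on a PEM file; requires the openssl CLI."""
    text = subprocess.run(["openssl", "x509", "-in", pem_path, "-noout", "-text"],
                          capture_output=True, text=True, check=True).stdout
    return renewal_reasons(text, now or datetime.now(timezone.utc).replace(tzinfo=None))

if __name__ == "__main__":
    today = datetime(2019, 9, 26)  # fixed date so the demo output is repeatable
    print(renewal_reasons(OLD_CERT_TEXT, today))
    print(renewal_reasons(NEW_CERT_TEXT, today))
```

Running `audit_file` over each engine and host certificate before and after re-enrollment shows which ones were actually re-issued.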