[ovirt-users] Re: How-to get oVirt host certificated date

2022-01-14 Thread Konstantin Shalygin
Sandro, the main point is: "admin enrolls a new cert, but the engine spams the log that the cert will expire"

Checking the host cert via Martin's snippet: the cert was deployed on Jan 10 2022

[root@control1 ovirt-engine]# openssl s_client -showcerts -connect 192.168.101.16:54321 | openssl x509 -text -noout | grep -A2 Validity
Can't use SSL_get_servername
depth=1 C = US, O = opentech.local, CN = control1.opentech.local.54279
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = US, O = opentech.local, CN = control1.opentech.local.54279
verify return:1
depth=0 O = opentech.local, CN = 192.168.101.16
verify return:1
140358921414464:error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:ssl/record/rec_layer_s3.c:1543:SSL alert number 116
Validity
Not Before: Jan 10 16:57:10 2022 GMT
Not After : Feb 13 16:57:10 2023 GMT


But the engine "doesn't see these changes" on 12 Jan, 13 Jan

[root@control1 ovirt-engine]# gunzip -c *\.gz | ack 'certification is about to expire' | grep ovirt-host6 | awk '{print $1 " " $2 " "  $10}'
2022-01-11 20:57:33,890+07 ovirt-host6.opentech.local
2022-01-12 20:57:33,925+07 ovirt-host6.opentech.local
2022-01-13 20:57:33,958+07 ovirt-host6.opentech.local


Yesterday I restarted ovirt-engine; now these alerts are gone.
The certificate enrolling routine should be documented.

Thanks,
k

> On 14 Jan 2022, at 11:48, Sandro Bonazzola  wrote:
> 
> Martin, is this something which can fit in oVirt administration documentation?
> Konstantin, what's the purpose of getting the certificate's dates?

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/TWKYIZK3VHKHZKAVG4PL7KVGHNV47AHN/


[ovirt-users] Re: How-to get oVirt host certificated date

2022-01-14 Thread Konstantin Shalygin
Thanks Martin!!!

> On 14 Jan 2022, at 11:45, Martin Perina  wrote:
> 
> Hi,
> 
> host certificates are not saved anywhere in the engine database, you need to 
> go to the host itself to find out the expiration date. There are 2 options: 
> 
> 1. Directly on the host after connecting via SSH you can run below
> # openssl x509 -text -noout -in /etc/pki/vdsm/certs/vdsmcert.pem | grep -A2 Validity
> 
> 2. Remotely using openssl you can run below
> # openssl s_client -showcerts -connect <host>:54321 | openssl x509 -text -noout | grep -A2 Validity
> 
> 
> ovirt-engine performs certificate checks every day (can be configured using 
> engine-config option CertificationValidityCheckTimeInHours) and it checks not 
> only hosts certificates, but also the engine certificate and the engine CA 
> certificate. This check produces following records in ovirt-engine audit log:
> 
> 1. If the certificate has already expired then below audit log ALERT is 
> created depending on the type of certificate
> - Host ${VdsName} certification has expired at ${ExpirationDate}. Please 
> renew the host's certification.
> - Engine's certification has expired at ${ExpirationDate}. Please renew 
> the engine's certification.
> - Engine's CA certification has expired at ${ExpirationDate}.
> 
> 2. If the certificate is going to expire in less than 7 days, then below 
> audit log ALERT is created depending on the type of certificate
> - Host ${VdsName} certification is about to expire at ${ExpirationDate}. 
> Please renew the host's certification.
> - Engine's certification is about to expire at ${ExpirationDate}. Please 
> renew the engine's certification.
> - Engine's CA certification is about to expire at ${ExpirationDate}.
> 
> 3. If the certificate is going to expire in less than 30 days, then below 
> audit log WARNING is created depending on the type of certificate
> - Host ${VdsName} certification is about to expire at ${ExpirationDate}. 
> Please renew the host's certification.
> - Engine's certification is about to expire at ${ExpirationDate}. Please 
> renew the engine's certification.
> - Engine's CA certification is about to expire at ${ExpirationDate}.
> 




[ovirt-users] Re: How-to get oVirt host certificated date

2022-01-14 Thread Sandro Bonazzola
On Fri, 14 Jan 2022 at 09:45, Martin Perina wrote:

>
>
> On Thu, Jan 13, 2022 at 4:53 PM Sandro Bonazzola 
> wrote:
>
>>
>>
>> On Thu, 13 Jan 2022 at 15:34, Konstantin Shalygin <k0...@k0ste.ru> wrote:
>>
>>> > It's possible to get, may be from Postgres, the host certificate date?
>>> > Engine run this check sometimes, but trigger this check seems
>>> impossible
>>>
>>> Anybody?
>>> @Sandro please help
>>>
>>> engine make check once per day and print to logs
>>> How can we run a manual check or see info in PostgreSQL database? This
>>> is required because the days until the end of the certificate's life
>>> expire, waiting for the next day in order to understand the result of
>>> deploying a new certificate is a strange situation
>>>
>>
>> Maybe @Martin Perina  can assist?
>>
> Hi,
>
> host certificates are not saved anywhere in the engine database, you need
> to go to the host itself to find out the expiration date. There are 2
> options:
>
> 1. Directly on the host after connecting via SSH you can run below
> # openssl x509 -text -noout -in /etc/pki/vdsm/certs/vdsmcert.pem | grep -A2 Validity
>
> 2. Remotely using openssl you can run below
> # openssl s_client -showcerts -connect <host>:54321 | openssl x509 -text -noout | grep -A2 Validity
>
>
> ovirt-engine performs certificate checks every day (can be configured
> using engine-config option CertificationValidityCheckTimeInHours) and it
> checks not only hosts certificates, but also the engine certificate and the
> engine CA certificate. This check produces following records in
> ovirt-engine audit log:
>
> 1. If the certificate has already expired then below audit log ALERT is
> created depending on the type of certificate
> - *Host ${VdsName} certification has expired at ${ExpirationDate}.
> Please renew the host's certification.*
> - *Engine's certification has expired at ${ExpirationDate}. Please
> renew the engine's certification.*
> - *Engine's CA certification has expired at ${ExpirationDate}.*
>
> 2. If the certificate is going to expire in less than 7 days, then below
> audit log ALERT is created depending on the type of certificate
> - *Host ${VdsName} certification is about to expire at
> ${ExpirationDate}. Please renew the host's certification.*
> - *Engine's certification is about to expire at ${ExpirationDate}.
> Please renew the engine's certification.*
> - *Engine's CA certification is about to expire at ${ExpirationDate}.*
>
> 3. If the certificate is going to expire in less than 30 days, then below
> audit log WARNING is created depending on the type of certificate
> - *Host ${VdsName} certification is about to expire at
> ${ExpirationDate}. Please renew the host's certification.*
> - *Engine's certification is about to expire at ${ExpirationDate}.
> Please renew the engine's certification.*
> - *Engine's CA certification is about to expire at ${ExpirationDate}.*
>
> Regards,
> Martin
>

Martin, is this something which can fit in oVirt administration
documentation?
Konstantin, what's the purpose of getting the certificate's dates?




-- 

Sandro Bonazzola

MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV

Red Hat EMEA 

sbona...@redhat.com


*Red Hat respects your work life balance. Therefore there is no need to
answer this email out of your office hours.*


[ovirt-users] Re: How-to get oVirt host certificated date

2022-01-14 Thread Martin Perina
On Thu, Jan 13, 2022 at 4:53 PM Sandro Bonazzola 
wrote:

>
>
> On Thu, 13 Jan 2022 at 15:34, Konstantin Shalygin <k0...@k0ste.ru> wrote:
>
>> > It's possible to get, may be from Postgres, the host certificate date?
>> > Engine run this check sometimes, but trigger this check seems impossible
>>
>> Anybody?
>> @Sandro please help
>>
>> engine make check once per day and print to logs
>> How can we run a manual check or see info in PostgreSQL database? This is
>> required because the days until the end of the certificate's life expire,
>> waiting for the next day in order to understand the result of deploying a
>> new certificate is a strange situation
>>
>
> Maybe @Martin Perina  can assist?
>
Hi,

host certificates are not saved anywhere in the engine database, you need
to go to the host itself to find out the expiration date. There are 2
options:

1. Directly on the host after connecting via SSH you can run below
# openssl x509 -text -noout -in /etc/pki/vdsm/certs/vdsmcert.pem | grep -A2 Validity

2. Remotely using openssl you can run below
# openssl s_client -showcerts -connect <host>:54321 | openssl x509 -text -noout | grep -A2 Validity


ovirt-engine performs certificate checks every day (can be configured using
engine-config option CertificationValidityCheckTimeInHours) and it checks
not only hosts certificates, but also the engine certificate and the engine
CA certificate. This check produces following records in ovirt-engine audit
log:

1. If the certificate has already expired then below audit log ALERT is
created depending on the type of certificate
- *Host ${VdsName} certification has expired at ${ExpirationDate}.
Please renew the host's certification.*
- *Engine's certification has expired at ${ExpirationDate}. Please
renew the engine's certification.*
- *Engine's CA certification has expired at ${ExpirationDate}.*

2. If the certificate is going to expire in less than 7 days, then below
audit log ALERT is created depending on the type of certificate
- *Host ${VdsName} certification is about to expire at
${ExpirationDate}. Please renew the host's certification.*
- *Engine's certification is about to expire at ${ExpirationDate}.
Please renew the engine's certification.*
- *Engine's CA certification is about to expire at ${ExpirationDate}.*

3. If the certificate is going to expire in less than 30 days, then below
audit log WARNING is created depending on the type of certificate
- *Host ${VdsName} certification is about to expire at
${ExpirationDate}. Please renew the host's certification.*
- *Engine's certification is about to expire at ${ExpirationDate}.
Please renew the engine's certification.*
- *Engine's CA certification is about to expire at ${ExpirationDate}.*

Regards,
Martin



-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
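
Added example (not part of the original thread and not oVirt project code): a bash helper for the manual check asked about in this thread. It reads the certificate a host serves on port 54321 and classifies its notAfter date with the thresholds Martin lists. The function names, the script name and the reliance on GNU `date -d` are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: classify a certificate's notAfter date with the engine
# thresholds quoted in the thread (expired / <7 days / <30 days).
# Assumes GNU date (for `date -d`) and the openssl CLI.

VDSM_PORT=54321   # port used in the thread's s_client command

# Print the notAfter value of the certificate a host serves, e.g.
# "Feb 13 16:57:10 2023 GMT". No client certificate is presented, so the
# handshake may end with the "certificate required" alert seen in the
# thread's transcript; the server certificate is still printed.
host_not_after() {
    local host=$1
    openssl s_client -showcerts -connect "${host}:${VDSM_PORT}" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate \
        | cut -d= -f2
}

# classify_not_after "<notAfter string>" [now_epoch]
# Prints EXPIRED, ALERT (<7 days), WARNING (<30 days) or OK.
# Returns 2 if the date string cannot be parsed.
classify_not_after() {
    local end now remaining
    end=$(date -u -d "$1" +%s) || return 2
    now=${2:-$(date -u +%s)}
    remaining=$(( end - now ))
    if   (( remaining <= 0 ));         then echo EXPIRED
    elif (( remaining < 7 * 86400 ));  then echo ALERT
    elif (( remaining < 30 * 86400 )); then echo WARNING
    else                                    echo OK
    fi
}

# Usage: ./certcheck.sh <host> [<host> ...]   (script name is hypothetical)
for h in "$@"; do
    na=$(host_not_after "$h")
    if [ -z "$na" ]; then
        echo "$h: no certificate retrieved" >&2
        continue
    fi
    printf '%s: notAfter=%s status=%s\n' "$h" "$na" "$(classify_not_after "$na")"
done
```

Running this right after re-enrolling a host certificate shows the new expiry without waiting for the engine's next daily check.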


[ovirt-users] Re: How-to get oVirt host certificated date

2022-01-13 Thread Sandro Bonazzola
On Thu, 13 Jan 2022 at 15:34, Konstantin Shalygin wrote:

> > It's possible to get, may be from Postgres, the host certificate date?
> > Engine run this check sometimes, but trigger this check seems impossible
>
> Anybody?
> @Sandro please help
>
> engine make check once per day and print to logs
> How can we run a manual check or see info in PostgreSQL database? This is
> required because the days until the end of the certificate's life expire,
> waiting for the next day in order to understand the result of deploying a
> new certificate is a strange situation
>

Maybe @Martin Perina  can assist?





-- 

Sandro Bonazzola

MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV

Red Hat EMEA 

sbona...@redhat.com


*Red Hat respects your work life balance. Therefore there is no need to
answer this email out of your office hours.*


[ovirt-users] Re: How-to get oVirt host certificated date

2022-01-13 Thread Konstantin Shalygin
> Is it possible to get, maybe from Postgres, the host certificate date?
> The engine runs this check sometimes, but triggering this check seems impossible

Anybody?
@Sandro please help

The engine makes the check once per day and prints to the logs.
How can we run a manual check or see info in PostgreSQL database? This is 
required because the days until the end of the certificate's life expire, 
waiting for the next day in order to understand the result of deploying a new 
certificate is a strange situation


Thanks,
k