Re: [ovirt-users] expired cert for aaa

2016-11-24 Thread Yedidyah Bar David 
On Thu, Nov 24, 2016 at 1:58 PM, cmc  wrote:
> I ran engine-setup again, but the issue was still present. However, I found
> that by using a different browser (Firefox instead of Chrome), I did not get
> the error. I cleared the cookies in Chrome and the issue no longer occured.
> So it may well be a browser issue.

Thanks for the report. Adding Alexander in case he wishes to
check/note something.

Best,

>
> Thanks,
>
> C
>
> On Thu, Nov 24, 2016 at 11:22 AM, cmc  wrote:
>>
>> Interestingly, I just got this same error again after I upgraded (I
>> upgraded from 4.0.4 to 4.0.5 to fix the 'internal server error' bug that was
>> fixed in 4.0.5)
>>
>> server_error: The connection reader was unable to successfully complete
>> TLS negotiation: javax.net.ssl.SSLHandshakeException:
>> java.security.cert.CertificateExpiredException: NotAfter: Fri Nov 04
>> 00:19:18 GMT 2016 caused by java.security.cert.CertificateExpiredException:
>> NotAfter: Fri Nov 04 00:19:18 GMT 2016
>>
>> Shall I send the logs?
>>
>> On Thu, Nov 24, 2016 at 10:55 AM, Yedidyah Bar David 
>> wrote:
>>>
>>> On Thu, Nov 24, 2016 at 12:47 PM, cmc  wrote:
>>> > Hi Yedidyah,
>>> >
>>> > Attached are the setup logs, sorry for the delay. I checked all the
>>> > backup
>>> > certs, and the expiry dates were either in 2021 or 2026.
>>>
>>> Sorry, no idea.
>>>
>>> This means that all certs generated by engine-setup were ok.
>>>
>>> Not sure what caused this message. If it happens again, please
>>> check the certificate's details, who issued/signed it etc.
>>>
>>> Best,
>>>
>>> >
>>> > Regards,
>>> >
>>> > Cam
>>> >
>>> > On Tue, Nov 8, 2016 at 7:25 AM, Yedidyah Bar David 
>>> > wrote:
>>> >>
>>> >> On Mon, Nov 7, 2016 at 9:15 PM, cmc  wrote:
>>> >> > To reply to my own email:
>>> >> >
>>> >> > This is now fixed.
>>> >> >
>>> >> > I originally ran these steps for the upgrade:
>>> >> >
>>> >> > # yum install
>>> >> > http://resources.ovirt.org/pub/yum-repo/ovirt-release40.rpm
>>> >> > # yum update "ovirt-engine-setup*"
>>> >> > # engine-setup
>>> >> >
>>> >> > There were no errors reported during the process. I could login as
>>> >> > the
>>> >> > internal user without any errors. It was just using an external
>>> >> > provider,
>>> >> > which made me think it was an aaa issue, so I looked
>>> >> > at the certificate exported from AD which had an expiry of 2063.
>>> >> >
>>> >> > I tried running engine-setup again, and this fixed the issue. I have
>>> >> > no
>>> >> > idea
>>> >> > what happened along the way, I will check the logs. I notice it
>>> >> > reports:
>>> >> >
>>> >> > [ INFO  ] Upgrading CA
>>> >>
>>> >> engine-setup always emits this message. You might find more details in
>>> >> the
>>> >> setup logs regarding what it actually did.
>>> >>
>>> >> >
>>> >> > so it looks like it creates a cert. Why it would have created one
>>> >> > with
>>> >> > such
>>> >> > a short expiry date is a mystery to me.
>>> >> >
>>> >> > Hope this helps anyone who might come across this issue
>>> >>
>>> >> Thanks for the report!
>>> >>
>>> >> Can you please share both setup logs? Thanks.
>>> >>
>>> >> Also, most files should be backed up by engine-setup prior to being
>>> >> changed/removed. So you can check the backups. E.g.:
>>> >>
>>> >> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem.20160120160548 -noout
>>> >> -enddate
>>> >> notAfter=May 22 07:32:23 2025 GMT
>>> >> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -enddate
>>> >> notAfter=Mar  6 09:46:44 2026 GMT
>>> >>
>>> >> Or,
>>> >>
>>> >> find /etc/pki/ovirt-engine -name "*.cer*" -o -name "*.pem*" | while
>>> >> read file; do echo $file $(openssl x509 -in $file -noout -enddate);
>>> >> done
>>> >>
>>> >> Best,
>>> >> --
>>> >> Didi
>>> >
>>> >
>>>
>>>
>>>
>>> --
>>> Didi
>>
>>
>



-- 
Didi
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] expired cert for aaa

2016-11-24 Thread cmc 
I ran engine-setup again, but the issue was still present. However, I found
that by using a different browser (Firefox instead of Chrome), I did not
get the error. I cleared the cookies in Chrome and the issue no longer
occured. So it may well be a browser issue.

Thanks,

C

On Thu, Nov 24, 2016 at 11:22 AM, cmc  wrote:

> Interestingly, I just got this same error again after I upgraded (I
> upgraded from 4.0.4 to 4.0.5 to fix the 'internal server error' bug that
> was fixed in 4.0.5)
>
> server_error: The connection reader was unable to successfully complete
> TLS negotiation: javax.net.ssl.SSLHandshakeException: 
> java.security.cert.CertificateExpiredException:
> NotAfter: Fri Nov 04 00:19:18 GMT 2016 caused by 
> java.security.cert.CertificateExpiredException:
> NotAfter: Fri Nov 04 00:19:18 GMT 2016
>
> Shall I send the logs?
>
> On Thu, Nov 24, 2016 at 10:55 AM, Yedidyah Bar David 
> wrote:
>
>> On Thu, Nov 24, 2016 at 12:47 PM, cmc  wrote:
>> > Hi Yedidyah,
>> >
>> > Attached are the setup logs, sorry for the delay. I checked all the
>> backup
>> > certs, and the expiry dates were either in 2021 or 2026.
>>
>> Sorry, no idea.
>>
>> This means that all certs generated by engine-setup were ok.
>>
>> Not sure what caused this message. If it happens again, please
>> check the certificate's details, who issued/signed it etc.
>>
>> Best,
>>
>> >
>> > Regards,
>> >
>> > Cam
>> >
>> > On Tue, Nov 8, 2016 at 7:25 AM, Yedidyah Bar David 
>> wrote:
>> >>
>> >> On Mon, Nov 7, 2016 at 9:15 PM, cmc  wrote:
>> >> > To reply to my own email:
>> >> >
>> >> > This is now fixed.
>> >> >
>> >> > I originally ran these steps for the upgrade:
>> >> >
>> >> > # yum install
>> >> > http://resources.ovirt.org/pub/yum-repo/ovirt-release40.rpm
>> >> > # yum update "ovirt-engine-setup*"
>> >> > # engine-setup
>> >> >
>> >> > There were no errors reported during the process. I could login as
>> the
>> >> > internal user without any errors. It was just using an external
>> >> > provider,
>> >> > which made me think it was an aaa issue, so I looked
>> >> > at the certificate exported from AD which had an expiry of 2063.
>> >> >
>> >> > I tried running engine-setup again, and this fixed the issue. I have
>> no
>> >> > idea
>> >> > what happened along the way, I will check the logs. I notice it
>> reports:
>> >> >
>> >> > [ INFO  ] Upgrading CA
>> >>
>> >> engine-setup always emits this message. You might find more details in
>> the
>> >> setup logs regarding what it actually did.
>> >>
>> >> >
>> >> > so it looks like it creates a cert. Why it would have created one
>> with
>> >> > such
>> >> > a short expiry date is a mystery to me.
>> >> >
>> >> > Hope this helps anyone who might come across this issue
>> >>
>> >> Thanks for the report!
>> >>
>> >> Can you please share both setup logs? Thanks.
>> >>
>> >> Also, most files should be backed up by engine-setup prior to being
>> >> changed/removed. So you can check the backups. E.g.:
>> >>
>> >> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem.20160120160548 -noout
>> >> -enddate
>> >> notAfter=May 22 07:32:23 2025 GMT
>> >> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -enddate
>> >> notAfter=Mar  6 09:46:44 2026 GMT
>> >>
>> >> Or,
>> >>
>> >> find /etc/pki/ovirt-engine -name "*.cer*" -o -name "*.pem*" | while
>> >> read file; do echo $file $(openssl x509 -in $file -noout -enddate);
>> >> done
>> >>
>> >> Best,
>> >> --
>> >> Didi
>> >
>> >
>>
>>
>>
>> --
>> Didi
>>
>
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] expired cert for aaa

2016-11-24 Thread cmc 
Interestingly, I just got this same error again after I upgraded (I
upgraded from 4.0.4 to 4.0.5 to fix the 'internal server error' bug that
was fixed in 4.0.5)

server_error: The connection reader was unable to successfully complete TLS
negotiation: javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateExpiredException: NotAfter: Fri Nov 04
00:19:18 GMT 2016 caused by java.security.cert.CertificateExpiredException:
NotAfter: Fri Nov 04 00:19:18 GMT 2016

Shall I send the logs?

On Thu, Nov 24, 2016 at 10:55 AM, Yedidyah Bar David 
wrote:

> On Thu, Nov 24, 2016 at 12:47 PM, cmc  wrote:
> > Hi Yedidyah,
> >
> > Attached are the setup logs, sorry for the delay. I checked all the
> backup
> > certs, and the expiry dates were either in 2021 or 2026.
>
> Sorry, no idea.
>
> This means that all certs generated by engine-setup were ok.
>
> Not sure what caused this message. If it happens again, please
> check the certificate's details, who issued/signed it etc.
>
> Best,
>
> >
> > Regards,
> >
> > Cam
> >
> > On Tue, Nov 8, 2016 at 7:25 AM, Yedidyah Bar David 
> wrote:
> >>
> >> On Mon, Nov 7, 2016 at 9:15 PM, cmc  wrote:
> >> > To reply to my own email:
> >> >
> >> > This is now fixed.
> >> >
> >> > I originally ran these steps for the upgrade:
> >> >
> >> > # yum install
> >> > http://resources.ovirt.org/pub/yum-repo/ovirt-release40.rpm
> >> > # yum update "ovirt-engine-setup*"
> >> > # engine-setup
> >> >
> >> > There were no errors reported during the process. I could login as the
> >> > internal user without any errors. It was just using an external
> >> > provider,
> >> > which made me think it was an aaa issue, so I looked
> >> > at the certificate exported from AD which had an expiry of 2063.
> >> >
> >> > I tried running engine-setup again, and this fixed the issue. I have
> no
> >> > idea
> >> > what happened along the way, I will check the logs. I notice it
> reports:
> >> >
> >> > [ INFO  ] Upgrading CA
> >>
> >> engine-setup always emits this message. You might find more details in
> the
> >> setup logs regarding what it actually did.
> >>
> >> >
> >> > so it looks like it creates a cert. Why it would have created one with
> >> > such
> >> > a short expiry date is a mystery to me.
> >> >
> >> > Hope this helps anyone who might come across this issue
> >>
> >> Thanks for the report!
> >>
> >> Can you please share both setup logs? Thanks.
> >>
> >> Also, most files should be backed up by engine-setup prior to being
> >> changed/removed. So you can check the backups. E.g.:
> >>
> >> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem.20160120160548 -noout
> >> -enddate
> >> notAfter=May 22 07:32:23 2025 GMT
> >> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -enddate
> >> notAfter=Mar  6 09:46:44 2026 GMT
> >>
> >> Or,
> >>
> >> find /etc/pki/ovirt-engine -name "*.cer*" -o -name "*.pem*" | while
> >> read file; do echo $file $(openssl x509 -in $file -noout -enddate);
> >> done
> >>
> >> Best,
> >> --
> >> Didi
> >
> >
>
>
>
> --
> Didi
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] expired cert for aaa

2016-11-24 Thread Yedidyah Bar David 
On Thu, Nov 24, 2016 at 12:47 PM, cmc  wrote:
> Hi Yedidyah,
>
> Attached are the setup logs, sorry for the delay. I checked all the backup
> certs, and the expiry dates were either in 2021 or 2026.

Sorry, no idea.

This means that all certs generated by engine-setup were ok.

Not sure what caused this message. If it happens again, please
check the certificate's details, who issued/signed it etc.

Best,

>
> Regards,
>
> Cam
>
> On Tue, Nov 8, 2016 at 7:25 AM, Yedidyah Bar David  wrote:
>>
>> On Mon, Nov 7, 2016 at 9:15 PM, cmc  wrote:
>> > To reply to my own email:
>> >
>> > This is now fixed.
>> >
>> > I originally ran these steps for the upgrade:
>> >
>> > # yum install
>> > http://resources.ovirt.org/pub/yum-repo/ovirt-release40.rpm
>> > # yum update "ovirt-engine-setup*"
>> > # engine-setup
>> >
>> > There were no errors reported during the process. I could login as the
>> > internal user without any errors. It was just using an external
>> > provider,
>> > which made me think it was an aaa issue, so I looked
>> > at the certificate exported from AD which had an expiry of 2063.
>> >
>> > I tried running engine-setup again, and this fixed the issue. I have no
>> > idea
>> > what happened along the way, I will check the logs. I notice it reports:
>> >
>> > [ INFO  ] Upgrading CA
>>
>> engine-setup always emits this message. You might find more details in the
>> setup logs regarding what it actually did.
>>
>> >
>> > so it looks like it creates a cert. Why it would have created one with
>> > such
>> > a short expiry date is a mystery to me.
>> >
>> > Hope this helps anyone who might come across this issue
>>
>> Thanks for the report!
>>
>> Can you please share both setup logs? Thanks.
>>
>> Also, most files should be backed up by engine-setup prior to being
>> changed/removed. So you can check the backups. E.g.:
>>
>> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem.20160120160548 -noout
>> -enddate
>> notAfter=May 22 07:32:23 2025 GMT
>> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -enddate
>> notAfter=Mar  6 09:46:44 2026 GMT
>>
>> Or,
>>
>> find /etc/pki/ovirt-engine -name "*.cer*" -o -name "*.pem*" | while
>> read file; do echo $file $(openssl x509 -in $file -noout -enddate);
>> done
>>
>> Best,
>> --
>> Didi
>
>



-- 
Didi
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] expired cert for aaa

2016-11-07 Thread Yedidyah Bar David 
On Mon, Nov 7, 2016 at 9:15 PM, cmc  wrote:
> To reply to my own email:
>
> This is now fixed.
>
> I originally ran these steps for the upgrade:
>
> # yum install http://resources.ovirt.org/pub/yum-repo/ovirt-release40.rpm
> # yum update "ovirt-engine-setup*"
> # engine-setup
>
> There were no errors reported during the process. I could login as the
> internal user without any errors. It was just using an external provider,
> which made me think it was an aaa issue, so I looked
> at the certificate exported from AD which had an expiry of 2063.
>
> I tried running engine-setup again, and this fixed the issue. I have no idea
> what happened along the way, I will check the logs. I notice it reports:
>
> [ INFO  ] Upgrading CA

engine-setup always emits this message. You might find more details in the
setup logs regarding what it actually did.

>
> so it looks like it creates a cert. Why it would have created one with such
> a short expiry date is a mystery to me.
>
> Hope this helps anyone who might come across this issue

Thanks for the report!

Can you please share both setup logs? Thanks.

Also, most files should be backed up by engine-setup prior to being
changed/removed. So you can check the backups. E.g.:

# openssl x509 -in /etc/pki/ovirt-engine/ca.pem.20160120160548 -noout -enddate
notAfter=May 22 07:32:23 2025 GMT
# openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -enddate
notAfter=Mar  6 09:46:44 2026 GMT

Or,

find /etc/pki/ovirt-engine -name "*.cer*" -o -name "*.pem*" | while
read file; do echo $file $(openssl x509 -in $file -noout -enddate);
done

Best,
-- 
Didi
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] expired cert for aaa

2016-11-07 Thread cmc 
To reply to my own email:

This is now fixed.

I originally ran these steps for the upgrade:

# yum install http://resources.ovirt.org/pub/yum-repo/ovirt-release40.rpm
# yum update "ovirt-engine-setup*"
# engine-setup

There were no errors reported during the process. I could login as the
internal user without any errors. It was just using an external provider,
which made me think it was an aaa issue, so I looked
at the certificate exported from AD which had an expiry of 2063.

I tried running engine-setup again, and this fixed the issue. I have no
idea what happened along the way, I will check the logs. I notice it
reports:

[ INFO  ] Upgrading CA

so it looks like it creates a cert. Why it would have created one with such
a short expiry date is a mystery to me.

Hope this helps anyone who might come across this issue

Cheers,

Cam

On Mon, Nov 7, 2016 at 7:03 PM, cmc  wrote:

> Hi,
>
> I upgraded my engine host from 4.0.2.7 to 4.0.4 and when I attempt to
> login via a aaa provider I get:
>
>  java.security.cert.CertificateExpiredException: NotAfter: Fri Nov 04
> 00:19:18 GMT 2016,
>
> What certificate is this referring to? The certificate from the aaa
> provider expires in 2063.
>
> It was fine until the upgrade.
>
> Thanks for any help,
>
> Cam
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

[ovirt-users] expired cert for aaa

2016-11-07 Thread cmc 
Hi,

I upgraded my engine host from 4.0.2.7 to 4.0.4 and when I attempt to login
via a aaa provider I get:

 java.security.cert.CertificateExpiredException: NotAfter: Fri Nov 04
00:19:18 GMT 2016,

What certificate is this referring to? The certificate from the aaa
provider expires in 2063.

It was fine until the upgrade.

Thanks for any help,

Cam
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users