[ovirt-users] Re: vnc certificate renew

2022-05-09 Thread Yedidyah Bar David
On Fri, May 6, 2022 at 3:22 PM Sandro Bonazzola wrote:
>
> On Fri, May 6, 2022 at 11:40 Gianluca Cecchi wrote:
>>
>> On Fri, May 6, 2022 at 10:59 AM Gianluca Cecchi wrote:
>>>
>>> On Fri, May 6, 2022 at 10:44 AM Gianluca Cecchi wrote:
>>>>
>>>> On Mon, May 2, 2022 at 6:02 PM  wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> Last month a renewed our hosts certificates by the "Enroll certificates"
>>>>> method.
>>>>> The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate wasn't
>>>>> renewed on my nodes (other certificates were).
>>>>>
>>>>> How can I renew this certificate too?
>>>>>
>>>>> thanks
>>>>> csabany
>>>>
>>>> Actually I think this could be a bug in enrolling certificate job on hosts
>>>> from web admin gui.
>>>> I'm having the same problem updating from downstream RHV 4.4.10-6 to
>>>> 4.4.10-7 with RHV-H hosts and the enrolling of certificates takes in
>>>> consideration these directories
>>>
>>
>> In my Red Hat case confirmed that bug is already opened for this problem:
>> https://bugzilla.redhat.com/show_bug.cgi?id=2043146

Seems like this is indeed the issue. Should already be fixed in 4.5.

The bug is on RHV, not oVirt, so is still in VERIFIED - will be closed
once RHV has it. For oVirt, AFAICT, it's already fixed.

If you still run into this issue with current 4.5, please attach
relevant logs to this bug (or create a new one, if you suspect it's
unrelated). Thanks.

Best regards,
-- 
Didi
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/OEQCQIVO2UVPQOIBOVGJMOBICYI5HILX/


[ovirt-users] Re: vnc certificate renew

2022-05-06 Thread Sandro Bonazzola
On Fri, May 6, 2022 at 11:40 Gianluca Cecchi <gianluca.cec...@gmail.com> wrote:

> On Fri, May 6, 2022 at 10:59 AM Gianluca Cecchi 
> wrote:
>
>> On Fri, May 6, 2022 at 10:44 AM Gianluca Cecchi <
>> gianluca.cec...@gmail.com> wrote:
>>
>>> On Mon, May 2, 2022 at 6:02 PM  wrote:
>>>
>>>> Hi,
>>>>
>>>> Last month a renewed our hosts certificates by the "Enroll
>>>> certificates" method.
>>>> The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate wasn't
>>>> renewed on my nodes (other certificates were).
>>>>
>>>> How can I renew this certificate too?
>>>>
>>>> thanks
>>>> csabany
>>>>
>>> Actually I think this could be a bug in enrolling certificate job on
>>> hosts from web admin gui.
>>> I'm having the same problem updating from downstream RHV 4.4.10-6 to
>>> 4.4.10-7 with RHV-H hosts and the enrolling of certificates takes in
>>> consideration these directories
>>>
>>
>>
> In my Red Hat case confirmed that bug is already opened for this problem:
> https://bugzilla.redhat.com/show_bug.cgi?id=2043146
>


+Milan Zamazal +Yedidyah Bar David +Martin Perina +Michal Skrivanek
can you please have a look?

-- 

Sandro Bonazzola

MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV

Red Hat EMEA 

sbona...@redhat.com


*Red Hat respects your work life balance. Therefore there is no need to
answer this email out of your office hours.*


[ovirt-users] Re: vnc certificate renew

2022-05-06 Thread Gianluca Cecchi
On Fri, May 6, 2022 at 10:59 AM Gianluca Cecchi 
wrote:

> On Fri, May 6, 2022 at 10:44 AM Gianluca Cecchi 
> wrote:
>
>> On Mon, May 2, 2022 at 6:02 PM  wrote:
>>
>>> Hi,
>>>
>>> Last month a renewed our hosts certificates by the "Enroll certificates"
>>> method.
>>> The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate wasn't
>>> renewed on my nodes (other certificates were).
>>>
>>> How can I renew this certificate too?
>>>
>>> thanks
>>> csabany
>>>
>>>
>> Actually I think this could be a bug in enrolling certificate job on
>> hosts from web admin gui.
>> I'm having the same problem updating from downstream RHV 4.4.10-6 to
>> 4.4.10-7 with RHV-H hosts and the enrolling of certificates takes in
>> consideration these directories
>>
>
>
In my Red Hat case confirmed that bug is already opened for this problem:
https://bugzilla.redhat.com/show_bug.cgi?id=2043146


[ovirt-users] Re: vnc certificate renew

2022-05-06 Thread Gianluca Cecchi
On Fri, May 6, 2022 at 10:44 AM Gianluca Cecchi 
wrote:

> On Mon, May 2, 2022 at 6:02 PM  wrote:
>
>> Hi,
>>
>> Last month a renewed our hosts certificates by the "Enroll certificates"
>> method.
>> The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate wasn't
>> renewed on my nodes (other certificates were).
>>
>> How can I renew this certificate too?
>>
>> thanks
>> csabany
>>
>>
> Actually I think this could be a bug in enrolling certificate job on hosts
> from web admin gui.
> I'm having the same problem updating from downstream RHV 4.4.10-6 to
> 4.4.10-7 with RHV-H hosts and the enrolling of certificates takes in
> consideration these directories
>
> /etc/pki/libvirt
> /etc/pki/vdsm/certs
> /etc/pki/vdsm/libvirt-migrate
> /etc/pki/vdsm/libvirt-spice
>
> But not:
> /etc/pki/vdsm/libvirt-vnc
>
> I think it could impact oVirt too.
>
> In case Red Hat guys want to see logs of my RHV environment, I've opened
> the case 03212406 for this problem.
>
> Gianluca
>

I forgot to say that the impact in my case is that due to this problem I
can't live migrate VMs between the updated hosts, because the libvirt-vnc
certificate of destination host is now expired...
and in logs of source host I get:

libvirt.libvirtError: internal error: process exited while connecting to monitor: 2022-05-05T07:31:25.922766Z qemu-kvm: The server certificate /etc/pki/vdsm/libvirt-vnc/server-cert.pem has expired

Perhaps it is due to having graphics protocol: Spice+VNC in VM console
configuration, so both certificates (spice and vnc) are checked before
migration. Not sure

Gianluca


[ovirt-users] Re: vnc certificate renew

2022-05-06 Thread Gianluca Cecchi
On Mon, May 2, 2022 at 6:02 PM  wrote:

> Hi,
>
> Last month a renewed our hosts certificates by the "Enroll certificates"
> method.
> The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate wasn't renewed
> on my nodes (other certificates were).
>
> How can I renew this certificate too?
>
> thanks
> csabany
>
>
Actually I think this could be a bug in enrolling certificate job on hosts
from web admin gui.
I'm having the same problem updating from downstream RHV 4.4.10-6 to
4.4.10-7 with RHV-H hosts and the enrolling of certificates takes in
consideration these directories

/etc/pki/libvirt
/etc/pki/vdsm/certs
/etc/pki/vdsm/libvirt-migrate
/etc/pki/vdsm/libvirt-spice

But not:
/etc/pki/vdsm/libvirt-vnc

I think it could impact oVirt too.

In case Red Hat guys want to see logs of my RHV environment, I've opened
the case 03212406 for this problem.

Gianluca


[ovirt-users] Re: vnc certificate renew

2022-05-05 Thread Jiří Sléžka

On 5/5/22 10:42, si...@justconnect.ie wrote:
> Hi Jiri,
>
> I understand the libvirt-vnc part of this thread but can you explain the
> following in more detail please:
>
> "when you update also CA then
>
> cp /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-vnc/ca-cert.pem"

sorry, it is probably not necessary.

In my particular case I had an expired engine.cer so I have regenerated it
during the engine-setup process. Then I enrolled certificates on all hosts.
After that I noticed that migrations to some hosts fail. Qemu log shows

2022-05-02T13:55:05.987598Z qemu-kvm: Our own certificate /etc/pki/vdsm/libvirt-vnc/server-cert.pem failed validation against /etc/pki/vdsm/libvirt-vnc/ca-cert.pem: The certificate hasn't got a known issuer

so I copied key, cert and also cacert.pem to libvirt-vnc which solves my
issue.

> When does /etc/pki/vdsm/certs/cacert.pem get updated (checked mine and it's
> 2021) if not by the 'Enroll Certificate' action?

I believe cacert could be updated during engine-setup process but I am
not sure about this. In my case CA was not renewed

openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -text

Validity
Not Before: Aug 30 14:45:05 2015 GMT
Not After : Aug 28 14:45:05 2025 GMT

so I have no idea why /etc/pki/vdsm/libvirt-vnc/server-cert.pem cannot
be validated against /etc/pki/vdsm/libvirt-vnc/ca-cert.pem on host.
Copying /etc/pki/vdsm/certs/cacert.pem to
/etc/pki/vdsm/libvirt-vnc/ca-cert.pem solved this issue...

Cheers,

Jiri

> Kind Regards
>
> Simon...


[ovirt-users] Re: vnc certificate renew

2022-05-05 Thread simon
Hi Jiri,

I understand the libvirt-vnc part of this thread but can you explain the 
following in more detail please:

"when you update also CA then

cp /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-vnc/ca-cert.pem"

When does /etc/pki/vdsm/certs/cacert.pem get updated (checked mine and it's 
2021) if not by the 'Enroll Certificate' action?

Kind Regards

Simon...


[ovirt-users] Re: vnc certificate renew

2022-05-02 Thread Jiří Sléžka

Hi,

On 5/2/22 at 17:58, csab...@freemail.hu wrote:
> Hi,
>
> Last month a renewed our hosts certificates by the "Enroll certificates" method.
> The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate wasn't renewed on
> my nodes (other certificates were).
>
> How can I renew this certificate too?

on host just copy renewed vdsm key and cert to libvirt-vnc

cp /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/libvirt-vnc/server-cert.pem

cp /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/libvirt-vnc/server-key.pem

when you update also CA then

cp /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-vnc/ca-cert.pem

Cheers,

Jiri

> thanks
> csabany
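
The check below is an added example, not part of the thread and not oVirt or vdsm code: it classifies the libvirt-vnc certificate on a host, covering the two qemu-kvm failures quoted in this thread (certificate expired, certificate has no known issuer) and a key/certificate mismatch that a manual copy could introduce. The function name `check_cert`, its status strings and the 30-day warning window are assumptions; the file paths are the ones named in the thread.

```shell
#!/bin/sh
# Added example: classify a host certificate as
# missing / expiring / untrusted / key-mismatch / ok.
# check_cert and its status strings are illustrative names.

# check_cert CERT CA KEY [WINDOW_SECONDS]
# WINDOW_SECONDS=0 reports only certificates that are already expired;
# a larger value gives early warning before qemu-kvm starts refusing them.
check_cert() {
    cert=$1 ca=$2 key=$3 window=${4:-0}
    for f in "$cert" "$ca" "$key"; do
        [ -r "$f" ] || { echo "missing"; return 0; }
    done
    # -checkend exits non-zero if the certificate expires within $window seconds
    if ! openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
        echo "expiring"; return 0
    fi
    # Chain check against the CA file in the same directory: a failure here
    # is the "hasn't got a known issuer" condition from the qemu log
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "untrusted"; return 0
    fi
    # After copying key and cert by hand, confirm they belong together
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "key-mismatch"; return 0
    fi
    echo "ok"
}

# Paths as given in the thread; 2592000 s = 30 days (assumed warning window)
d=/etc/pki/vdsm/libvirt-vnc
echo "$d: $(check_cert "$d/server-cert.pem" "$d/ca-cert.pem" "$d/server-key.pem" 2592000)"
```

Run as root on each host, since the private key is not world-readable.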