You can configure them using the available global settings 
ca.framework.cert.validity.period

By default the auto renewal is set to true. Read more here
https://www.shapeblue.com/cloudstack-ca-framework/
and
http://docs.cloudstack.apache.org/en/latest/adminguide/hosts.html#security

Regards.

________________________________
From: Antoine Boucher <antoi...@haltondc.com>
Sent: Tuesday, February 21, 2023 7:45:55 AM
To: users <users@cloudstack.apache.org>
Subject: Re: Expired Libvirt certificate on CentOS 7 KVM host.

Excellent Wei,

I set listen_tls to 0, started libvirtd and cloudstack-agent.  The host 
connected as unsecured, I did a “Provision Host Security Keys” and all is well.

Thanks again,
Antoine



> On Feb 20, 2023, at 4:03 PM, Wei ZHOU <ustcweiz...@gmail.com> wrote:
>
> You can refer to this code block
>
> https://github.com/apache/cloudstack/blob/main/scripts/util/keystore-setup#L54-L61
>
>
> if [ -f "$LIBVIRTD_FILE" ]; then
>     echo "Reverting libvirtd to not listen on TLS"
>     sed -i "s,^listen_tls=1,listen_tls=0,g" "$LIBVIRTD_FILE"
>     systemctl restart libvirtd
> fi
>
> echo "Removing cloud.* files in /etc/cloudstack/agent"
> rm -f /etc/cloudstack/agent/cloud.*
>
>
> -Wei
>
>
> On Monday, 20 February 2023, Antoine Boucher <antoi...@haltondc.com> wrote:
>
>> Thank you Wei,
>>
>> My ca.plugin.root.auth.strictness was already set to false
>>
>> The cloud-stack agent refused to run because Libvirt is not running
>> because of the expired Libvirt certs.
>>
>> Is there a way to turn off the secure connection requirement on libvirt?
>> Or at least to allow it to connect and renew via the WebUI and then turn it
>> back on?
>>
>> Regards,
>> Antoine
>>
>>
>>
>>
>> On Feb 20, 2023, at 2:24 PM, Wei ZHOU <ustcweiz...@gmail.com> wrote:
>>
>> Agree.
>>
>> For the cloudstack agent which can not be started, update global setting
>> `ca.plugin.root.auth.strictness` to `false` and retry.
>>
>> -Wei
>>
>> On Mon, 20 Feb 2023 at 20:21, Aditya Sharma
>> <aditya.sha...@indiqus.com.invalid> wrote:
>>
>>
>> Hello,
>>
>> Yes it can be done simply by forcing “provision host security keys“ from
>> the Web UI.
>>
>> Regards,
>> Aditya Sharma
>>
>> On 21-Feb-2023, at 00:01, Antoine Boucher <antoi...@haltondc.com> wrote:
>>
>> Hello,
>>
>> I have just upgraded from 4.16.2 to 4.17.2; all went well.
>>
>> However, probably unrelated to the upgrade, I needed to do maintenance
>> on one of my CentOS 7 KVM hosts. When I rebooted the host, the CloudStack
>> agent cannot start, complaining about expired libvirt certificates.
>>
>> I read that the certificate for libvirt of CentOS 7 is valid for one
>> year.  There is a fairly convoluted way to update them.  Is there a simpler
>> way to renew the cert?
>>
>> I have not rebooted my other CentOS 7 KVM hosts, that are likely over
>> the one year mark.  Can these hosts' libvirt certs be upgraded simply by
>> forcing “provision host security keys“ from the webui console in the
>> infrastructure/host section since I still have cloud-agent connection?
>>
>>
>> Regards,
>> Antoine Boucher
>>

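A pre-reboot check for the situation in this thread, as an added example that is not from any poster or from the CloudStack project: it reports which host certificates are expired or close to expiry, so keys can be re-provisioned while the agent is still connected. The function names are hypothetical, and the default paths (libvirt's stock TLS locations and the agent's cloud.crt) are assumptions to adjust per host.

```shell
#!/bin/sh
# Added example: flag libvirt/agent certificates nearing expiry on a KVM host.

# Assumed locations (libvirt defaults and the agent's cloud.* directory
# mentioned in the thread); check libvirtd.conf for overrides.
DEFAULT_CERTS="/etc/pki/CA/cacert.pem /etc/pki/libvirt/servercert.pem
/etc/pki/libvirt/clientcert.pem /etc/cloudstack/agent/cloud.crt"

# cert_status FILE [DAYS]
# Prints OK, EXPIRING, EXPIRED or UNREADABLE; returns 0, 1, 2 or 3.
cert_status() {
    cs_file=$1
    cs_days=${2:-30}
    if ! openssl x509 -in "$cs_file" -noout >/dev/null 2>&1; then
        echo "UNREADABLE"; return 3
    fi
    # -checkend N exits non-zero if the cert expires within N seconds.
    if ! openssl x509 -in "$cs_file" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED"; return 2
    fi
    if ! openssl x509 -in "$cs_file" -noout \
            -checkend $((cs_days * 86400)) >/dev/null 2>&1; then
        echo "EXPIRING"; return 1
    fi
    echo "OK"; return 0
}

# scan_certs DAYS FILE...
# Prints one line per file that exists; returns the worst status seen.
scan_certs() {
    sc_days=$1
    shift
    sc_worst=0
    for sc_file in "$@"; do
        [ -f "$sc_file" ] || continue
        sc_status=$(cert_status "$sc_file" "$sc_days") && sc_rc=0 || sc_rc=$?
        sc_end=$(openssl x509 -in "$sc_file" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%-10s %s (notAfter: %s)\n' "$sc_status" "$sc_file" "${sc_end:-unknown}"
        if [ "$sc_rc" -gt "$sc_worst" ]; then sc_worst=$sc_rc; fi
    done
    return "$sc_worst"
}

# When run with arguments, e.g.  sh check-certs.sh 30 $DEFAULT_CERTS
if [ "$#" -gt 0 ]; then
    scan_certs "$@"
fi
```

A non-zero exit from `scan_certs` means at least one certificate needs attention before the host is rebooted.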