My ca.framework.cert.validity.period is set to 365 days. If I assume that the Libvirt certificate expires in a year, should I set ca.framework.cert.validity.period to be less than 365, say 360?
Regards,
Antoine

> On Feb 20, 2023, at 11:54 PM, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
>
> You can configure them using the available global settings
> ca.framework.cert.validity.period
>
> By default the auto renewal is set to true. Read more here
> https://www.shapeblue.com/cloudstack-ca-framework/
> and
> http://docs.cloudstack.apache.org/en/latest/adminguide/hosts.html#security
>
> Regards.
>
> ________________________________
> From: Antoine Boucher <antoi...@haltondc.com>
> Sent: Tuesday, February 21, 2023 7:45:55 AM
> To: users <users@cloudstack.apache.org>
> Subject: Re: Expired Libvirt certificate on CentOS 7 KVM host.
>
> Excellent Wei,
>
> I set listen_tls to 0, started libvirtd and cloudstack-agent. The host
> connected as unsecured, I did a “Provision Host Security Keys” and all is
> well.
>
> Thanks again,
> Antoine
>
>> On Feb 20, 2023, at 4:03 PM, Wei ZHOU <ustcweiz...@gmail.com> wrote:
>>
>> You can refer to this code block
>>
>> https://github.com/apache/cloudstack/blob/main/scripts/util/keystore-setup#L54-L61
>>
>> if [ -f "$LIBVIRTD_FILE" ]; then
>>     echo "Reverting libvirtd to not listen on TLS"
>>     sed -i "s,^listen_tls=1,listen_tls=0,g" $LIBVIRTD_FILE
>>     systemctl restart libvirtd
>> fi
>>
>> echo "Removing cloud.* files in /etc/cloudstack/agent"
>> rm -f /etc/cloudstack/agent/cloud.*
>>
>> -Wei
>>
>> On Monday, 20 February 2023, Antoine Boucher <antoi...@haltondc.com> wrote:
>>
>>> Thank you Wei,
>>>
>>> My ca.plugin.root.auth.strictness was already set to false
>>>
>>> The cloudstack agent refused to run because Libvirt is not running
>>> because of the expired Libvirt certs.
>>>
>>> Is there a way to turn off the secure connection requirement on libvirt?
>>> Or at least to allow it to connect and renew via the WebUI and then turn it
>>> back on?
>>>
>>> Regards,
>>> Antoine
>>>
>>> Antoine Boucher
>>> antoi...@haltondc.com
>>> [o] +1-226-505-9734
>>> www.haltondc.com
>>>
>>> On Feb 20, 2023, at 2:24 PM, Wei ZHOU <ustcweiz...@gmail.com> wrote:
>>>
>>> Agree.
>>>
>>> For the cloudstack agent which can not be started, update global setting
>>> `ca.plugin.root.auth.strictness` to `false` and retry.
>>>
>>> -Wei
>>>
>>> On Mon, 20 Feb 2023 at 20:21, Aditya Sharma <aditya.sha...@indiqus.com.invalid> wrote:
>>>
>>> Hello,
>>>
>>> Yes it can be done simply by forcing “provision host security keys“ from
>>> the Web UI.
>>>
>>> Regards,
>>> Aditya Sharma
>>>
>>> On 21-Feb-2023, at 00:01, Antoine Boucher <antoi...@haltondc.com> wrote:
>>>
>>> Hello,
>>>
>>> I have just upgraded from 4.16.2 to 4.17.2; all went well.
>>>
>>> However, probably unrelated to the upgrade, I needed to do maintenance
>>> on one of my CentOS 7 KVM hosts. When I rebooted the host the CloudStack agent
>>> could not start, complaining about an expired libvirt certificate.
>>>
>>> I read that the certificate for libvirt on CentOS 7 is valid for one
>>> year. There is a fairly convoluted way to update them. Is there a simpler
>>> way to renew the cert?
>>>
>>> I have not rebooted my other CentOS 7 KVM hosts, which are likely over
>>> the one year mark. Can these hosts' libvirt certs be upgraded simply by
>>> forcing “provision host security keys“ from the WebUI console in the
>>> infrastructure/host section, since I still have cloud-agent connection?
>>>
>>> Regards,
>>> Antoine Boucher
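The thread turns on a host whose libvirt TLS certificate ran out unnoticed until a reboot. The script below is an added example, not code from the thread or from CloudStack: a POSIX shell check that reports how many days of validity a PEM certificate has left and whether it falls inside a renewal window, so the question "is this host about to break?" can be answered before the reboot. It assumes the openssl CLI and GNU date (both shipped with CentOS 7); the default target path /etc/pki/libvirt/servercert.pem is libvirt's standard server certificate location and is an assumption about the host layout. The demo at the bottom checks a certificate it constructs itself with a three-day lifetime rather than a real host certificate.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or CloudStack): report the
# remaining validity of a libvirt TLS server certificate.
# Assumes the openssl CLI and GNU date (both present on CentOS 7).
set -eu

# libvirt's default server certificate path (assumption about host layout);
# override by passing another PEM file as the first argument.
LIBVIRT_CERT="${1:-/etc/pki/libvirt/servercert.pem}"

# Print the notAfter field of a PEM certificate, e.g. "Feb 23 12:34:56 2024 GMT".
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | cut -d= -f2-
}

# Print whole days until the certificate expires (truncated toward zero,
# so the value is 0 or negative once the certificate has already expired).
cert_days_left() {
    end_epoch=$(date -u -d "$(cert_not_after "$1")" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Return 0 when the certificate expires within $2 days, 1 otherwise.
# openssl's -checkend exits 0 only if the cert is still valid after that
# many seconds, so its result is inverted here.
cert_needs_renewal() {
    if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# Build a constructed, self-signed test certificate (not a real host cert)
# at path $1 valid for $2 days; the key is written next to it as $1.key.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=kvm-host-01.example" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo: a constructed 3-day certificate checked against a 30-day renewal window.
demo() {
    tmp=$(mktemp -d)
    make_test_cert "$tmp/servercert.pem" 3
    echo "notAfter : $(cert_not_after "$tmp/servercert.pem")"
    echo "days left: $(cert_days_left "$tmp/servercert.pem")"
    if cert_needs_renewal "$tmp/servercert.pem" 30; then
        echo "renewal  : needed (expires within 30 days)"
    else
        echo "renewal  : not yet"
    fi
    rm -rf "$tmp"
}

# On a real KVM host, run the same functions against "$LIBVIRT_CERT" instead
# of the constructed certificate, e.g. cert_days_left "$LIBVIRT_CERT".
demo
```

Running the check from cron on each KVM host and alerting when cert_needs_renewal succeeds gives the warning the thread's reboot scenario lacked; the renewal window should be wider than the interval at which the management server re-provisions host security keys.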