For newer ACS versions the Libvirt certificate is the same as the one used by the CloudStack 
agent on the KVM host. The global setting values you configure apply, and when you run 
the provision certificate API it will generate the certificate and provision it to 
the KVM host for use by both libvirt and the CloudStack agent.

Regards.
________________________________
From: Antoine Boucher <antoi...@haltondc.com>
Sent: Tuesday, February 21, 2023 10:48:58 AM
To: users <users@cloudstack.apache.org>
Subject: Re: Expired Libvirt certificate on CentOS 7 KVM host.

My ca.framework.cert.validity.period is set to 365 days.

If I assume that the Libvirt certificate expires in a year, should I set 
ca.framework.cert.validity.period to less than 365, say 360?

Regards,
Antoine




 

> On Feb 20, 2023, at 11:54 PM, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
>
> You can configure them using the available global settings 
> ca.framework.cert.validity.period
>
> By default the auto renewal is set to true. Read more here
> https://www.shapeblue.com/cloudstack-ca-framework/
> and
> http://docs.cloudstack.apache.org/en/latest/adminguide/hosts.html#security
>
> Regards.
> ________________________________
> From: Antoine Boucher <antoi...@haltondc.com>
> Sent: Tuesday, February 21, 2023 7:45:55 AM
> To: users <users@cloudstack.apache.org>
> Subject: Re: Expired Libvirt certificate on CentOS 7 KVM host.
>
> Excellent Wei,
>
> I set listen_tls to 0, started libvirtd and cloudstack-agent. The host 
> connected as unsecured, I did a "Provision Host Security Keys" and all is 
> well.
>
> Thanks again,
> Antoine
>
>
>
>
>
>
>
>> On Feb 20, 2023, at 4:03 PM, Wei ZHOU <ustcweiz...@gmail.com> wrote:
>>
>> You can refer to this code block
>>
>> https://github.com/apache/cloudstack/blob/main/scripts/util/keystore-setup#L54-L61
>>
>>
>> if [ -f "$LIBVIRTD_FILE" ]; then
>>     echo "Reverting libvirtd to not listen on TLS"
>>     sed -i "s,^listen_tls=1,listen_tls=0,g" $LIBVIRTD_FILE
>>     systemctl restart libvirtd
>> fi
>>
>> echo "Removing cloud.* files in /etc/cloudstack/agent"
>> rm -f /etc/cloudstack/agent/cloud.*
>>
>>
>> -Wei
>>
>>
>> On Monday, 20 February 2023, Antoine Boucher <antoi...@haltondc.com> wrote:
>>
>>> Thank you Wei,
>>>
>>> My ca.plugin.root.auth.strictness was already set to false
>>>
>>> The cloudstack agent refused to run because Libvirt is not running
>>> because of the expired Libvirt certs.
>>>
>>> Is there a way to turn off the secure connection requirement on libvirt?
>>> Or at least to allow it to connect and renew via the WebUI and then turn it
>>> back on?
>>>
>>> Regards,
>>> Antoine
>>>
>>>
>>>
>>> *Antoine Boucher*
>>> antoi...@haltondc.com
>>> [o] +1-226-505-9734
>>> www.haltondc.com
>>>
>>> “Data security made simple”
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Feb 20, 2023, at 2:24 PM, Wei ZHOU <ustcweiz...@gmail.com> wrote:
>>>
>>> Agree.
>>>
>>> For the cloudstack agent which can not be started, update global setting
>>> `ca.plugin.root.auth.strictness` to `false` and retry.
>>>
>>> -Wei
>>>
>>> On Mon, 20 Feb 2023 at 20:21, Aditya Sharma
>>> <aditya.sha...@indiqus.com.invalid> wrote:
>>>
>>>
>>> Hello,
>>>
>>> Yes it can be done simply by forcing “provision host security keys“ from
>>> the Web UI.
>>>
>>> Regards,
>>> Aditya Sharma
>>>
>>> On 21-Feb-2023, at 00:01, Antoine Boucher <antoi...@haltondc.com> wrote:
>>>
>>> Hello,
>>>
>>> I have just upgraded from 4.16.2 to 4.17.2 all went well.
>>>
>>> However, probably unrelated to the upgrade, I needed to do maintenance
>>> on one of my CentOS 7 KVM hosts. When I rebooted the host the CloudStack agent
>>> could not start, complaining about expired libvirt certificates.
>>>
>>>
>>> I read that the certificate for libvirt on CentOS 7 is valid for one
>>> year. There is a fairly convoluted way to update them. Is there a simpler
>>> way to renew the cert?
>>>
>>>
>>> I have not rebooted my other CentOS 7 KVM hosts, which are likely over
>>> the one year mark. Can these hosts' libvirt certs be upgraded simply by
>>> forcing "provision host security keys" from the WebUI console in the
>>> infrastructure/host section, since I still have cloud-agent connection?
>>>
>>>
>>> Regards,
>>> Antoine Boucher
>>>
>>>
>>>
>>>
>>>
>>>
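The problem in this thread only surfaced at reboot, when libvirtd refused to start on an expired certificate and took the agent down with it. The script below is an added example, not code from the thread or from the CloudStack project: it reports how many days remain on the certificates a KVM host depends on, so the remaining hosts can be checked (and "Provision Host Security Keys" run) before the one year mark rather than after. The default paths /etc/cloudstack/agent/cloud.crt and /etc/pki/libvirt/servercert.pem are assumptions for a CentOS 7 host; pass your own paths if yours differ. Expiry parsing is done in plain shell arithmetic on the output of openssl x509 -enddate, so it does not depend on the GNU or BSD dialect of date -d.

```shell
#!/bin/sh
# Added example (not from the thread or the CloudStack project): report days
# left on the TLS certificates a CloudStack KVM host depends on, so an expired
# cert is found before the next reboot rather than by a dead agent.
# Default paths are assumptions for a CentOS 7 KVM host; adjust to your layout.
WARN_DAYS="${WARN_DAYS:-30}"

# Month abbreviation as printed by "openssl x509 -enddate" -> 1..12
month_num() {
    case "$1" in
        Jan) echo 1 ;; Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;; Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# Days since 1970-01-01 for a proleptic Gregorian date (y m d), computed in
# shell arithmetic so no "date -d" dialect is needed.
epoch_days() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# "notAfter=Feb 21 00:00:00 2024 GMT" (openssl -enddate output) -> Unix time
notafter_epoch() {
    raw=${1#notAfter=}
    set -- $raw                      # fields: Mon DD HH:MM:SS YYYY GMT
    mon=$(month_num "$1") || return 1
    hms=$3; h=${hms%%:*}; rest=${hms#*:}; mi=${rest%%:*}; s=${rest#*:}
    days=$(epoch_days "$4" "$mon" "${2#0}")
    # strip one leading zero so "08" is not read as octal by the shell
    echo $(( days * 86400 + ${h#0} * 3600 + ${mi#0} * 60 + ${s#0} ))
}

# days_left NOTAFTER [NOW_EPOCH]: whole days until expiry; negative once expired
days_left() {
    exp=$(notafter_epoch "$1") || return 1
    now=${2:-$(date -u +%s)}
    if [ "$exp" -ge "$now" ]; then
        echo $(( (exp - now) / 86400 ))
    else
        echo $(( 0 - (now - exp + 86399) / 86400 ))   # round expired age up
    fi
}

# check_cert PATH: 0 fine, 1 expires within WARN_DAYS, 2 expired, 3 unreadable
check_cert() {
    f=$1
    [ -r "$f" ] || { echo "$f: missing or unreadable"; return 3; }
    enddate=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null) \
        || { echo "$f: not a PEM certificate"; return 3; }
    d=$(days_left "$enddate") || { echo "$f: cannot parse '$enddate'"; return 3; }
    if [ "$d" -lt 0 ]; then echo "$f: EXPIRED $((0 - d)) day(s) ago"; return 2; fi
    if [ "$d" -lt "$WARN_DAYS" ]; then echo "$f: expires in $d day(s)"; return 1; fi
    echo "$f: ok, $d day(s) left"
}

# Exit status is the worst result over all files, so it can gate a reboot.
main() {
    worst=0
    for f in "$@"; do
        check_cert "$f"; rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return "$worst"
}

if [ $# -gt 0 ]; then
    main "$@"
else
    echo "usage: $0 CERT_FILE... (e.g. /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/servercert.pem)" >&2
fi
```

Run it on each host as root, for example `sh check-kvm-certs.sh /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/servercert.pem`; a non-zero exit means at least one certificate is expired or inside the warning window, and the host should be re-provisioned from the UI while its agent is still connected rather than rebooted first.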
