On Wed, Jul 20, 2016 at 6:18 PM, Nicolás <nico...@devels.es> wrote: > > > El 20/07/16 a las 16:45, Martin Perina escribió: > > > > On Wed, Jul 20, 2016 at 4:44 PM, Nicolás <nico...@devels.es> wrote: > >> Hi Martin, >> >> Actually, up until now we had that cert configured in httpd and in >> websocket proxy. Seems that now in 4.0.x it's not enough, as opening the >> https://fqdn complains about the cert not being imported in the key >> chain. >> > > Yes, there's an updated procedure on using external CA in 4.0, for > details please take a look at Doc Text in > > https://bugzilla.redhat.com/show_bug.cgi?id=1336838 > > > >> So I imported it via keytool, but I don't want to use it in the engine >> <-> VDSM communication. >> > > Hmm, so that would imply that we have some issue with existing internal > enigne CA during upgrade ... > The strange thing is that we test upgrades a lot but so far we haven't > seen any issues which will broke > SSL setup between engine and VDSM. You said that you had to downgrade back > to 3.6.7 (so unfortunately for us we cannot investigate your nonworking > setup more), but how did you do that? > Removing all engine packages and configuration, installing back 3.6.7 > packaging and restoring configuration form backup? > I'm asking to know what changed in your setup between not working 4.0 and > working 3.6.7 ... > > > Indeed, those are the steps I followed to the point. > > To add more strangeness, previously to upgrading this oVirt > infrastructure, we upgraded another one that we have (also using own cert, > a different one but from the same CA) and everything went smoothly. And > what's more, previously to upgrading the engine that failed, I created a > copy of that engine machine in a sandbox environment to see if upgrade > process would or not success, and it worked perfectly. > > The only difference between the sandbox and the real machine's process was > that when upgrading the real one, the first time I run "engine-setup" it > failed because 'systemd' reported PostgreSQL as it was not running > (actually it was, thougg), so everything rolled back. I had to kill the > PostgreSQL process, start it again with systemctl and then run > "engine-setup", where the process completed successfully but the SSL issue > appeared. Not sure if this rollback could have shattered the whole thing... > > Anyhow, tomorrow I'm going to create another copy of the engine machine to > a sandbox environment and try again. If it works I'll cross my fingers and > give another try on the real machine... > > Thanks! >
Thanks a lot for you effort. I will try to perform same upgrade tomorrow in my test env. > > Thanks > > Martin > > >> Thanks! >> En 20/7/2016 2:48 p. m., Martin Perina <mper...@redhat.com> escribió: >> >> Hi, >> >> sorry for late response, I overlook your reply :-( >> >> I looked at your logs and it seems to me that there's SSL error when >> engine tries to contact VDSM. >> You have mentioned that your are using your own custom CA. Are you >> using it only for HTTPS certificate or do you want to use it also for >> Engine <-> VDSM communication? >> >> Martin Perina >> >> >> On Wed, Jul 20, 2016 at 9:18 AM, <nico...@devels.es> wrote: >> >>> Any hints about this? >>> >>> El 2016-07-13 11:13, nico...@devels.es escribió: >>> >>>> Hi, >>>> >>>> Unfortunately, upgrading to 4.0.1RC didn't solve the problem. >>>> Actually, the error changed to 'General SSLEngine problem', but the >>>> result was the same, like this: >>>> >>>> 2016-07-13 09:52:22,010 INFO >>>> [org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (SSL Stomp >>>> Reactor) [] Connecting to /10.X.X.X >>>> 2016-07-13 09:52:22,018 ERROR >>>> [org.ovirt.vdsm.jsonrpc.client.reactors.Reactor] (SSL Stomp Reactor) >>>> [] Unable to process messages: General SSLEngine problem >>>> >>>> It's worth mentioning that we're using our own SSL certificates (not >>>> self-signed), and I imported the combined certificate into the >>>> /etc/pki/ovirt-engine/.truststore key file. Not sure if related, but >>>> just in case. >>>> >>> >>>> I had to downgrade to 3.6.7. I'm attaching requested logs, if you need >>>> anything else don't hesitate to ask. >>>> >>>> Regards. >>>> >>>> El 2016-07-13 09:45, Martin Perina escribió: >>>> >>>>> Hi, >>>>> >>>>> could you please share also vdsm.log from your hosts and also >>>>> server.log and setup logs from /var/log/ovirt-engine/setup directory? >>>>> >>>>> Thanks >>>>> >>>>> Martin Perina >>>>> >>>>> On Wed, Jul 13, 2016 at 10:36 AM, <nico...@devels.es> wrote: >>>>> >>>>> Hi, >>>>>> >>>>>> We upgraded from 3.6.6 to 4.0.0 and we have a big issue since the >>>>>> engine cannot connect to hosts. In the logs all we see is this >>>>>> error: >>>>>> >>>>>> ERROR [org.ovirt.vdsm.jsonrpc.client.reactors.Reactor] (SSL >>>>>> Stomp Reactor) [] Unable to process messages >>>>>> >>>>>> I'm attaching full logs. >>>>>> >>>>>> Could someone help please? >>>>>> >>>>>> Thanks. >>>>>> _______________________________________________ >>>>>> Users mailing list >>>>>> Users@ovirt.org >>>>>> http://lists.ovirt.org/mailman/listinfo/users [1] >>>>>> >>>>> >>>>> >>>>> >>>>> Links: >>>>> ------ >>>>> [1] http://lists.ovirt.org/mailman/listinfo/users >>>>> >>>> >>>> _______________________________________________ >>>> Users mailing list >>>> Users@ovirt.org >>>> http://lists.ovirt.org/mailman/listinfo/users >>>> >>> >> > >
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users