On Tue, Jun 25, 2019 at 8:37 PM Stefano Danzi <s.da...@hawai.it> wrote:
>
> On 25/06/2019 14:26, Stefano Danzi wrote:
> >
> >>> I don't remember ever seeing a question about this during
> >>> engine-setup,
> >>> but it could be.
> >>> In /etc/pki/vdsm/certs/ I can see an old cert and CA with subject:
> >>>
> >>> [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in /etc/pki/vdsm/certs/cacert.pem.20150205093608 -text'
> >>> Certificate:
> >>>     Data:
> >>>         Version: 3 (0x2)
> >>>         Serial Number: 1423056193 (0x54d21d41)
> >>>     Signature Algorithm: sha256WithRSAEncryption
> >>>         Issuer: CN=VDSM Certificate Authority
> >>>         Validity
> >>>             Not Before: Feb 4 13:23:13 2015 GMT
> >>>             Not After : Feb 4 13:23:13 2016 GMT
> >>>         Subject: CN=VDSM Certificate Authority
> >>>         Subject Public Key Info:
> >>>
> >>> [CUT]
> >>>
> >>> [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem.20150205093609 -text'
> >>> Certificate:
> >>>     Data:
> >>>         Version: 3 (0x2)
> >>>         Serial Number: 1423056193 (0x54d21d41)
> >>>     Signature Algorithm: sha256WithRSAEncryption
> >>>         Issuer: CN=VDSM Certificate Authority
> >>>         Validity
> >>>             Not Before: Feb 4 13:23:13 2015 GMT
> >>>             Not After : Feb 4 13:23:13 2016 GMT
> >>>         Subject: CN=ovirt01.hawai.lan, O=VDSM Certificate
> >>>         Subject Public Key Info:
> >>>             Public Key Algorithm: rsaEncryption
> >>>
> >>>
> >>> I think those were certs made during the first hosted engine installation.
> >>> Could it work if I manually create certs like this?
> >>> Just to start libvirtd, vdsm and hosted-engine.
> >> I think it's worth a try. Just create a self-signed CA, a keypair
> >> signed by it, and place them correctly, should work.
> >>
> >> The engine won't be able to talk with the host, but you can then more
> >> easily reinstall/re-enroll-certs.
> >>
> >> Good luck,
> > This workaround works!
> > I have hosted engine running!
> >
> > So I have to find out how to reinstall/re-enroll-certs on the host. From the engine
> > UI, host status is "NonResponsive" and I can't do anything....
>
> Status:
>
> Now the host status is "Unassigned". The engine can't reach the host because of a "General
> SSLEngine problem", and that's OK because the certs are "home made".
> I can't switch the host to maintenance because it's not operational.
> I can't enroll the certificate because it is not in maintenance status.

You can try to remove it. I think we do not support "force-remove"
despite being asked about this occasionally, because generally speaking,
this is very unsafe. If you insist, you can try using the SQL function
DeleteVds to delete it from the database.

>
> How can I enroll the host cert manually?

You can try following what I wrote in "2. Try to manually fix" before.
Create a CSR on the host (with whatever private key you want), copy it to
the engine, pki-enroll-request, copy the cert to the host.

Good luck and best regards,
--
Didi
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/RUHRDGOBWLRPBAN7I6EIO6J3EI44RCGP/
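The workaround discussed in the thread (a self-signed CA plus a host keypair signed by it), as an added example that is not part of the original messages and is not oVirt or VDSM code. The subject names mirror the certificates quoted above; the function names, the scratch directory and the file names are assumptions, and the example does not place anything under /etc/pki/vdsm.

```shell
# Build a throwaway CA and a host certificate signed by it inside a
# scratch directory (hypothetical layout, not VDSM's own file names).
make_temp_pki() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077    # private keys must not be world-readable
        # 1. Self-signed CA, same subject as the old CA quoted in the thread
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
            -subj "/CN=VDSM Certificate Authority" \
            -keyout cakey.pem -out cacert.pem 2>/dev/null || exit 1
        # 2. Host private key and certificate signing request
        openssl req -newkey rsa:2048 -nodes -sha256 \
            -subj "/O=VDSM Certificate/CN=$host" \
            -keyout hostkey.pem -out host.csr 2>/dev/null || exit 1
        # 3. Sign the CSR with the temporary CA
        openssl x509 -req -in host.csr -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -sha256 -days "$days" \
            -out hostcert.pem 2>/dev/null || exit 1
    )
}

# Check the result before putting it anywhere a daemon will read it:
# the host cert must chain to the CA, and the key must match the cert.
check_temp_pki() {
    dir=$1
    openssl verify -CAfile "$dir/cacert.pem" "$dir/hostcert.pem" \
        >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/hostcert.pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/hostkey.pem" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}
```

The same `check_temp_pki` comparison is useful after a manual re-enrollment: a certificate returned for a CSR must still match the private key that stayed on the host.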