On 03/09/2020 at 15:49, Martin Perina wrote:
>
>
> On Thu, Sep 3, 2020 at 2:56 PM Pierre pit <[email protected]> wrote:
>
>     I have a communication problem between all the nodes and the
>     manager following the upgrade from 4.3 to 4.4. I followed the
>     4.3 to 4.4 upgrade procedure and everything worked correctly:
>     according to the import/export scripts as well as the installation
>     setup on the new manager in 4.4, all is OK. Only, after connecting
>     to the manager, all the nodes are in a down state; there is no
>     more communication between the newly installed 4.4 manager and
>     the nodes still in production on 4.3.
>
>     In the manager I have this message for all the nodes:
>     ` VDSM virtdell8 command Get Host Capabilities failed: PKIX path
>     validation failed: java.security.cert.CertPathValidatorException:
>     Algorithm constraints check failed on signature algorithm:
>     SHA256withRSA`
>
>
> Hi Pierre,
>
> Hmm, the following error is a bit misleading, but it gives a clue to
> me. Could you please check the key size of your ovirt-engine CA key?
>
> openssl x509 -text -noout -in /etc/pki/ovirt-engine/ca.pem | grep 'RSA Public-Key'

Hi Martin,

Thank you very much for your answer. Indeed, the size of the key is 1024
bits. I ran the command "update-crypto-policies --set LEGACY" (I don't
know this command).
Everything is OK now. Thank you very much for your expertise. \o/


>
> If your key size is less than 2048 bits, then you need to change
> crypto policy of your CentOS 8 to LEGACY using below steps:
>
> 1. Execute 'update-crypto-policies --set LEGACY'
> 2. Reboot the machine
>
> That should mitigate the issue, but I'm really curious, this should
> not happen unless your engine was installed in oVirt 3.0 era and then
> continuously upgraded up to 4.4, because we have switched to 2048 bits
> in 2012:


It has actually been a long time that I have been upgrading oVirt from
version to version. I had some mishaps with oVirt 2.2, and it seems to me
that since oVirt 3.0 the upgrade has been done regularly.


>
> https://gerrit.ovirt.org/4389
>
> Is this your case?
>
No, it is not me.

Again, thanks for your reply; I could not have found it all alone.

Regards,

Pierre


>
> Regards,
> Martin
>
>
>     And on the nodes:
>     ` 2020-09-01 17:38:13,083+0200 ERROR (Reactor thread)
>     [ProtocolDetector.SSLHandshakeDispatcher] ssl handshake: SSLError,
>     address: ::ffff:XXX.XXX.XXX.XXX (sslutils:264)
>      vdsm[4400]: ERROR ssl handshake: SSLError, address:
>     ::ffff:XXX.XXX.XXX.XXX`
>
>     After a search on the forums I found a similar error on version
>     4.2, but its solution, commenting `ssl_excludes` in the
>     `/etc/vdsm/vdsm.conf` file, does not apply to my problem.
>
>     I unfortunately had to backtrack because it was no longer possible
>     to control oVirt and use the manager for our production. The new
>     machine with the manager in 4.4 is offline while a solution is found.
>
>     Do you know where should I look in order to solve this problem?
>
>     thank you in advance
>     Pierre
>     _______________________________________________
>     Users mailing list -- [email protected] <mailto:[email protected]>
>     To unsubscribe send an email to [email protected]
>     <mailto:[email protected]>
>     Privacy Statement: https://www.ovirt.org/privacy-policy.html
>     oVirt Code of Conduct:
>     https://www.ovirt.org/community/about/community-guidelines/
>     List Archives:
>     
> https://lists.ovirt.org/archives/list/[email protected]/message/CE34HLTRN54HVOJNK3ZCNXH66CIYFSQS/
>
>
>
> -- 
> Martin Perina
> Manager, Software Engineering
> Red Hat Czech s.r.o.
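
As an added example (not part of the original thread and not oVirt project code): a small shell audit that reports the public-key size of one or more certificates against the 2048-bit threshold Martin mentions, so an undersized CA key can be spotted before an upgrade to a host with a stricter crypto policy. The function names are hypothetical; the pattern matches both the `RSA Public-Key: (N bit)` label grepped for above and the `Public-Key: (N bit)` label printed by newer OpenSSL releases.

```shell
#!/bin/sh
# Added example: audit certificate key sizes against a minimum.
# Usage: sh audit-keysize.sh /etc/pki/ovirt-engine/ca.pem [more certs...]

MIN_BITS=2048   # threshold taken from the thread (keys below it need LEGACY)

# Read `openssl x509 -text -noout` output on stdin and print the key size.
# Matches "RSA Public-Key: (1024 bit)" as well as "Public-Key: (2048 bit)".
key_bits() {
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Classify a key size: prints "weak", "ok" or "unknown"; always returns 0.
check_bits() {
    case "$1" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$1" -lt "$MIN_BITS" ]; then
        echo weak
    else
        echo ok
    fi
}

# Print one report line for a certificate file.
audit_cert() {
    bits=$(openssl x509 -text -noout -in "$1" 2>/dev/null | key_bits)
    printf '%s: %s bits (%s)\n' "$1" "${bits:-?}" "$(check_bits "$bits")"
}

# Only act when certificate paths are given on the command line.
if [ "$#" -gt 0 ]; then
    for cert in "$@"; do
        audit_cert "$cert"
    done
    # Show the active system-wide policy where the tool is installed.
    if command -v update-crypto-policies >/dev/null 2>&1; then
        printf 'crypto policy: %s\n' "$(update-crypto-policies --show)"
    fi
fi
```
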