Hi Didi,

One more question:

Can you verify that etc/pki/libvirt/clientcert.pem,
etc/pki/vdsm/certs/vdsmcert.pem, and
etc/pki/vdsm/libvirt-spice/server-cert.pem are all supposed to be the same
certificate (on the host)?  By a quick find | grep, all three of these
files appear to be the <Host>.cer certificate file?

-derek

On Sun, December 6, 2020 12:25 pm, Derek Atkins wrote:
> HI,
>
> On Sun, December 6, 2020 7:44 am, Yedidyah Bar David wrote:
>> On Sun, Dec 6, 2020 at 12:34 AM Derek Atkins <de...@ihtfp.com> wrote:
> [snip]
>>> So....  Is there a command-line way to re-enroll manually and update
>>> the
>>> host certs?
>>
>> I don't think you'll find anything like this.
>>
>> People did come up in the past with various procedures to hack pki like
>> what
>> you want, but these are, generally speaking, quite fragile - usually do
>> not
>> get updated over versions etc.
>>
>> I am pretty certain the only way to do this using "official" tools/docs
>> is:
>>
>> 1. Stop all VMs except for the engine one.
>>
>> 2. Take a backup with engine-backup.
>>
>> 3. Stop the engine VM.
>>
>> 4. Reinstall the host OS from scratch or use
>> ovirt-hosted-engine-cleanup.
>>
>> 5. Provision the host again as a hosted-engine host, using
>> '--restore-from-file'.
>> Either using new storage for the engine, or after cleaning up the
>> existing
>> hosted-engine storage.
>
> If I were to go this route I might as well upgrade to EL8 / 4.4 at the
> same time.  However, I would rather not do that; I consider that a very
> dangerous operation, with a generally too-high probability of failure.
>
>> If you still want to try doing this manually, then the tool to use is
>> pki-enroll-request.sh. IIRC it's documented. You should find what
>> keys/certs
>> you want to replace, generate new keys and CSRs (or use existing keys
>> and
>> generate CSRs, or even use existing CSRs if you find them), copy to the
>> engine,
>> sign with pki-enroll-request.sh, then copy the generated cert to the
>> host.
>
> Thanks.  I will look into this method.
>
>> I am
>> almost certain there is no way to tell vdsm (and other processes) to
>> reload
>> the certs, so you'll have to restart it (them) - and this usually
>> requires putting
>> the host in maintenance (and therefore stop (migrate) all VMs).
>
> I don't mind stopping the VMs in order to reboot the host if I can plan
> that.  My understanding is that because there is no place to migrate the
> hosted-engine, that implies even if I stop all the other VMs, I still cannot
> put the host into maintenance mode.  Is my understanding correct?
>
>>>  Or some other way to get all the leftover certs renewed?
>>
>> Which ones, specifically?
>
> I think I listed them all:  <host>*.cer and vmconsole*.cer on the engine,
> and of course everything on the host itself.
>
> Does it matter that ca.der didn't change?  I don't know if that is a
> self-signed cert that might be problematic?
>
>>>
>>> Thanks,
>>>
>>> -derek
>>>
>>> [1] Not only did it not update the Host's cert, it did not update any
>>> of
>>> the vmconsole-proxy certs, nor the certs in /etc/pki/ovirt-vmconsole/,
>>> and
>>> obviously nothing in /etc/pki/ on the host itself.
>>
>> AFAIR no process uses these certs as such. There are only processes that
>> use
>> the ssh-format keys extracted from them, which do not include a
>> signature
>> (sha1 or whatever).
>>
>> If you think I am wrong, and/or notice other certs that need to be
>> regenerated,
>> that's a bug - please open one. Thanks!
>
> I have not noticed anything, yet, but I have not restarted the host or
> vdsm since I re-ran engine-setup.
>
>> Re remote-viewer/spice: You didn't say if you tried again after
>> engine-setup
>> and what happened. In any case, this is unrelated to vmconsole (which is
>> for
>> serial consoles, using ssh). But you might still need to regenerate the
>> host
>> cert.
>
> Sorry, I thought I did.  Yes, I did try re-running remote-viewer after
> running engine-setup.  There was no change in the console.vv file (except
> of course for the password and sso-token), so yes, it failed in the same
> way.
>
> Note, however, that I did not restart vdsm or the host after running
> engine-setup.
>
>> BTW: You can try using novnc and websocket-proxy - engine-setup does
>> update
>> the cert for the latter, so this might work as-is.
>
> Yes, that does work indeed, so as a short-term solution that can work for
> me.  I'll ask my colleague on a Mac if that works for him.
>
> But it would be nice to get remote-viewer working, IMHO, which would
> require a way to renew / refresh the host cert -- which of course would be
> nice to do without having to re-install!
>
> Thanks!!!
>
>> Best regards,
>> --
>> Didi
>
> -derek
>
> --
>        Derek Atkins                 617-623-3745
>        de...@ihtfp.com             www.ihtfp.com
>        Computer and Internet Security Consultant
>
>


-- 
       Derek Atkins                 617-623-3745
       de...@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
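The question at the top of this message asks whether three certificate files on the host are really the same certificate. The following POSIX shell check is an added example (not code from this thread or from the oVirt project): it compares SHA-256 fingerprints with openssl(1), prints each file's notAfter date, and flags certificates that expire within a given window. It assumes openssl is installed and that the HOST_CERTS paths are the absolute /etc/pki locations on the host corresponding to the files named in the question.

```shell
#!/bin/sh
# Added example, not code from the thread or from the oVirt project.
# Compares the SHA-256 fingerprints of several PEM certificate files
# and reports their expiry, using only openssl(1). Assumptions: openssl
# is installed; the HOST_CERTS paths are the absolute /etc/pki locations
# on the host corresponding to the files named in the question.

HOST_CERTS="/etc/pki/libvirt/clientcert.pem \
/etc/pki/vdsm/certs/vdsmcert.pem \
/etc/pki/vdsm/libvirt-spice/server-cert.pem"

# Print the SHA-256 fingerprint of one PEM certificate; fail if the file
# is missing or is not a parseable certificate.
cert_fp() {
    out=$(openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null) || return 1
    printf '%s\n' "${out#*=}"
}

# Print the notAfter date of one PEM certificate.
cert_notafter() {
    out=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null) || return 1
    printf '%s\n' "${out#*=}"
}

# Print "fingerprint<TAB>notAfter<TAB>path" for one file.
cert_info() {
    fp=$(cert_fp "$1") || { echo "unreadable or not a certificate: $1" >&2; return 1; }
    end=$(cert_notafter "$1") || return 1
    printf '%s\t%s\t%s\n' "$fp" "$end" "$1"
}

# Exit 0 when every readable certificate among the arguments has the same
# fingerprint, 1 when they differ, 2 when fewer than two could be read.
same_cert() {
    first=""; n=0
    for f in "$@"; do
        fp=$(cert_fp "$f") || { echo "skipping $f" >&2; continue; }
        n=$((n + 1))
        if [ -z "$first" ]; then
            first="$fp"
        elif [ "$fp" != "$first" ]; then
            return 1
        fi
    done
    [ "$n" -ge 2 ] || return 2
    return 0
}

# Exit 1 (and name the files) if any certificate expires within $1 seconds,
# using openssl's -checkend; an unreadable file is reported the same way.
expires_within() {
    secs="$1"; shift; rc=0
    for f in "$@"; do
        if ! openssl x509 -noout -checkend "$secs" -in "$f" >/dev/null 2>&1; then
            echo "expires within ${secs}s (or unreadable): $f"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone report for the host paths above; harmless when they are absent.
for f in $HOST_CERTS; do cert_info "$f" || true; done
if same_cert $HOST_CERTS; then
    echo "all readable files carry the same certificate"
else
    echo "certificates differ, or fewer than two files were readable"
fi
```

Run it as root on the host to get one line per file; identical fingerprints mean the files are copies of the same certificate, so re-enrolling one of them without replacing the others would leave the host with a mix of old and new certificates. A call such as `expires_within 2592000 $HOST_CERTS` (30 days) is a convenient pre-renewal check.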
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/X2FDHYM7ZRSIM3VWPFJWKPO2SHSLWNBV/
