Hi Didi,

One more question:
Can you verify that etc/pki/libvirt/clientcert.pem, etc/pki/vdsm/certs/vdsmcert.pem, and etc/pki/vdsm/libvirt-spice/server-cert.pem are all supposed to be the same certificate (on the host)? By a quick find | grep, all three of these files appear to be the <Host>.cer certificate file?

-derek

On Sun, December 6, 2020 12:25 pm, Derek Atkins wrote:
> Hi,
>
> On Sun, December 6, 2020 7:44 am, Yedidyah Bar David wrote:
>> On Sun, Dec 6, 2020 at 12:34 AM Derek Atkins <de...@ihtfp.com> wrote:
> [snip]
>>> So.... Is there a command-line way to re-enroll manually and update the
>>> host certs?
>>
>> I don't think you'll find anything like this.
>>
>> People did come up in the past with various procedures to hack pki like what
>> you want, but these are, generally speaking, quite fragile - usually do not
>> get updated over versions etc.
>>
>> I am pretty certain the only way to do this using "official" tools/docs is:
>>
>> 1. Stop all VMs except for the engine one.
>>
>> 2. Take a backup with engine-backup.
>>
>> 3. Stop the engine VM.
>>
>> 4. Reinstall the host OS from scratch or use ovirt-hosted-engine-cleanup.
>>
>> 5. Provision the host again as a hosted-engine host, using '--restore-from-file'.
>> Either using new storage for the engine, or after cleaning up the existing
>> hosted-engine storage.
>
> If I were to go this route I might as well upgrade to EL8 / 4.4 at the
> same time. However, I would rather not do that; I consider that a very
> dangerous operation, with a generally too-high probability of failure.
>
>> If you still want to try doing this manually, then the tool to use is
>> pki-enroll-request.sh. IIRC it's documented. You should find what keys/certs
>> you want to replace, generate new keys and CSRs (or use existing keys and
>> generate CSRs, or even use existing CSRs if you find them), copy to the engine,
>> sign with pki-enroll-request.sh, then copy the generated cert to the host.
>
> Thanks. I will look into this method.
>
>> I am
>> almost certain there is no way to tell vdsm (and other processes) to reload
>> the certs, so you'll have to restart it (them) - and this usually requires putting
>> the host in maintenance (and therefore stop (migrate) all VMs).
>
> I don't mind stopping the VMs in order to reboot the host if I can plan
> that. My understanding is that because there is no place to migrate the
> hosted-engine, that implies even if I stop all the other VMs, I still cannot
> put the host into maintenance mode. Is my understanding correct?
>
>>> Or some other way to get all the leftover certs renewed?
>>
>> Which ones, specifically?
>
> I think I listed them all: <host>*.cer and vmconsole*.cer on the engine,
> and of course everything on the host itself.
>
> Does it matter that ca.der didn't change? I don't know if that is a
> self-signed cert that might be problematic?
>
>>>
>>> Thanks,
>>>
>>> -derek
>>>
>>> [1] Not only did it not update the Host's cert, it did not update any of
>>> the vmconsole-proxy certs, nor the certs in /etc/pki/ovirt-vmconsole/, and
>>> obviously nothing in /etc/pki/ on the host itself.
>>
>> AFAIR no process uses these certs as such. There are only processes that use
>> the ssh-format keys extracted from them, which do not include a signature
>> (sha1 or whatever).
>>
>> If you think I am wrong, and/or notice other certs that need to be regenerated,
>> that's a bug - please open one. Thanks!
>
> I have not noticed anything, yet, but I have not restarted the host or
> vdsm since I re-ran engine-setup.
>
>> Re remote-viewer/spice: You didn't say if you tried again after engine-setup
>> and what happened. In any case, this is unrelated to vmconsole (which is for
>> serial consoles, using ssh). But you might still need to regenerate the host
>> cert.
>
> Sorry, I thought I did. Yes, I did try re-running remote-viewer after
> running engine-setup.
> There was no change in the console.vv file (except
> of course for the password and sso-token), so yes, it failed in the same
> way.
>
> Note, however, that I did not restart vdsm or the host after running
> engine-setup.
>
>> BTW: You can try using novnc and websocket-proxy - engine-setup does update
>> the cert for the latter, so this might work as-is.
>
> Yes, that does work indeed, so as a short-term solution that can work for
> me. I'll ask my colleague on a Mac if that works for him.
>
> But it would be nice to get remote-viewer working, IMHO, which would
> require a way to renew / refresh the host cert -- which of course would be
> nice to do without having to re-install!
>
> Thanks!!!
>
>> Best regards,
>> --
>> Didi
>
> -derek
>
> --
> Derek Atkins 617-623-3745
> de...@ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>

--
Derek Atkins 617-623-3745
de...@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
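Derek's question at the top of this message (whether the three host-side files hold one and the same certificate) is answered more reliably by comparing certificate fingerprints than by grepping for the file name. The script below is an added example, not code from the thread or from oVirt; it uses only the Python standard library, and the three files it writes are constructed placeholders (PEM armour around arbitrary bytes), not real oVirt certificates.

```python
import base64
import hashlib
import os
import ssl
import tempfile

# The three host-side files asked about in the thread (relative to /).
HOST_CERT_FILES = [
    "etc/pki/libvirt/clientcert.pem",
    "etc/pki/vdsm/certs/vdsmcert.pem",
    "etc/pki/vdsm/libvirt-spice/server-cert.pem",
]

def pem_fingerprint(path):
    """SHA-256 fingerprint (colon-separated hex) of the certificate in a PEM
    file; the same value `openssl x509 -noout -fingerprint -sha256` prints."""
    with open(path) as fh:
        der = ssl.PEM_cert_to_DER_cert(fh.read())  # strip armour, base64-decode
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def group_by_certificate(root, rel_paths):
    """Map fingerprint -> files under `root` holding it. Missing files land under
    the key None, so the files share one certificate iff the only key is not None."""
    groups = {}
    for rel in rel_paths:
        full = os.path.join(root, rel)
        key = pem_fingerprint(full) if os.path.isfile(full) else None
        groups.setdefault(key, []).append(rel)
    return groups

def build_sample_tree(root, odd_one_out=False):
    """Write constructed placeholder files: PEM armour around arbitrary bytes,
    not real X.509 data. With odd_one_out, server-cert.pem gets different bytes."""
    for rel in HOST_CERT_FILES:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        differs = odd_one_out and rel.endswith("server-cert.pem")
        body = base64.encodebytes(b"host-cert-B" if differs else b"host-cert-A").decode()
        with open(full, "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n")

def check_sample_tree(odd_one_out=False):
    """Build a throwaway sample tree in a temp dir and return its certificate groups."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, odd_one_out)
        return group_by_certificate(tmp, HOST_CERT_FILES)

if __name__ == "__main__":
    print(check_sample_tree(odd_one_out=True))
```

On a real host, call `group_by_certificate("/", HOST_CERT_FILES)` against the live files; `openssl x509 -in FILE -noout -fingerprint -sha256 -enddate` prints the same fingerprint together with the expiry date that is at issue in this thread.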