Hi again, I also noticed that ca.pem was not updated -- it's still using Sha1. I don't know if this will be an issue with remote-viewer if I wind up refreshing the host cert?
-derek On Sun, December 6, 2020 7:44 am, Yedidyah Bar David wrote: > On Sun, Dec 6, 2020 at 12:34 AM Derek Atkins <de...@ihtfp.com> wrote: >> >> Hi, >> >> I've got a single-host hosted-engine deployment that I originally >> installed with 4.0 and have upgraded over the years to 4.3.10. I and >> some >> of my users have upgraded remote-viewer and now I get an error when I >> try >> to view the console of my VMs: >> >> (remote-viewer:8252): Spice-WARNING **: 11:30:41.806: >> ../subprojects/spice-common/common/ssl_verify.c:477:openssl_verify: >> Error >> in server certificate verification: CA signature digest algorithm too >> weak >> (num=68:depth0:/O=<My Org Name>/CN=<Host's Name>) >> >> I am 99.99% sure this is because the old certs use SHA1. >> >> I reran engine-setup on the engine and it asked me if I wanted to renew >> the PKI, and I answered yes. This replaced many[1] of the certificates >> in >> /etc/pki/ovirt-engine/certs on the engine, but it did not update the >> Host's certificate. > > Indeed. > >> >> All the documentation I've seen says that to refresh this certificate I >> need to put the host into maintenance mode and then re-enroll.. However >> I >> cannot do that, because this is a single-host system so I cannot put the >> host in local mode -- there is no place to migrate the VMs (let alone >> the >> Engine VM). >> >> So.... Is there a command-line way to re-enroll manually and update the >> host certs? > > I don't think you'll find anything like this. > > People did come up in the past with various procedure to hack pki like > what > you want, but these are, generally speaking, quite fragile - usually do > not > get updated over versions etc. > > I am pretty certain the only way to do this using "official" tools/docs > is: > > 1. Stop all VMs except for the engine one. > > 2. Take a backup with engine-backup. > > 3. Stop the engine VM. > > 4. Reinstall the host OS from scratch or use ovirt-hosted-engine-cleanup. > > 5. Provision the host again as a hosted-engine host, using > '--restore-from-file'. > Either using new storage for the engine, or after cleaning up the existing > hosted-engine storage. > > If you still want to try doing this manually, then the tool to use is > pki-enroll-request.sh. IIRC it's documented. You should find what > keys/certs > you want to replace, generate new keys and CSRs (or use existing keys and > generate CSRs, or even use existing CSRs if you find them), copy to the > engine, > sign with pki-enroll-request.sh, then copy the generated cert to the host. > I am > almost certain there is no way to tell vdsm (and other processes) to > reload > the certs, so you'll have to restart it (them) - and this usually > requires putting > the host in maintenance (and therefore stop (migrate) all VMs). > >> Or some other way to get all the leftover certs renewed? > > Which ones, specifically? > >> >> Thanks, >> >> -derek >> >> [1] Not only did it not update the Host's cert, it did not update any of >> the vmconsole-proxy certs, nor the certs in /etc/pki/ovirt-vmconsole/, >> and >> obviously nothing in /etc/pki/ on the host itself. > > AFAIR no process uses these certs as such. There are only processes that > use > the ssh-format keys extracted from them, which do not include a signature > (sha1 or whatever). > > If you think I am wrong, and/or notice other certs that need to be > regenerated, > that's a bug - please open one. Thanks! > > Re remote-viewer/spice: You didn't say if you tried again after > engine-setup > and what happened. In any case, this is unrelated to vmconsole (which is > for > serial consoles, using ssh). But you might still need to regenerate the > host > cert. > > BTW: You can try using novnc and websocket-proxy - engine-setup does > update > the cert for the latter, so this might work as-is. > > Best regards, > -- > Didi > > -- Derek Atkins 617-623-3745 de...@ihtfp.com www.ihtfp.com Computer and Internet Security Consultant _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/UY44RUFT5MWMZ57Q4A4JWEOVPRSLBGTG/