On Thu, Jan 13, 2022 at 4:53 PM Sandro Bonazzola <sbona...@redhat.com> wrote:
>
> On Thu, Jan 13, 2022 at 3:34 PM Konstantin Shalygin <k0...@k0ste.ru> wrote:
>
>> > Is it possible to get, maybe from Postgres, the host certificate date?
>> > The engine runs this check sometimes, but triggering this check seems impossible
>>
>> Anybody?
>> @Sandro please help
>>
>> The engine makes the check once per day and prints to the logs.
>> How can we run a manual check or see info in the PostgreSQL database? This is
>> required because the days until the end of the certificate's life expire,
>> waiting for the next day in order to understand the result of deploying a
>> new certificate is a strange situation
>>
>
> Maybe @Martin Perina <mper...@redhat.com> can assist?
>

Hi,

host certificates are not saved anywhere in the engine database; you need to go to the host itself to find out the expiration date. There are 2 options:

1. Directly on the host, after connecting via SSH, you can run the command below:

   # openssl x509 -text -noout -in /etc/pki/vdsm/certs/vdsmcert.pem | grep -A2 Validity

2. Remotely, using openssl, you can run the command below:

   # openssl s_client -showcerts -connect <HOST FQDN>:54321 | openssl x509 -text -noout | grep -A2 Validity

ovirt-engine performs certificate checks every day (this can be configured using the engine-config option CertificationValidityCheckTimeInHours), and it checks not only host certificates, but also the engine certificate and the engine CA certificate. This check produces the following records in the ovirt-engine audit log:

1. If the certificate has already expired, then the audit log ALERT below is created, depending on the type of certificate:
   - *Host ${VdsName} certification has expired at ${ExpirationDate}. Please renew the host's certification.*
   - *Engine's certification has expired at ${ExpirationDate}. Please renew the engine's certification.*
   - *Engine's CA certification has expired at ${ExpirationDate}.*

2. If the certificate is going to expire in less than 7 days, then the audit log ALERT below is created, depending on the type of certificate:
   - *Host ${VdsName} certification is about to expire at ${ExpirationDate}. Please renew the host's certification.*
   - *Engine's certification is about to expire at ${ExpirationDate}. Please renew the engine's certification.*
   - *Engine's CA certification is about to expire at ${ExpirationDate}.*

3. If the certificate is going to expire in less than 30 days, then the audit log WARNING below is created, depending on the type of certificate:
   - *Host ${VdsName} certification is about to expire at ${ExpirationDate}. Please renew the host's certification.*
   - *Engine's certification is about to expire at ${ExpirationDate}. Please renew the engine's certification.*
   - *Engine's CA certification is about to expire at ${ExpirationDate}.*

Regards,
Martin

>
>>
>> Thanks,
>> k
>> _______________________________________________
>> Users mailing list -- users@ovirt.org
>> To unsubscribe send an email to users-le...@ovirt.org
>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>> oVirt Code of Conduct:
>> https://www.ovirt.org/community/about/community-guidelines/
>> List Archives:
>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/3WK5CJYL3PXXCJJQKLEQCQJG5X2YA3XV/
>>
>
> --
> Sandro Bonazzola
> MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV
> Red Hat EMEA <https://www.redhat.com/>
> sbona...@redhat.com
> <https://www.redhat.com/>
>
> *Red Hat respects your work life balance. Therefore there is no need to
> answer this email out of your office hours.*
>

--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
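
Added example, not part of the original thread or of oVirt's code: a shell function that applies the thresholds listed in the reply above (expired, under 7 days, under 30 days) to a PEM file with `openssl x509 -checkend`, so a newly deployed certificate can be checked on the host without waiting for the engine's daily run. The function names, the status labels and the throwaway sample certificate are assumptions made for illustration; the function does not trigger or read the engine's own check.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Usage on a host:
#   sh cert_status.sh /etc/pki/vdsm/certs/vdsmcert.pem

# cert_status PEM_FILE
# Prints EXPIRED, ALERT (< 7 days), WARNING (< 30 days) or OK.
# Prints UNREADABLE and returns 2 if openssl cannot parse the file,
# so a wrong path is never mistaken for an expired certificate.
cert_status() {
    pem=$1
    openssl x509 -noout -in "$pem" 2>/dev/null || { echo UNREADABLE; return 2; }
    # -checkend N exits non-zero when the certificate expires within N seconds
    if ! openssl x509 -noout -checkend 0 -in "$pem" >/dev/null; then
        echo EXPIRED
    elif ! openssl x509 -noout -checkend $((7 * 86400)) -in "$pem" >/dev/null; then
        echo ALERT
    elif ! openssl x509 -noout -checkend $((30 * 86400)) -in "$pem" >/dev/null; then
        echo WARNING
    else
        echo OK
    fi
}

# make_sample_cert DAYS OUT_PEM
# Constructed throwaway self-signed certificate for trying cert_status;
# the private key is written next to it as OUT_PEM.key.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=sample.invalid" -keyout "$2.key" -out "$2" 2>/dev/null
}

# Classify the file given on the command line, if any
if [ "$#" -gt 0 ]; then
    cert_status "$1"
fi
```
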