I have an oVirt cluster with 25 hypervisors that has been running fine for a
couple of years, and today all of a sudden the engine was getting SSL errors
talking to the hypervisors. The error in engine.log is:

2022-10-10 16:20:23,562-05 ERROR
(EE-ManagedThreadFactory-engineScheduled-Thread-47) [] Unable to
RefreshCapabilities: VDSNetworkException: VDSGenericException:
VDSNetworkException: Received fatal alert: unknown_ca

Certificates don't seem expired and I ran the commands:

# openssl x509 -noout -in /etc/pki/ovirt-engine/ca.pem -fingerprint
# openssl x509 -noout -in /etc/pki/vdsm/certs/cacert.pem -fingerprint
# openssl x509 -noout -in /etc/pki/vdsm/libvirt-spice/ca-cert.pem -fingerprint
# openssl x509 -noout -in /etc/pki/vdsm/libvirt-vnc/ca-cert.pem -fingerprint
# openssl x509 -noout -in /etc/pki/CA/cacert.pem -fingerprint

Those commands show that the fingerprints are the same.

# openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem
# openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem
# openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem
# openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem
# openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem
# openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem

These verification commands come back as OK. I am having trouble
finding my problem. Does anyone have any suggestions? I am not finding
any hits on Google for unknown_ca.

Also, the vdsm log on the hypervisors has this:

2022-10-10 15:54:42,843-0500 ERROR (Reactor thread)
[ProtocolDetector.SSLHandshakeDispatcher] ssl handshake: SSLError,
address: ::ffff: (sslutils:263)

