No worries, we all came across this issue.  As long as the hosted engine is 
running in Gluster, you can shut down and bring up in any other nodes. Now in 
order for you to bring the node up in the cluster, you will have to manually 
replace the vdsm cert in each node, followed by re-enrolling the certificate.

The steps are:

# To check CERT expired
# openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -noout -dates

1. Backup vdsm folder
    # cd /etc/pki
    # mv vdsm vdsm.orig
    # mkdir vdsm   ; chown vdsm:kvm vdsm
    # cd vdsm
    # mkdir libvirt-vnc certs keys libvirt-spice libvirt-migrate
    # chown vdsm:kvm  libvirt-vnc certs keys libvirt-spice libvirt-migrate

2. Regenerate cert & keys
    # vdsm-tool configure --module certificates

3. Copy the cert to destination location
    chmod 440 /etc/pki/vdsm/keys/vdsmkey.pem
    chown root /etc/pki/vdsm/certs/*pem
    chmod 644 /etc/pki/vdsm/certs/*pem

    cp /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-spice/ca-cert.pem
    cp /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/libvirt-spice/server-key.pem
    cp /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/libvirt-spice/server-cert.pem

    cp /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-vnc/ca-cert.pem
    cp /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/libvirt-vnc/server-key.pem  
    cp /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/libvirt-vnc/server-cert.pem

    cp -p /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-migrate/ca-cert.pem
    cp -p /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/libvirt-migrate/server-key.pem
    cp -p /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/libvirt-migrate/server-cert.pem

    chown root:qemu /etc/pki/vdsm/libvirt-migrate/server-key.pem

    cp -p /etc/pki/vdsm.orig/keys/libvirt_password /etc/pki/vdsm/keys/

    mv /etc/pki/libvirt/clientcert.pem /etc/pki/libvirt/clientcert.pem.orig
    mv /etc/pki/libvirt/private/clientkey.pem /etc/pki/libvirt/private/clientkey.pem.orig
    mv /etc/pki/CA/cacert.pem /etc/pki/CA/cacert.pem.orig
 
    cp -p /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/libvirt/clientcert.pem
    cp -p /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/libvirt/private/clientkey.pem
    cp -p /etc/pki/vdsm/certs/cacert.pem /etc/pki/CA/cacert.pem


4. cross check the backup folder /etc/pki/vdsm.orig vs /etc/pki/vdsm
     # refer to /etc/pki/vdsm.orig/*/ and set the correct owner & group permission in /etc/pki/vdsm/*/

5. restart services # Make sure both services are up
    systemctl restart vdsmd libvirtd

6. reboot the node and confirm the host has been rebooted manually, and put the host in maintenance mode

7. enroll certificate. (DO NOT re-install), exit the maintenance mode


Cheers from Singapore.
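
A read-only way to do the cross-check of /etc/pki/vdsm.orig against /etc/pki/vdsm and to confirm that every libvirt-* copy matches the regenerated files, as an added example that is not part of the original message. The function names `pki_drift` and `pki_stale_copies` are hypothetical, and GNU `stat`, `find` and `cmp` are assumed.

```shell
#!/bin/bash
# Added example, not from the original message. Read-only: changes nothing.
# Assumes GNU stat/find/cmp; function names are hypothetical.

# One line per file or directory in the backup tree whose owner:group or
# mode differs in the regenerated tree, or that is missing from it.
pki_drift() {
    local orig new rel want have
    orig=$1; new=$2
    (cd "$orig" && find . -mindepth 1 \( -type f -o -type d \) | sort) |
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -e "$new/$rel" ]; then
            echo "MISSING $rel"
            continue
        fi
        want=$(stat -c '%U:%G %a' "$orig/$rel")
        have=$(stat -c '%U:%G %a' "$new/$rel")
        [ "$want" = "$have" ] || echo "DIFF $rel want=[$want] have=[$have]"
    done
}

# One line per libvirt-* copy that is absent or not byte-identical to the
# regenerated file it should have been copied from.
pki_stale_copies() {
    local root d pair src dst
    root=$1
    for d in libvirt-spice libvirt-vnc libvirt-migrate; do
        for pair in certs/cacert.pem:ca-cert.pem keys/vdsmkey.pem:server-key.pem \
                    certs/vdsmcert.pem:server-cert.pem; do
            src=${pair%%:*}; dst=${pair##*:}
            cmp -s "$root/$src" "$root/$d/$dst" 2>/dev/null || echo "STALE $d/$dst"
        done
    done
}

# Usage: script.sh /etc/pki/vdsm.orig /etc/pki/vdsm
if [ "$#" -eq 2 ]; then
    pki_drift "$1" "$2"
    pki_stale_copies "$2"
fi
```

Empty output from both functions means ownership, modes and copies line up; a `MISSING` line for a file that only existed in the old tree can be ignored.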