[ovirt-users] Re: VDSM certs expired, manual renewal not working

Thu, 09 Mar 2023 22:07:06 -0800

To continue the troubleshooting, I believe there is mutual SSL between ovirt-engine and host so I think what I am missing is to put this new cert for ovirt-engine to use it as client cert auth.
But where to put it? I noticed that generating the cert does not put it in /etc/pki/ovirt-engine/certs altho I am not sure if that is significant or not. 


I tried to manually replace the cert there named hostname.cer but it 
doesn't do anything.


Where do host certs need to be stored on the ovirt-engine side?



I also updated the libvirt-migrate cert which has it's own key and 
different CA but that didn't make a difference.



Best regards


On 10/03/2023 05:13, cen wrote:

Hi


Our VDSM certs have expired, both hosts are unassigned and can't be 
put into maintenance from UI.



vdsm-client is not working, times out even with --insecure flag. Does 
host and port need to be specified when run locally or should defaults 
work?




Error in console events is: Get Host Capabilities Failed: PKIX path 
validation failed...




I followed a RHV guide for this exact situation and generated new vdsm 
certificate using the ovirt-engine CA.



The new cert seems identical to the old one, everything matches 
(algos, extensions, CA, CN, SAN etc) just new date.




After restarting libvirtd and vdsmd on the host with new cert in place 
the host is still not reachable.


However, error message is now slightly different:

get Host Capabilities failed: Received fatal error: certificate_expired


Cert was replaced in the following locations:

/etc/pki/vdsm/certs/vdsmcert.pem

/etc/pki/vdsm/libvirt-spice/server-cert.pem

/etc/pki/libvirt/clientcert.pem


Is there another location missing? What else can I try?


All help appreciated in advance


_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/HLYWZLI6OZ5CEY2WDQS5E6YKYJWZQS2F/






















					Reply via email to