Hi,

> certificate validation value in engine-setup
Do you mean expiration date on CA generated by ovirt?
Then I would look at (copied from bugzilla):
> I found two places where the lifespan is hard coded in scripts: 
> /usr/share/ovirt-engine/bin/pki-enroll-openssh-cert.sh 
> /usr/share/ovirt-engine/bin/pki-enroll-request.sh
But changing files provided by the package has its own issues.

Rerunning engine-setup does not affect guest vms. It can ask you to 
restart/reload ovirt-manager (to read a new cert) but it should not cause any 
disruption to guest vms. Only users/admins would need to re-login to the web UI.

On 4 November 2023 19:35:56 CET, LS CHENG <lsc.or...@gmail.com> wrote:
>Hi
>
>I think I will stick with the default certificate 398 days rule. To renew
>the certificate automatically I am thinking to write a script and
>run engine-setup, which will detect that the certificates are close to expiring,
>such as the following:
>
>          --== PKI CONFIGURATION ==--
>
>          One or more of the certificates should be renewed, because they
>          expire soon, or include an invalid expiry date, or they were created
>          with validity period longer than 398 days, or do not include the
>          subjectAltName extension, which can cause them to be rejected by
>          recent browsers and up to date hosts.
>          See https://www.ovirt.org/develop/release-management/features/infra/pki-renew/
>          for more details.
>          Renew certificates? (Yes, No) [No]:
>
>However I see a couple of problems
>
>   1. engine-setup must be run with the offline option because otherwise it
>   will try to update the packages, which I want to avoid. When offline is used,
>   do the VMs running on the KVM hosts have to be stopped? Can this be done online? It
>   is a pain if every time I need to renew the certificates I have to stop the
>   entire virtualization environment.
>   2. To script and run this process as a cron job, can we run engine-setup
>   non-interactively?
>
>
>Thanks
>
>
>
>
>On Sat, Nov 4, 2023 at 6:47 PM LS CHENG <lsc.or...@gmail.com> wrote:
>
>> Hi
>>
>> Yes it is generated with engine-setup.
>>
>> How do you extend the certificate validation value in engine-setup? (I am
>> aware that browser can have problems with long duration certificates as
>> explained in
>> https://techbeacon.com/security/google-apple-mozilla-enforce-1-year-max-security-certifications
>> )
>>
>> Thanks
>>
>> On Sat, Nov 4, 2023 at 6:39 PM Matej Dujava <ov...@kocurkovo.cz> wrote:
>>
>>> Hi,
>>>
>>> By self-signed cert, you mean a managed cert generated by ovirt itself
>>> (engine-setup)?
>>>
>>> I found an issue https://bugzilla.redhat.com/show_bug.cgi?id=1824103 where
>>> it's mentioned that safari (maybe other browsers too) have a problem with
>>> a long self-signed CA. If it's not affecting your clients you can change the
>>> values and regenerate the cert by engine-setup.
>>>
>>> You can always generate an SSL cert by hand (openssl or cfssl ...) and
>>> replace it following
>>> https://www.ovirt.org/documentation/administration_guide/#Replacing_the_Manager_CA_Certificate
>>>
>>>
>>> On 4 November 2023 14:18:26 CET, LS CHENG <lsc.or...@gmail.com> wrote:
>>>
>>>> Hi again
>>>>
>>>> Forgot to mention that I am using self signed certificates
>>>>
>>>> Thank you
>>>>
>>>>
>>>>
>>>> On Sat, Nov 4, 2023 at 2:07 PM LS CHENG <lsc.or...@gmail.com> wrote:
>>>>
>>>>> Hi all
>>>>>
>>>>> I am running Oracle Linux Virtualization Manager 4.4.
>>>>>
>>>>> The default expiration length for apache.cer and websocket-proxy.cer is
>>>>> 1 year; is there a way to extend them to 10 years?
>>>>>
>>>>> Thank you
>>>>>
>>>>>
>>>>>
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/6DVPQZRY7XIDJ2ZSWC3FG2H7TOIKJL4T/
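A pre-check for the renewal cron job discussed in the thread, as an added example that is not the poster's script nor part of oVirt: it uses openssl to report which of the two certificates named above (apache.cer, websocket-proxy.cer) expire within a threshold, so engine-setup only has to be invoked when renewal is actually due. The certificate directory and the script file name are assumptions; adjust them for your installation.

```shell
#!/bin/sh
# Added example, not from the thread or the oVirt project: a pre-check for a
# renewal cron job. It reports which engine certificates expire within a
# threshold so that engine-setup only needs to be run when renewal is due.
# Assumed: the certificate directory (override with CERT_DIR) and a 30-day
# default threshold (override with THRESHOLD_DAYS).
CERT_DIR="${CERT_DIR:-/etc/pki/ovirt-engine/certs}"
THRESHOLD_DAYS="${THRESHOLD_DAYS:-30}"

# expires_within DAYS FILE: 0 if notAfter is within DAYS from now (or already
# past), 1 if the certificate stays valid beyond that window, 2 if unreadable.
expires_within() {
    days=$1; file=$2
    [ -r "$file" ] || return 2
    # -checkend succeeds only when the cert is still valid after DAYS seconds
    if openssl x509 -noout -checkend $((days * 86400)) -in "$file" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# not_after FILE: print the notAfter date as openssl reports it.
not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# check_certs: one status line per certificate named in the thread; returns 0
# when nothing is due, 1 when at least one cert is due or could not be read
# (an unreadable cert is treated as due so the job fails loudly).
check_certs() {
    due=0
    for name in apache.cer websocket-proxy.cer; do
        f="$CERT_DIR/$name"
        rc=0
        expires_within "$THRESHOLD_DAYS" "$f" || rc=$?
        case $rc in
            0) echo "DUE   $name expires $(not_after "$f")"; due=1 ;;
            1) echo "ok    $name expires $(not_after "$f")" ;;
            *) echo "ERROR $name is missing or unreadable"; due=1 ;;
        esac
    done
    return $due
}

# Run the check only when invoked directly as a script (not when sourced).
case "${0##*/}" in
    check-ovirt-certs.sh) check_certs ;;
esac
```

A cron entry can run this first and only proceed to the renewal step when the exit status is non-zero, which keeps engine-setup out of the normal daily schedule.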