[ovirt-users] expired cert for aaa

cmc iucounu at gmail.com
Thu Nov 24 10:47:59 UTC 2016


Hi Yedidyah,

Attached are the setup logs, sorry for the delay. I checked all the backup
certs, and the expiry dates were either in 2021 or 2026.

Regards,

Cam

On Tue, Nov 8, 2016 at 7:25 AM, Yedidyah Bar David <didi at redhat.com> wrote:

> On Mon, Nov 7, 2016 at 9:15 PM, cmc <iucounu at gmail.com> wrote:
> > To reply to my own email:
> >
> > This is now fixed.
> >
> > I originally ran these steps for the upgrade:
> >
> > # yum install http://resources.ovirt.org/pub/yum-repo/ovirt-release40.rpm
> > # yum update "ovirt-engine-setup*"
> > # engine-setup
> >
> > There were no errors reported during the process. I could log in as the
> > internal user without any errors. It was just using an external provider,
> > which made me think it was an aaa issue, so I looked
> > at the certificate exported from AD which had an expiry of 2063.
> >
> > I tried running engine-setup again, and this fixed the issue. I have no idea
> > what happened along the way, I will check the logs. I notice it reports:
> >
> > [ INFO  ] Upgrading CA
>
> engine-setup always emits this message. You might find more details in the
> setup logs regarding what it actually did.
>
> >
> > so it looks like it creates a cert. Why it would have created one with such
> > a short expiry date is a mystery to me.
> >
> > Hope this helps anyone who might come across this issue
>
> Thanks for the report!
>
> Can you please share both setup logs? Thanks.
>
> Also, most files should be backed up by engine-setup prior to being
> changed/removed. So you can check the backups. E.g.:
>
> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem.20160120160548 -noout -enddate
> notAfter=May 22 07:32:23 2025 GMT
> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -enddate
> notAfter=Mar  6 09:46:44 2026 GMT
>
> Or,
>
> find /etc/pki/ovirt-engine -name "*.cer*" -o -name "*.pem*" | while read -r file; do echo "$file" $(openssl x509 -in "$file" -noout -enddate); done
>
> Best,
> --
> Didi
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ovirt-engine-setup-20161107175104-pl7e8h.log.gz
Type: application/x-gzip
Size: 265131 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/users/attachments/20161124/1555f2f1/attachment-0002.gz>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ovirt-engine-setup-20161107190431-58glsr.log.gz
Type: application/x-gzip
Size: 256826 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/users/attachments/20161124/1555f2f1/attachment-0003.gz>
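
A more defensive form of the expiry check quoted in the message above, added here as an example and not part of the original thread: it classifies each certificate with `openssl x509 -checkend` instead of leaving the dates to be read by eye, and marks files that match the name patterns but are not PEM certificates (private keys, for instance). The function name `cert_expiry_report` and the 30-day default window are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Usage: cert_expiry_report DIR [DAYS]
# Prints "STATUS<TAB>notAfter<TAB>path" for every *.cer* / *.pem* file under DIR.
#   EXPIRED   notAfter is already in the past
#   EXPIRING  notAfter falls within the next DAYS days (default 30, an assumption)
#   OK        valid for longer than DAYS days
#   SKIP      file is not a PEM X.509 certificate (e.g. a private key)
# The body runs in a subshell so its variables do not leak into the caller.
# File names containing newlines are not handled.
cert_expiry_report() (
    dir=$1
    days=${2:-30}
    find "$dir" -type f \( -name '*.cer*' -o -name '*.pem*' \) |
    while IFS= read -r file; do
        # -enddate prints "notAfter=<date>"; failure means this is not a cert.
        if ! end=$(openssl x509 -in "$file" -noout -enddate 2>/dev/null); then
            printf 'SKIP\t-\t%s\n' "$file"
            continue
        fi
        end=${end#notAfter=}
        # -checkend N exits non-zero if the cert expires within N seconds.
        if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
            status=EXPIRED
        elif ! openssl x509 -in "$file" -noout \
                -checkend "$((days * 86400))" >/dev/null 2>&1; then
            status=EXPIRING
        else
            status=OK
        fi
        printf '%s\t%s\t%s\n' "$status" "$end" "$file"
    done
)

# When the script is called with arguments, run the report directly,
# e.g.: sh cert_expiry_report.sh /etc/pki/ovirt-engine 30
if [ "$#" -gt 0 ]; then
    cert_expiry_report "$@"
fi
```

Because the patterns also match the timestamped backups that engine-setup leaves behind (such as `ca.pem.20160120160548`), the report covers the current and the pre-upgrade certificates together.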