[ovirt-users] oVirt management has lost its SSL.

Alexander Wels awels at redhat.com
Fri Nov 3 17:23:34 UTC 2017


On Friday, November 3, 2017 1:15:27 PM EDT ~Stack~ wrote:
> Greetings,
> 
> I'm seriously just grasping at straws here. I took a spare hard drive,
> tossed it in the management host, and did a fresh install. It did not
> like me trying to add it into the existing infrastructure. Tried to dump
> the DB from the old to the new, update the passwords, and pretty much
> ended up in the same place.
> 
> I did check the .trustedkeystore and it has the same 1 key as my
> original backup. So that isn't the issue.
> 
> Still poking at it. Would love some thoughts/feedback.
> 
> Thanks!
> ~Stack~
> 

Running engine-setup on the engine machine should re-generate the keys.

> On 11/03/2017 09:30 AM, ~Stack~ wrote:
> > Greetings,
> > 
> > Please, I would greatly appreciate some help/feedback. I'm not sure what
> > else to do.
> > 
> > I reverted the .trustedstore to the only backup I have, and there is one
> > key in it. That too gets flagged by oVirt as having been tampered with
> > (I'm guessing oVirt added something that isn't there any more). The
> > password is correct as I can verify it from the oVirt config file on the
> > command line.
> > 
> > I'm out of ideas on fixing this. What happens to my oVirt hypervisors
> > and VMs if I rebuild the management engine host from scratch?
> > 
> > Thanks!
> > ~Stack~
> > 
> > On 11/02/2017 04:18 PM, ~Stack~ wrote:
> >> Greetings,
> >> 
> >> OS: Scientific Linux 7.4
> >> oVirt: 4.1
> >> Everything fully updated.
> >> 
> >> Everything was working great. I received my new network card today to
> >> upgrade my ovirt management node (physical node; not self-hosted), took
> >> the machine down, swapped the card, and brought it up to many many
> >> errors.
> >> 
> >> Here's the basic break-down of my discoveries.
> >> 
> >> 1) My /etc/pki/ovirt-engine/.trustedstore was corrupt. I had lots of
> >> messages in my engine.log about it being corrupt. Restored from backup,
> >> and oVirt engine was really peeved for not having my domain cert in it
> >> (tons of messages in the engine.log file)...figured out how to add my
> >> domain cert and it seemed OK. Which led me to...
> >> 
> >> 2) My /etc/pki/ovirt-engine/keys/engine.p12 and
> >> /etc/pki/ovirt-engine/keys/apache.p12 are _gone_. Don't have them in my
> >> backups either. This results in a massive java dump when I try to start
> >> the engine service.
> >> 
> >> 3) I noticed that I had
> >> /etc/pki/ovirt-engine/keys/engine.p12.201711021302 which is a time stamp
> >> corresponding to when I shut the node down. Then I noticed that I was
> >> missing dang near EVERY file in /etc/pki/ovirt-engine but I had an
> >> equivalent file with the ".201711021302" extension. So a touch of bash
> >> and I copied all of my "*.201711021302" files with the proper
> >> user/group/permissions into their base name. Hooray! No more errors in
> >> the log files and all services start!!
> >> 
> >> 4) I open my web browser and head to my management host...and I get this
> >> error:
> >> Keystore was tampered with, or password was incorrect
> >> 
> >> Well...yeah. I had to fix it in step one. :-/
> >> 
> >> I'm not getting anything useful out of my Internet searching. I don't
> >> know what went wrong or why, but my SSL is just borked.
> >> 
> >> Any suggestions? Thoughts? Ideas?
> >> 
> >> Is there a way to just blow away and start over with the SSL _without_
> >> destroying the VMs (which fortunately they all seem to still be
> >> functional!)?
> >> 
> >> Any help would be greatly appreciated.
> >> Thanks!
> >> ~Stack~
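
Added example (not part of any poster's message and not oVirt code): a dry-run inventory for the situation in step 3 of the original report, listing every file under a PKI directory that exists only as a timestamp-suffixed copy and copying it back with permissions preserved only when asked. The function names are hypothetical; the directory and suffix in the usage comment are the ones quoted in the thread, and file names are assumed to contain no newlines.

```shell
#!/bin/sh
# Usage, with the values quoted in the thread:
#   restore_orphaned /etc/pki/ovirt-engine 201711021302           # report only
#   restore_orphaned /etc/pki/ovirt-engine 201711021302 --apply   # copy back

# find_orphaned_backups DIR SUFFIX
# Print each path whose live file is missing while "<path>.SUFFIX" exists.
find_orphaned_backups() {
    dir=$1
    suffix=$2
    find "$dir" -type f -name "*.$suffix" | sort | while IFS= read -r backup; do
        base=${backup%".$suffix"}          # strip the timestamp suffix
        [ -e "$base" ] || printf '%s\n' "$base"
    done
}

# restore_orphaned DIR SUFFIX [--apply]
# Without --apply, only report what would be copied, so the list can be
# reviewed before any key material is touched.
restore_orphaned() {
    dir=$1
    suffix=$2
    mode=${3:-}
    find_orphaned_backups "$dir" "$suffix" | while IFS= read -r base; do
        if [ "$mode" = "--apply" ]; then
            # -p keeps mode and timestamps, and owner/group when run as root,
            # so private keys do not come back with looser permissions.
            cp -p -- "$base.$suffix" "$base"
        else
            printf 'would restore %s from %s\n' "$base" "$base.$suffix"
        fi
    done
}
```

Files that already exist under their base name are never overwritten, so a second run after `--apply` reports nothing.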



