[ovirt-users] SSLHandshakeException: Received fatal alert: certificate_expired

Piotr Kliczewski piotr.kliczewski at gmail.com
Thu Sep 21 18:41:57 UTC 2017


Neil,

It seems that your engine certificate(s) is/are not ok. I would
suggest enabling SSL debug in the engine:
- add '-Djavax.net.debug=all' to the ovirt-engine.py file here [1]
- restart your engine
- check your server.log to see what the issue is.

Hopefully we will be able to understand what happened in your setup.

Thanks,
Piotr

[1] https://github.com/oVirt/ovirt-engine/blob/master/packaging/services/ovirt-engine/ovirt-engine.py#L341

On Thu, Sep 21, 2017 at 4:42 PM, Neil <nwilson123 at gmail.com> wrote:
> Further to the logs sent, on the nodes I'm also seeing the following error
> under /var/log/messages...
>
> Sep 20 03:43:12 node01 vdsm root ERROR invalid client certificate with
> subject "/C=US/O=UKDM/CN=engine01.mydomain.za"^C
> Sep 20 03:43:12 node01 vdsm vds ERROR xml-rpc handler exception#012Traceback
> (most recent call last):#012  File "/usr/share/vdsm/BindingXMLRPC.py", line
> 80, in threaded_start#012    self.server.handle_request()#012  File
> "/usr/lib64/python2.6/SocketServer.py", line 278, in handle_request#012
> self._handle_request_noblock()#012  File
> "/usr/lib64/python2.6/SocketServer.py", line 288, in
> _handle_request_noblock#012    request, client_address =
> self.get_request()#012  File "/usr/lib64/python2.6/SocketServer.py", line
> 456, in get_request#012    return self.socket.accept()#012  File
> "/usr/lib64/python2.6/site-packages/vdsm/SecureXMLRPCServer.py", line 136,
> in accept#012    raise SSL.SSLError("%s, client %s" % (e,
> address[0]))#012SSLError: no certificate returned, client 10.251.193.5
>
> Not sure if this is any further help in diagnosing the issue?
>
> Thanks, any assistance is appreciated.
>
> Regards.
>
> Neil Wilson.
>
>
> On Thu, Sep 21, 2017 at 4:31 PM, Neil <nwilson123 at gmail.com> wrote:
>>
>> Hi Piotr,
>>
>> Thank you for the reply. After sending the email I did go and check the
>> engine one too....
>>
>> [root@engine01 /]# openssl x509 -in /etc/pki/ovirt-engine/ca.pem -enddate -noout
>> notAfter=Oct 13 16:26:46 2022 GMT
>>
>> I'm not sure if this one below is meant to verify or if this output is
>> expected?
>>
>> [root@engine01 /]# openssl x509 -in /etc/pki/ovirt-engine/private/ca.pem -enddate -noout
>> unable to load certificate
>> 140642165552968:error:0906D06C:PEM routines:PEM_read_bio:no start
>> line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
>>
>> My date is correct too Thu Sep 21 16:30:15 SAST 2017
>>
>> Any ideas?
>>
>> Googling surprisingly doesn't come up with much.
>>
>> Thank you.
>>
>> Regards.
>>
>> Neil Wilson.
>>
>> On Thu, Sep 21, 2017 at 4:16 PM, Piotr Kliczewski
>> <piotr.kliczewski at gmail.com> wrote:
>>>
>>> Neil,
>>>
>>> You checked both nodes; what about the engine? Can you check engine certs?
>>> You can find more info where they are located here [1].
>>>
>>> Thanks,
>>> Piotr
>>>
>>> [1]
>>> https://www.ovirt.org/develop/release-management/features/infra/pki/#ovirt-engine
>>>
>>> On Thu, Sep 21, 2017 at 3:26 PM, Neil <nwilson123 at gmail.com> wrote:
>>> > Hi guys,
>>> >
>>> > Please could someone assist, my cluster is down and I can't access my VMs
>>> > to switch some of them back on.
>>> >
>>> > I'm seeing the following error in the engine.log however I've checked my
>>> > certs on my hosts (as some of the Google results said to check), but the
>>> > certs haven't expired...
>>> >
>>> >
>>> > 2017-09-21 15:09:45,077 ERROR
>>> > [org.ovirt.engine.core.vdsbroker.vdsbroker.GetCapabilitiesVDSCommand]
>>> > (DefaultQuartzScheduler_Worker-4) Command
>>> > GetCapabilitiesVDSCommand(HostName
>>> > = node02.mydomain.za, HostId = d2debdfe-76e7-40cf-a7fd-78a0f50f14d4,
>>> > vds=Host[node02.mydomain.za]) execution failed. Exception:
>>> > VDSNetworkException: javax.net.ssl.SSLHandshakeException: Received
>>> > fatal
>>> > alert: certificate_expired
>>> > 2017-09-21 15:09:45,086 ERROR
>>> > [org.ovirt.engine.core.vdsbroker.vdsbroker.GetCapabilitiesVDSCommand]
>>> > (DefaultQuartzScheduler_Worker-10) Command
>>> > GetCapabilitiesVDSCommand(HostName = node01.mydomain.za, HostId =
>>> > b108549c-1700-11e2-b936-9f5243b8ce13, vds=Host[node01.mydomain.za])
>>> > execution failed. Exception: VDSNetworkException:
>>> > javax.net.ssl.SSLHandshakeException: Received fatal alert:
>>> > certificate_expired
>>> > 2017-09-21 15:09:48,173 ERROR
>>> >
>>> > My engine and host info is below...
>>> >
>>> > [root@engine01 ovirt-engine]# rpm -qa | grep -i ovirt
>>> > ovirt-engine-lib-3.4.0-1.el6.noarch
>>> > ovirt-engine-restapi-3.4.0-1.el6.noarch
>>> > ovirt-engine-setup-plugin-ovirt-engine-3.4.0-1.el6.noarch
>>> > ovirt-engine-3.4.0-1.el6.noarch
>>> > ovirt-engine-setup-plugin-websocket-proxy-3.4.0-1.el6.noarch
>>> > ovirt-host-deploy-java-1.2.0-1.el6.noarch
>>> > ovirt-engine-setup-3.4.0-1.el6.noarch
>>> > ovirt-host-deploy-1.2.0-1.el6.noarch
>>> > ovirt-engine-backend-3.4.0-1.el6.noarch
>>> > ovirt-image-uploader-3.4.0-1.el6.noarch
>>> > ovirt-engine-tools-3.4.0-1.el6.noarch
>>> > ovirt-engine-sdk-python-3.4.0.7-1.el6.noarch
>>> > ovirt-engine-webadmin-portal-3.4.0-1.el6.noarch
>>> > ovirt-engine-cli-3.4.0.5-1.el6.noarch
>>> > ovirt-engine-setup-base-3.4.0-1.el6.noarch
>>> > ovirt-iso-uploader-3.4.0-1.el6.noarch
>>> > ovirt-engine-userportal-3.4.0-1.el6.noarch
>>> > ovirt-log-collector-3.4.1-1.el6.noarch
>>> > ovirt-engine-websocket-proxy-3.4.0-1.el6.noarch
>>> > ovirt-engine-setup-plugin-ovirt-engine-common-3.4.0-1.el6.noarch
>>> > ovirt-engine-dbscripts-3.4.0-1.el6.noarch
>>> > [root@engine01 ovirt-engine]# cat /etc/redhat-release
>>> > CentOS release 6.5 (Final)
>>> >
>>> >
>>> > [root@node02 ~]# openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -enddate -noout ; date
>>> > notAfter=May 27 08:36:17 2019 GMT
>>> > Thu Sep 21 15:18:22 SAST 2017
>>> > CentOS release 6.5 (Final)
>>> > [root@node02 ~]# rpm -qa | grep vdsm
>>> > vdsm-4.14.6-0.el6.x86_64
>>> > vdsm-python-4.14.6-0.el6.x86_64
>>> > vdsm-cli-4.14.6-0.el6.noarch
>>> > vdsm-xmlrpc-4.14.6-0.el6.noarch
>>> > vdsm-python-zombiereaper-4.14.6-0.el6.noarch
>>> >
>>> >
>>> > [root@node01 ~]# openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -enddate -noout ; date
>>> > notAfter=Jun 13 16:09:41 2018 GMT
>>> > Thu Sep 21 15:18:52 SAST 2017
>>> > CentOS release 6.5 (Final)
>>> > [root@node01 ~]# rpm -qa | grep -i vdsm
>>> > vdsm-4.14.6-0.el6.x86_64
>>> > vdsm-xmlrpc-4.14.6-0.el6.noarch
>>> > vdsm-cli-4.14.6-0.el6.noarch
>>> > vdsm-python-zombiereaper-4.14.6-0.el6.noarch
>>> > vdsm-python-4.14.6-0.el6.x86_64
>>> >
>>> > Please could I have some assistance, I'm rather desperate.
>>> >
>>> > Thank you.
>>> >
>>> > Regards.
>>> >
>>> > Neil Wilson
>>> >
>>> >
>>> >
>>> >
>>
>>
>
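
Added example, not part of the thread and not oVirt code: a Python triage of the two kinds of log line quoted above. In JSSE, "Received fatal alert" means the remote peer aborted the handshake, so the certificate to inspect is the one the engine presented; the vdsm syslog line names its subject. The sample lines are constructed from the excerpts in the thread, and all function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the excerpts quoted in this thread
# (logger names and host IDs shortened to placeholders).
ENGINE_LOG = """\
2017-09-21 15:09:45,077 ERROR [...GetCapabilitiesVDSCommand] (DefaultQuartzScheduler_Worker-4) Command GetCapabilitiesVDSCommand(HostName = node02.mydomain.za, HostId = <id>, vds=Host[node02.mydomain.za]) execution failed. Exception: VDSNetworkException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_expired
2017-09-21 15:09:45,086 ERROR [...GetCapabilitiesVDSCommand] (DefaultQuartzScheduler_Worker-10) Command GetCapabilitiesVDSCommand(HostName = node01.mydomain.za, HostId = <id>, vds=Host[node01.mydomain.za]) execution failed. Exception: VDSNetworkException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_expired
"""
VDSM_SYSLOG = """\
Sep 20 03:43:12 node01 vdsm root ERROR invalid client certificate with subject "/C=US/O=UKDM/CN=engine01.mydomain.za"
Sep 20 03:43:12 node01 vdsm vds ERROR xml-rpc handler exception#012Traceback ...#012SSLError: no certificate returned, client 10.251.193.5
"""

ALERT_RE = re.compile(r"HostName\s*=\s*([^,\s]+),.*Received fatal alert: (\w+)")
REJECT_RE = re.compile(r'^\w{3}\s+\d+\s+[\d:]+\s+(\S+) vdsm \S+ ERROR '
                       r'invalid client certificate with subject "([^"]+)"')

def engine_alerts(text):
    """(host, alert) pairs for handshakes that the remote peer aborted."""
    return [m.groups() for m in map(ALERT_RE.search, text.splitlines()) if m]

def vdsm_rejections(text):
    """Map short node name -> set of client-certificate subjects it refused."""
    out = {}
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            out.setdefault(m.group(1).split(".")[0], set()).add(m.group(2))
    return out

def triage(engine_text, vdsm_text):
    """Per host: the alert received and the rejected subjects, if logged."""
    refused = vdsm_rejections(vdsm_text)
    report = {}
    for host, alert in engine_alerts(engine_text):
        report[host] = {
            "alert": alert,
            # The host sent the alert, so the certificate (chain) at fault
            # is the one the engine presented, not the host's own vdsmcert.
            "check": "certificate presented by the engine",
            "subjects": sorted(refused.get(host.split(".")[0], ())),
        }
    return report

if __name__ == "__main__":
    for host, info in triage(ENGINE_LOG, VDSM_SYSLOG).items():
        print(host, info)
```

An empty `subjects` list for a host means no matching vdsm syslog line was supplied for it, not that the host accepted the certificate.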

