<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 20, 2016 at 6:18 PM, Nicolás <span dir="ltr">&lt;<a href="mailto:nicolas@devels.es" target="_blank">nicolas@devels.es</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <p><br>
    </p>
    <br>
    <div>El 20/07/16 a las 16:45, Martin Perina
      escribió:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div style="font-family:arial,helvetica,sans-serif"><br>
        </div>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Wed, Jul 20, 2016 at 4:44 PM,
            Nicolás <span dir="ltr">&lt;<a href="mailto:nicolas@devels.es" target="_blank">nicolas@devels.es</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
              <div dir="ltr">Hi Martin,<br>
              </div>
              <div dir="ltr"><br>
              </div>
              <div dir="ltr">Actually, up until now we had that cert
                configured in httpd and in websocket proxy. Seems that
                now in 4.0.x it&#39;s not enough, as opening the <a href="https://fqdn" target="_blank">https://fqdn</a> complains about the
                cert not being imported in the key chain. </div>
            </blockquote>
            <div><br>
              <div style="font-family:arial,helvetica,sans-serif;display:inline">​Yes,
                there&#39;s an updated procedure on using external CA in
                4.0, for details please take a look at Doc Text in<br>
                <br>
                <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1336838" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1336838</a><br>
                ​</div>
               </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
              <div dir="ltr">So I imported it via keytool, but I don&#39;t
                want to use it in the engine &lt;-&gt; VDSM
                communication.<br>
              </div>
            </blockquote>
            <div><br>
              <div style="font-family:arial,helvetica,sans-serif;display:inline">​Hmm,
                so that would imply that we have some issue with
                existing internal enigne CA during upgrade ...<br>
              </div>
              <div style="font-family:arial,helvetica,sans-serif;display:inline">The
                strange thing is that we test upgrades a lot but so far
                we haven&#39;t seen any issues which will broke<br>
              </div>
              <div style="font-family:arial,helvetica,sans-serif;display:inline">SSL
                setup between engine and VDSM. You said that you had to
                downgrade back to 3.6.7 (so unfortunately for us we
                cannot investigate your nonworking setup more), but how
                did you do that?<br>
              </div>
              <div style="font-family:arial,helvetica,sans-serif;display:inline">Removing
                all engine packages and configuration​, installing back
                3.6.7 packaging and restoring configuration form backup?<br>
              </div>
              <div style="font-family:arial,helvetica,sans-serif;display:inline">I&#39;m
                asking to know what changed in your setup between not
                working 4.0 and working 3.6.7 ...<br>
                <br>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    Indeed, those are the steps I followed to the point.<br>
    <br>
    To add more strangeness, previously to upgrading this oVirt
    infrastructure, we upgraded another one that we have (also using own
    cert, a different one but from the same CA) and everything went
    smoothly. And what&#39;s more, previously to upgrading the engine that
    failed, I created a copy of that engine machine in a sandbox
    environment to see if upgrade process would or not success, and it
    worked perfectly.<br>
    <br>
    The only difference between the sandbox and the real machine&#39;s
    process was that when upgrading the real one, the first time I run
    &quot;engine-setup&quot; it failed because &#39;systemd&#39; reported PostgreSQL as it
    was not running (actually it was, thougg), so everything rolled
    back. I had to kill the PostgreSQL process, start it again with
    systemctl and then run &quot;engine-setup&quot;, where the process completed
    successfully but the SSL issue appeared. Not sure if this rollback
    could have shattered the whole thing...<br>
    <br>
    Anyhow, tomorrow I&#39;m going to create another copy of the engine
    machine to a sandbox environment and try again. If it works I&#39;ll
    cross my fingers and give another try on the real machine...<br>
    <br>
    Thanks!<br></div></blockquote><div><br><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;display:inline">​Thanks a lot for you effort. I will try to perform same upgrade tomorrow in my test env.<br>​</div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div>
              <div style="font-family:arial,helvetica,sans-serif;display:inline">Thanks<br>
                <br>
              </div>
              <div style="font-family:arial,helvetica,sans-serif;display:inline">Martin<br>
                <br>
              </div>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
              <div dir="ltr">
              </div>
              <div dir="ltr"><br>
              </div>
              <div dir="ltr">Thanks!</div>
              <div>En 20/7/2016 2:48 p. m., Martin Perina &lt;<a href="mailto:mperina@redhat.com" target="_blank">mperina@redhat.com</a>&gt;
                escribió:<br type="attribution">
                <blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                  <div dir="ltr">
                    <div style="font-family:arial,helvetica,sans-serif">Hi,<br>
                      <br>
                    </div>
                    <div style="font-family:arial,helvetica,sans-serif">sorry
                      for late response, I overlook your reply :-(<br>
                      <br>
                    </div>
                    <div class="gmail_extra">
                      <div style="font-family:arial,helvetica,sans-serif">​I
                        looked at your logs and it seems to me that​
                        there&#39;s SSL error when engine tries to contact
                        VDSM.<br>
                      </div>
                      <div style="font-family:arial,helvetica,sans-serif;display:inline">​You
                        have mentioned that your are using your own
                        custom CA. ​Are you using it only for HTTPS
                        certificate or do you want to use it also for
                        Engine &lt;-&gt; VDSM communication?<br>
                        ​<br>
                      </div>
                      <div style="font-family:arial,helvetica,sans-serif;display:inline">Martin
                        Perina<br>
                      </div>
                      <div style="font-family:arial,helvetica,sans-serif"> <br>
                      </div>
                      <br>
                      <div class="gmail_quote">On Wed, Jul 20, 2016 at
                        9:18 AM, <span dir="ltr">&lt;<a href="mailto:nicolas@devels.es" target="_blank">nicolas@devels.es</a>&gt;</span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Any hints
                          about this?<br>
                          <br>
                          El 2016-07-13 11:13, <a href="mailto:nicolas@devels.es" target="_blank">nicolas@devels.es</a>
                          escribió:<br>
                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                            Hi,<br>
                            <br>
                            Unfortunately, upgrading to 4.0.1RC didn&#39;t
                            solve the problem.<br>
                            Actually, the error changed to &#39;General
                            SSLEngine problem&#39;, but the<br>
                            result was the same, like this:<br>
                            <br>
                            2016-07-13 09:52:22,010 INFO<br>
[org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (SSL Stomp<br>
                            Reactor) [] Connecting to /10.X.X.X<br>
                            2016-07-13 09:52:22,018 ERROR<br>
[org.ovirt.vdsm.jsonrpc.client.reactors.Reactor] (SSL Stomp Reactor)<br>
                            [] Unable to process messages: General
                            SSLEngine problem<br>
                            <br>
                            It&#39;s worth mentioning that we&#39;re using our
                            own SSL certificates (not<br>
                            self-signed), and I imported the combined
                            certificate into the<br>
                            /etc/pki/ovirt-engine/.truststore key file.
                            Not sure if related, but<br>
                            just in case.<br>
                          </blockquote>
                        </blockquote>
                        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                            <br>
                            I had to downgrade to 3.6.7. I&#39;m attaching
                            requested logs, if you need<br>
                            anything else don&#39;t hesitate to ask.<br>
                            <br>
                            Regards.<br>
                            <br>
                            El 2016-07-13 09:45, Martin Perina escribió:<br>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                              Hi,<br>
                              <br>
                              could you please share also vdsm.log from
                              your hosts and also<br>
                              server.log and setup logs from
                              /var/log/ovirt-engine/setup directory?<br>
                              <br>
                              Thanks<br>
                              <br>
                              Martin Perina<br>
                              <br>
                              On Wed, Jul 13, 2016 at 10:36 AM, &lt;<a href="mailto:nicolas@devels.es" target="_blank">nicolas@devels.es</a>&gt;
                              wrote:<br>
                              <br>
                              <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                Hi,<br>
                                <br>
                                We upgraded from 3.6.6 to 4.0.0 and we
                                have a big issue since the<br>
                                engine cannot connect to hosts. In the
                                logs all we see is this<br>
                                error:<br>
                                <br>
                                    ERROR
                                [org.ovirt.vdsm.jsonrpc.client.reactors.Reactor]
                                (SSL<br>
                                Stomp Reactor) [] Unable to process
                                messages<br>
                                <br>
                                I&#39;m attaching full logs.<br>
                                <br>
                                Could someone help please?<br>
                                <br>
                                Thanks.<br>
_______________________________________________<br>
                                Users mailing list<br>
                                <a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
                                <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a>
                                [1]<br>
                              </blockquote>
                              <br>
                              <br>
                              <br>
                              Links:<br>
                              ------<br>
                              [1] <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
                            </blockquote>
                            <br>
_______________________________________________<br>
                            Users mailing list<br>
                            <a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
                            <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
                          </blockquote>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </div>
                </blockquote>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
  </div>

</blockquote></div><br></div></div>