
Hi,
back in 2015, with the first install of ovirt, I used a domain of xxxportal.com. Since the client has an xxxcentral.com wildcard certificate, I added changed the hostname and domainname, and added the cert/cacert to the apache webpage.
The pki on ovirt and vdsm (host) both still have the original xxxportal.com domain. I am looking for a way to wipe away the old domain.
Do I need to remove the host (not hosted engine), drop the datacenter/cluster, and build from a clean db?
Thanks,
Paul
-- Paul Dyer, Mercury Consulting Group, RHCE 504-302-8750

On Sat, Jul 9, 2016 at 2:35 AM, Paul Dyer <pmdyermms@gmail.com> wrote:
> Do I need to remove the host (not hosted engine), drop the datacenter/cluster, and build from a clean db?
Basically yes. See also:
https://www.ovirt.org/documentation/how-to/networking/changing-engine-hostna...
If you have lots of data in your engine (hosts, VMs etc), you might manage to keep most of it by something like this, didn't try that:
1. Shutdown all VMs and move all hosts to maintenance
2. Stop ovirt-engine service
3. mv /etc/pki/ovirt-engine /etc/pki/ovirt-engine-backup-before-recreation
4. yum reinstall ovirt-engine-backend, or copy back from above backup only these, without the files they hold (for directories), but keep owner/permissions:
   cacert.template.in
   certs
   cert.template.in
   keys
   openssl.conf
   private
   requests
5. engine-setup
   It will notice pki is removed and recreate it for you
   You might need to change admin password because it's encrypted with engine's key
6. Connect to web admin, and per host:
6.1. Right click -> Enroll Certificate
6.2. You might need Right-Click -> Reinstall
6.3. Activate
This should be enough, more-or-less. You might want, just in case, before step 6, to connect to all hosts and remove stuff under /etc/pki, but I didn't check what exactly.
Best,
-- Didi

On Sun, 2016-07-10 at 10:27 +0300, Yedidyah Bar David wrote:
> This should be enough, more-or-less. You might want, just in case, before step 6, to connect to all hosts and remove stuff under /etc/pki, but I didn't check what exactly.
> Best,
I'm wondering if all of these is necessary. I didn't do exactly this, I however added a second mod_ssl instance to the apache on a different port (with different certificates) and 3.6 worked for me without any other changes (on both ports). 4.0 did not work on different port as AAA refused to authenticate user.
David

On Tue, Jul 12, 2016 at 10:16 PM, David Jaša <djasa@redhat.com> wrote:
>>> The pki on ovirt and vdsm (host) both still have the original xxxportal.com domain. I am looking for a way to wipe away the old domain.
If this ^^^^ is the requirement, then:
>>> Do I need to remove the host (not hosted engine), drop the datacenter/cluster, and build from a clean db?
>> Basically yes. See also:
>> https://www.ovirt.org/documentation/how-to/networking/changing-engine-hostna...
> I'm wondering if all of these is necessary.
Yes, I think. If it's just to have the web admin interface use the new domain, then ovirt-engine-rename should be enough.
> I didn't do exactly this, I however added a second mod_ssl instance to the apache on a different port (with different certificates) and 3.6 worked for me without any other changes (on both ports). 4.0 did not work on different port as AAA refused to authenticate user.
Right.
Best,
-- Didi

I am not having any luck. When I get to step 5 (engine-setup), the "PKI organization" still has the old domainname???
--== CONFIGURATION PREVIEW ==--
Update Firewall : False
Host FQDN : bacchus.xxxcentral.com
Engine database secured connection : False
Engine database host : localhost
Engine database user name : engine
Engine database name : engine
Engine database port : 5432
Engine database host name validation : False
DWH database secured connection : False
DWH database host : localhost
DWH database user name : ovirt_engine_history
DWH database name : ovirt_engine_history
DWH database port : 5432
DWH database host name validation : False
Engine installation : True
*PKI organization : xxxportal.com*
DWH installation : True
Backup DWH database : True
Engine Host FQDN : bacchus.xxxcentral.com
Configure VMConsole Proxy : False
Configure WebSocket Proxy : False
-- Paul Dyer, Mercury Consulting Group, RHCE 504-302-8750

On Thu, Jul 14, 2016 at 2:58 AM, Paul Dyer <pmdyermms@gmail.com> wrote:
> I am not having any luck. When I get to step 5 (engine-setup), the "PKI organization" still has the old domainname???
You can try editing /etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf and delete the line with 'OVESETUP_PKI/organization', then try engine-setup again.
Best,
-- Didi
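The answer-file edit suggested in the message above, as an added shell example (not part of the original thread and not oVirt project code): it reports every engine-setup answer file whose stored `OVESETUP_PKI/organization` differs from the domain you expect, backs the file up, and deletes only that line. The directory and key name come from the message; the `key=str:value` line format and the function names are assumptions.

```shell
#!/bin/sh
# Added example: find and drop a stale PKI organization from engine-setup
# answer files. Directory and key name are taken from the thread; the
# "key=str:value" line format is an assumption about those files.

CONF_DIR="${CONF_DIR:-/etc/ovirt-engine-setup.conf.d}"
KEY='OVESETUP_PKI/organization'

# Print "file<TAB>value" for every answer file whose stored organization
# differs from the expected domain. Prints nothing when all are consistent.
stale_pki_org() {
    expected="$1"
    for f in "$CONF_DIR"/*.conf; do
        [ -f "$f" ] || continue
        # Strip the key and the optional type prefix (str:) to get the value.
        sed -n "s|^${KEY}=\(str:\)\{0,1\}||p" "$f" | while IFS= read -r val; do
            [ "$val" = "$expected" ] || printf '%s\t%s\n' "$f" "$val"
        done
    done
}

# Back up each affected file, then delete only the organization line.
# Echoes the number of files changed. File names are assumed to contain
# no whitespace, as is the case for the conf.d snippets named in the thread.
drop_stale_pki_org() {
    expected="$1"
    changed=0
    for f in $(stale_pki_org "$expected" | cut -f1 | sort -u); do
        # The .bak suffix keeps the copy out of the *.conf glob used above.
        cp -p "$f" "$f.bak" || return 1
        # Rewrite in place through redirection so owner and mode are kept.
        grep -v "^${KEY}=" "$f.bak" > "$f" || true
        changed=$((changed + 1))
    done
    echo "$changed"
}
```

Run `stale_pki_org xxxcentral.com` first to see which files still carry the old value, then `drop_stale_pki_org xxxcentral.com` before running engine-setup (step 5 of the procedure).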

Hi,
thanks, changing 20-setup-ovirt-post.conf fixed the PKI Organization in engine-setup.
after engine-setup completed, I was not able to login to the webportal. I needed to copy the /etc/pki/ovirt-engine-backup-before-recreation back to ovirt-engine in order to login.
The errors on the webportal were about PKI something. I didn't get a picture of it. sorry.
-- Paul Dyer, Mercury Consulting Group, RHCE 504-302-8750

On Fri, Jul 15, 2016 at 3:43 AM, Paul Dyer <pmdyermms@gmail.com> wrote:
> Hi,
> thanks, changing 20-setup-ovirt-post.conf fixed the PKI Organization in engine-setup.
> after engine-setup completed, I was not able to login to the webportal. I
With what user? admin@internal or some external directory user (or something else)?
Did you get an error message?
Do you still have logs you can/want to share?
> needed to copy the /etc/pki/ovirt-engine-backup-before-recreation back to ovirt-engine in order to login.
But didn't this partially revert your rename?
> The errors on the webportal were about PKI something. I didn't get a picture of it. sorry.
Quite likely it's still possible to find in the logs.
>>>> 5. engine-setup
>>>> It will notice pki is removed and recreate it for you
>>>> You might need to change admin password because it's encrypted with engine's key
Did you change admin password?
Best,
-- Didi

I have lost track of this during the last week. I will get some downtime and start over (following your email from before) and keep track of what happens.
Paul
-- Paul Dyer, Mercury Consulting Group, RHCE 504-302-8750
participants (3)
- David Jaša
- Paul Dyer
- Yedidyah Bar David