following
https://access.redhat.com/solutions/3532921 solved my issue!
(needs redhat registration but it worth)
Le 13/04/2022 à 11:41, Milan Zamazal a écrit :
Nathanaël Blanchet <blanchet(a)abes.fr> writes:
> Hi,
>
> Some of my hosts came into a non responsive state since there
> certicate had expired:
>
> VDSM palomo command Get Host Capabilities failed: PKIX path validation
> failed: java.security.cert.CertPathValidatorException: validity check
> failed
>
> |openssl x509 -noout -enddate -in /etc/pki/vdsm/certs/vdsmcert.pem
> palomo notAfter=Apr 6 11:09:05 2022 GMT |
>
> The recommanded path to update certificates is to put hosts into
> maintenance and enroll certificates.
> But I can't anymore live migrate vms since the certificate is expired:
>
> 2022-04-13 10:34:12,022+0200 ERROR (migsrc/bf0f7628) [virt.vm]
> (vmId='bf0f7628-d70b-47a4-8569-5430e178f429') [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
> (migration:331)
>
>
> So is there a way to disable tls to migrate these vms so as to put the
> host into maintenance?
Do you use encrypted migrations? I think the client certificate is
verified only with encrypted migrations. You can disable encrypted
migrations in the web UI among other migration settings in cluster or VM
settings.
If it fails also with non-encrypted migrations, *maybe* removing the
client certificate could help.
If disabling encrypted migrations is not possible, you can try to set
migrate_tls_x509_verify option in /etc/libvirt/qemu.conf on the
destination host to 0 (libvirt restart may be needed to apply the
changed setting).
I guess there could be also a way to run the Ansible role for updating
the certificates manually (not recommended etc. etc. but perhaps still
useful in this case) without putting the host into the maintenance.
Just a speculation, I don’t know whether it’s actually possible and how
to do it if it is.
Regards,
Milan
> No possibility of migration would imply to stop production vms, this
> is what we absolutely don't want!
>
> Any help much appreciated.
>
> ||
--
Nathanaël Blanchet
Supervision réseau
SIRE
227 avenue Professeur-Jean-Louis-Viala
34193 MONTPELLIER CEDEX 5
Tél. 33 (0)4 67 54 84 55
Fax 33 (0)4 67 54 84 14
blanchet(a)abes.fr