[ovirt-users] Re: How to recreate Ovirt CA from scratch

Hi list, during our datacenter lifetime many things changed. We moved the engine twice on different hosts with, of course, different FQDNs, and many other changes. Now we are stuck with an error when we try to upload an image to a data domain. The error is somehow bound to a failure to validate the ovirt-imageio-proxy certificate and, since the current root CA certificate is still signed with sha1WithRSAEncryption we'd like to regenerate the whole CA.

That's the steps we've done.. without success... 1) Make a tar.gz of the /etc/pki/ovirt-engine as backup 2) Create a new CA cert using the same private key: openssl req -key /etc/pki/ovirt-engine/private/ca.pem -new -x509 -days 3650 -sha256 -extensions v3_ca -out newca.cert.pem 3) Put the new CA cert in place mv ca.pem ca.pem.orig.20190219;mv newca.cert.pem ca.pem 4) Resign all the other certs names="engine apache websocket-proxy jboss imageio-proxy" for name in $names; do subject="$( openssl \ x509 \ -in /etc/pki/ovirt-engine/certs/"${name}".cer \ -noout \ -subject \ | sed \ 's;subject= \(.*\);\1;' \ )" /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh \ --name="${name}" \ --password=mypass \ --subject="${subject}" \ --keep-key done 5) Restart all the services systemctl restart httpd systemctl restart ovirt-engine systemctl restart ovirt-websocket-proxy systemctl restart ovirt-imageio-proxy The following step was to take the backup at 1) and fall back to the initial state because nothing worked as expected. There's any documented procedure about how to recreate Ovirt CA from scratch??