On Thu, Oct 22, 2015 at 2:29 PM, Gianluca Cecchi <gianluca.cecchi(a)gmail.com>
wrote:
On Thu, Oct 22, 2015 at 2:15 PM, Simone Tiraboschi
<stirabos(a)redhat.com>
wrote:
>
>> 2015-10-21 17:36:33 DEBUG otopi.plugins.otopi.dialog.machine
>> dialog.__logString:219 DIALOG:SEND ### Please input VDSM certificate
>> chain that matches certificate request, top is issuer
>> 2015-10-21 17:36:33 DEBUG otopi.plugins.otopi.dialog.machine
>> dialog.__logString:219 DIALOG:SEND ###
>> 2015-10-21 17:36:33 DEBUG otopi.plugins.otopi.dialog.machine
>> dialog.__logString:219 DIALOG:SEND ### type
>> '--=451b80dc-996f-432e-9e4f-2b29ef6d1141=--' in own line to mark end,
>> '--=451b80dc-996f-ABORT-9e4f-2b29ef6d1141=--' aborts
>> 2015-10-21 17:36:33 DEBUG otopi.context context._executeMethod:156
>> method exception
>> Traceback (most recent call last):
>> File "/tmp/ovirt-xP0lq4KMou/pythonlib/otopi/context.py", line 146,
in
>> _executeMethod
>> method['method']()
>> File
>> "/tmp/ovirt-xP0lq4KMou/otopi-plugins/ovirt-host-common/vdsm/pki.py",
line
>> 319, in _misc
>> '\n\nPlease input VDSM certificate chain that '
>> File "/tmp/ovirt-xP0lq4KMou/otopi-plugins/otopi/dialog/machine.py",
>> line 207, in queryMultiString
>> v = self._readline()
>> File "/tmp/ovirt-xP0lq4KMou/pythonlib/otopi/dialog.py", line 263, in
>> _readline
>> raise IOError(_('End of file'))
>> IOError: End of file
>> 2015-10-21 17:36:33 ERROR otopi.context context._executeMethod:165
>> Failed to execute stage 'Misc configuration': End of file
>> 2015-10-21 17:36:33 DEBUG otopi.transaction transaction.abort:134
>> aborting 'Yum Transaction'
>> 2015-10-21 17:36:33 INFO otopi.plugins.otopi.packagers.yumpackager
>> yumpackager.info:95 Yum Performing yum transaction rollback
>> Loaded plugins: fastestmirror, langpacks
>>
>
> The issue seems to be there:
> we have an input request on host-deploy to have somebody explicitly
> trusting the VDSM cert chain but of course, being an automated process,
> nobody will respond and so it failed.
> Did you manually change the engine cert or some other CA cert?
>
No.
The only thing is that I first ran
hosted-engine --deploy
without putting the hostname of engine inside /etc/hosts of hypervisor and
it failed (see my first mail of the thread), I think without doing anything
(at least at engine VM level, I don't know if it created a cert...), but
generating an answer file.
And then I ran, as you suggested (with the warning you noted)
hosted-engine --deploy --config-append=answer_file
Inside the log of the first run
(ovirt-hosted-engine-setup-20151021151938-j4hy5g.log) I see
2015-10-21 15:20:13 DEBUG otopi.plugins.ovirt_hosted_engine_setup.pki.vdsmpki plugin.execute:936 execute-output: ('/bin/openssl', 'x509', '-noout', '-text', '-in', '/etc/pki/vdsm/libvirt-spice/server-cert.pem') stdout:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=EN, L=Test, O=Test, CN=TestCA
        Validity
            Not Before: Oct 21 13:20:13 2015 GMT
            Not After : Oct 20 13:20:13 2018 GMT
        Subject: C=EN, L=Test, O=Test, CN=Test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:bd:f8:d4:a0:87:9e:20:7f:71:12:8d:8e:90:e0:
...
Inside the run with the answer file
(ovirt-hosted-engine-setup-20151021170822-p1iv3y.log) I see
2015-10-21 17:08:22 DEBUG otopi.plugins.ovirt_hosted_engine_setup.pki.vdsmpki plugin.execute:936 execute-output: ('/bin/openssl', 'x509', '-noout', '-text', '-in', '/etc/pki/vdsm/libvirt-spice/server-cert.pem') stdout:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=EN, L=Test, O=Test, CN=TestCA
        Validity
            Not Before: Oct 21 13:20:13 2015 GMT
            Not After : Oct 20 13:20:13 2018 GMT
        Subject: C=EN, L=Test, O=Test, CN=Test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:bd:f8:d4:a0:87:9e:20:7f:71:12:8d:8e:90:e0:
Any particular file or section in the log files to cross check?
I can also start from scratch in case... just to be sure that I don't get
into the same problem, so that it can be useful to find it before...
I suspect that host-deploy fails because you have in place a leftover
VDSM cert from the previous attempt which is still signed by your previous
attempt's engine and so it fails to match this new engine: on the second
attempt hosted-engine-setup deployed the engine appliance again, creating a
new instance with different certs.
You could try to run on the host:
/bin/rm /etc/vdsm/vdsm.conf
/bin/rm /etc/pki/vdsm/*/*.pem
/bin/rm /etc/pki/CA/cacert.pem
/bin/rm /etc/pki/libvirt/*.pem
/bin/rm /etc/pki/libvirt/private/*.pem
vdsm-tool configure --force
systemctl restart vdsmd
then try to redeploy the host from the web UI.
The hosted-engine configuration should be kept, so it should work. To be sure,
simply reboot the host: if everything is fine the HA agent should restart
your engine VM.
Thanks,
Gianluca
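The mismatch Simone describes (a host cert still signed by the first engine's CA, while the redeployed engine has a new CA) can be checked before wiping /etc/pki/vdsm and re-running host-deploy. The script below is an added example, not part of this thread or of oVirt's own tooling: it verifies a PEM certificate against a CA file with openssl, prints issuer and fingerprint for side-by-side comparison, and, when run without arguments, builds a throwaway PKI that reproduces the leftover-cert situation. The path /etc/pki/vdsm/certs/vdsmcert.pem used as the default host cert is an assumption about the host layout; openssl must be installed.

```shell
#!/bin/sh
# Added example, not from the thread or from oVirt: check whether a VDSM
# host certificate still chains to the CA the current engine uses.
set -u

# Return 0 if CERT verifies against CAFILE, 1 if it does not,
# 2 if openssl is not available at all.
vdsm_cert_matches_ca() {
    cert="$1"
    cafile="$2"
    command -v openssl >/dev/null 2>&1 || return 2
    if openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# One line with issuer and SHA-256 fingerprint, handy for comparing the
# host cert with the one the engine expects.
cert_issuer_and_fingerprint() {
    openssl x509 -noout -issuer -fingerprint -sha256 -in "$1" | tr '\n' ' '
}

# Constructed demo PKI mirroring the thread: a host cert signed by the first
# engine's CA, plus an unrelated CA from the redeployed engine.
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    for ca in old-engine new-engine; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=oVirt-demo/CN=$ca CA" \
            -keyout "$dir/$ca-ca.key" -out "$dir/$ca-ca.pem" >/dev/null 2>&1
    done
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=oVirt-demo/CN=host1.example.com" \
        -keyout "$dir/vdsmkey.pem" -out "$dir/vdsm.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -set_serial 1 -in "$dir/vdsm.csr" \
        -CA "$dir/old-engine-ca.pem" -CAkey "$dir/old-engine-ca.key" \
        -out "$dir/vdsmcert.pem" >/dev/null 2>&1
}

# Usage: ./check_vdsm_cert.sh [CERT] ENGINE_CA   (CERT defaults to the
# assumed oVirt host path). With no arguments, run the constructed demo.
if [ "$#" -ge 1 ]; then
    cert="${2:+$1}"
    cafile="${2:-$1}"
    cert="${cert:-/etc/pki/vdsm/certs/vdsmcert.pem}"
    echo "host cert : $(cert_issuer_and_fingerprint "$cert")"
    if vdsm_cert_matches_ca "$cert" "$cafile"; then
        echo "OK: host cert chains to $cafile"
    else
        echo "MISMATCH: host cert does not chain to $cafile (leftover from an earlier deploy?)"
    fi
elif command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_demo_pki "$demo"
    echo "host cert : $(cert_issuer_and_fingerprint "$demo/vdsmcert.pem")"
    vdsm_cert_matches_ca "$demo/vdsmcert.pem" "$demo/old-engine-ca.pem" \
        && echo "old engine CA: match"
    vdsm_cert_matches_ca "$demo/vdsmcert.pem" "$demo/new-engine-ca.pem" \
        || echo "new engine CA: MISMATCH (this is the host-deploy failure case)"
    rm -rf "$demo"
fi
```

The engine's current CA can be downloaded from the engine itself at /ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA; feeding that file as ENGINE_CA tells you, before touching anything, whether the cleanup and `vdsm-tool configure --force` steps above are actually needed.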