To continue the troubleshooting, I believe there is mutual SSL between
ovirt-engine and host so I think what I am missing is to put this new
cert for ovirt-engine to use it as client cert auth.
But where to put it? I noticed that generating the cert does not put it
in /etc/pki/ovirt-engine/certs although I am not sure if that is
significant or not.
I tried to manually replace the cert there named hostname.cer but it
doesn't do anything.
Where do host certs need to be stored on the ovirt-engine side?
I also updated the libvirt-migrate cert which has its own key and
different CA but that didn't make a difference.

Best regards

On 10/03/2023 05:13, cen wrote:
> Hi
>
> Our VDSM certs have expired, both hosts are unassigned and can't be
> put into maintenance from UI.
>
> vdsm-client is not working, times out even with --insecure flag. Do
> host and port need to be specified when run locally or should defaults
> work?
>
>
> Error in console events is: Get Host Capabilities Failed: PKIX path
> validation failed...
>
>
> I followed a RHV guide for this exact situation and generated new vdsm
> certificate using the ovirt-engine CA.
>
> The new cert seems identical to the old one, everything matches
> (algos, extensions, CA, CN, SAN etc) just new date.
>
>
> After restarting libvirtd and vdsmd on the host with new cert in place
> the host is still not reachable.
>
> However, error message is now slightly different:
>
> get Host Capabilities failed: Received fatal error: certificate_expired
>
>
> Cert was replaced in the following locations:
>
> /etc/pki/vdsm/certs/vdsmcert.pem
>
> /etc/pki/vdsm/libvirt-spice/server-cert.pem
>
> /etc/pki/libvirt/clientcert.pem
>
>
> Is there another location missing? What else can I try?
>
>
> All help appreciated in advance
>