From: ~Stack~ <i.am.stack(a)gmail.com>
To: users <users(a)ovirt.org>
Message-ID: <d0bca9f6-2251-f865-436e-9e82b24333b1(a)gmail.com>
Subject: Re: oVirt management has lost its SSL.
References: <4db29c1e-4031-aece-e736-855879c5c023(a)gmail.com>
In-Reply-To: <4db29c1e-4031-aece-e736-855879c5c023(a)gmail.com>

Greetings,

Please, I would greatly appreciate some help/feedback. I'm not sure what
else to do.

I reverted the .trustedstore to the only backup I have, and there is one
key in it. That too gets flagged by oVirt as having been tampered with
(I'm guessing oVirt added something that isn't there any more). The
password is correct as I can verify it from the oVirt config file on the
command line.

I'm out of ideas on fixing this. What happens to my oVirt hypervisors
and VM's if I rebuild the management engine host from scratch?

Thanks!
~Stack~

On 11/02/2017 04:18 PM, ~Stack~ wrote:
> Greetings,
>
> OS: Scientific Linux 7.4
> oVirt: 4.1
> Everything fully updated.
>
> Everything was working great. I received my new network card today to
> upgrade my ovirt management node (physical node; not self-hosted), took
> the machine down, swapped the card, and brought it up to many many
> errors.
>
> Here's the basic break-down of my discoveries.
>
> 1) My /etc/pki/ovirt-engine/.trustedstore was corrupt. I had lots of
> messages in my engine.log about it being corrupt. Restored from backup,
> and oVirt engine was really peeved for not having my domain cert in it
> (tons of messages in the engine.log file)...figured out how to add my
> domain cert and it seemed OK. Which led me to...
>
> 2) My /etc/pki/ovirt-engine/keys/engine.p12 and
> /etc/pki/ovirt-engine/keys/apache.p12 are _gone_. Don't have them in my
> backups either. This results in a massive java dump when I try to start
> the engine service.
>
> 3) I noticed that I had
> /etc/pki/ovirt-engine/keys/engine.p12.201711021302 which is a time stamp
> corresponding to when I shut the node down. Then I noticed, that I was
> missing dang near EVERY file in /etc/pki/ovirt-engine but I had an
> equivalent file with the ".201711021302" extension. So a touch of bash
> and I copied all of my "*.201711021302" files with the proper
> user/group/permissions into their base name. Hooray! No more errors in
> the log files and all services start!!
>
> 4) I open my web browser and head to my management host...and I get this
> error:
> Keystore was tampered with, or password was incorrect
>
> Well...yeah. I had to fix it in step one. :-/
>
> I'm not getting anything useful out of my Internet searching. I don't
> know what went wrong or why, but my SSL is just borked.
>
> Any suggestions? Thoughts? Ideas?
>
> Is there a way to just blow away and start over with the SSL _without_
> destroying the VM's (which fortunately they all seem to still be
> functional!)?
>
> Any help would be greatly appreciated.
> Thanks!
> ~Stack~