Following the above, I was seeing that the OVN provider connectivity test was
failing due to some certificate issue and had to do the following to fix
it:
names="ovirt-provider-ovn"
subject="$(\
    openssl x509 \
        -in /etc/pki/ovirt-engine/certs/apache.cer \
        -noout \
        -subject | \
    sed \
        's;subject= \(.*\);\1;'
)"
. /usr/share/ovirt-engine/bin/engine-prolog.sh
for name in $names; do
    /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh \
        --name="${name}" \
        --password=mypass \
        --subject="${subject}" \
        --keep-key \
        --san=DNS:"${ENGINE_FQDN}"
done
Having fixed the above, when trying to connect two VMs on some OVN logical
switches it seems they are not able to reach each other.
I had previously added such logical switches at engine by running:
ovn-nbctl ls-add ovn-net0
ovn-nbctl ls-add ovn-net1
etc.
Checking the logs at the host /var/log/openvswitch/ovsdb-server.log I see:
reconnect|WARN|unix#45: connection dropped (Connection reset by peer)
Also systemctl status ovirt-provider-ovn.service at engine shows:
/usr/lib/python2.7/site-packages/urllib3/connection.py:344:
SubjectAltNameWarning:...
I have restarted at engine both engine and ovn services:
systemctl restart ovirt-engine
systemctl status ovirt-provider-ovn.service
I have also restarted the relevant service at each host:
systemctl restart ovn-controller.service
When running the following at the host, it gets stuck and does not give any output:
ovn-sbctl show
I see that the certificate is imported at the key-store as it has the same
fingerprint as the previous root CA:
keytool -list -alias ovirt-provider-ovn \
    -keystore /var/lib/ovirt-engine/external_truststore
At this same cluster, I had previously changed the domain name of each host
and engine using the rename tool.
And now replaced the certificates as previously described so as to fix
the imageio cert issue and the OVN issue.
It seems that OVN is not happy with the status of certificates.
When testing the connection at the engine GUI I get a prompt to trust the cert, and
when pressing OK I get a green confirmation of a successful connection.
Is there anything else that can be done to fix OVN functionality?
Thanx
Alex
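Added example, not from the thread or from oVirt: a small checker for the two certificate properties this thread trips over, whether the engine's Apache certificate chains to the CA placed in the trust store (the "PKIX path building failed" error quoted below) and whether its subjectAltName names the engine FQDN (the SubjectAltNameWarning above; a CSR made with a bare `openssl req -new` carries no SAN and `x509 -req` adds none on its own). The CA, keys and certificates it runs against are constructed throwaways; `manager.lab.local` is the FQDN from the thread, and the demo paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a replacement engine certificate for
# the two failures the thread hits: PKIX path building (is the cert signed by
# the CA placed in the trust store?) and SubjectAltNameWarning (does the SAN
# name the engine FQDN?). Usage: check_engine_cert <cert.pem> <ca.pem> <fqdn>
check_engine_cert() {
    cert="$1"; ca="$2"; fqdn="$3"; rc=0
    # Same test the Java PKIX path builder does against the trust store.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "chain: OK ($cert chains to $ca)"
    else
        echo "chain: FAIL ($cert does not chain to $ca)"; rc=1
    fi
    # urllib3 and browsers match the hostname against subjectAltName, not CN.
    sans="$(openssl x509 -in "$cert" -noout -text \
            | grep -A1 'Subject Alternative Name' || true)"
    case "$sans" in
        *"DNS:$fqdn"*) echo "san: OK (DNS:$fqdn present)" ;;
        *) echo "san: FAIL (no DNS:$fqdn in subjectAltName)"; rc=1 ;;
    esac
    # CA fingerprint, to compare with 'keytool -list' on the external_truststore.
    echo "ca fingerprint: $(openssl x509 -in "$ca" -noout -fingerprint -sha256 | sed 's/^.*=//')"
    return $rc
}

# Constructed demo material: a throwaway root CA plus two leaf certs for the same
# CSR, one signed with a subjectAltName and one without (a CSR made with a bare
# 'openssl req -new' carries no SAN, and 'x509 -req' adds none by itself).
make_demo_certs() {
    dir="$1"; fqdn="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.pem" -days 1 -subj "/CN=Demo Root CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/engine.key" \
        -out "$dir/engine.csr" -subj "/CN=$fqdn" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/engine.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$dir/san.cnf" -out "$dir/with-san.crt" 2>/dev/null
    openssl x509 -req -in "$dir/engine.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1 -sha256 -out "$dir/no-san.crt" 2>/dev/null
}

# Demo run on the constructed certs; on a real engine point the checker at
# /etc/pki/ovirt-engine/certs/apache.cer and /etc/pki/ovirt-engine/apache-ca.pem.
demo="$(mktemp -d)"
make_demo_certs "$demo" manager.lab.local
check_engine_cert "$demo/with-san.crt" "$demo/root.pem" manager.lab.local
check_engine_cert "$demo/no-san.crt" "$demo/root.pem" manager.lab.local || true
rm -rf "$demo"
```

The second demo call fails only on the SAN check, which is the situation engine-setup reports as a missing subjectAltName.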
On Thu, Nov 19, 2020 at 9:00 AM Alex K <rightkicktech(a)gmail.com> wrote:
Seems that all services (imageio, ovn, web socket) are fine after
following the above and importing the new self signed CA certificate.
Did also run engine-setup as I was trying to fix the imageio cert issue,
though it seems that was only fixed after importing the CA cert at the
browser and engine-setup might not be needed.
On Wed, Nov 18, 2020 at 3:07 PM Alex K <rightkicktech(a)gmail.com> wrote:
> Seems I had a typo at
> /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf.
> I will repeat the test to verify that all services are functional
> following this process.
>
> On Wed, Nov 18, 2020 at 10:24 AM Alex K <rightkicktech(a)gmail.com> wrote:
>
>> Hi all,
>>
>> I am trying to replace the ovirt certificate at ovirt 4.3 following
>> this:
>>
>> https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/...
>>
>> I am doing the following:
>> I have engine FQDN: manager.lab.local
>>
>> 1. Create root CA private key:
>> openssl genrsa -des3 -out root.key 2048
>>
>> 2. Generate root certificate: (enter passphrase of root key)
>> openssl req -x509 -new -nodes -key root.key -sha256 -days 3650 \
>>     -out root.pem
>> cp root.pem /tmp
>>
>> 3. Create key and CSR for engine:
>> openssl genrsa -out manager.lab.local.key 2048
>> openssl req -new -out manager.lab.local.csr -key manager.lab.local.key
>>
>> 4. Generate a certificate for engine and sign with the root CA key:
>>
>> openssl x509 -req -in manager.lab.local.csr \
>> -CA root.pem \
>> -CAkey root.key \
>> -CAcreateserial \
>> -out manager.lab.local.crt \
>> -days 3650 \
>> -sha256 \
>> -extensions v3_req
>>
>> 5. Verify the trust chain and check the certificate details:
>> openssl verify -CAfile root.pem manager.lab.local.crt
>> openssl x509 -text -noout -in manager.lab.local.crt | head -15
>>
>> 6. Generate a P12 container: (with empty password)
>> openssl pkcs12 -export -out /tmp/apache.p12 \
>> -inkey manager.lab.local.key \
>> -in manager.lab.local.crt
>>
>> 8. Export key and cert:
>> openssl pkcs12 -in apache.p12 -nocerts -nodes > /tmp/apache.key
>> openssl pkcs12 -in apache.p12 -nokeys > /tmp/apache.cer
>>
>> From the above steps we should have the following:
>>
>> /tmp/root.pem
>> /tmp/apache.p12
>> /tmp/apache.key
>> /tmp/apache.cer
>>
>> 9. Place the certificates:
>> hosted-engine --set-maintenance --mode=global
>> cp -p /etc/pki/ovirt-engine/keys/apache.p12 /tmp/apache.p12.bck
>> cp /tmp/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12
>> cp /tmp/root.pem /etc/pki/ca-trust/source/anchors
>> update-ca-trust
>> rm /etc/pki/ovirt-engine/apache-ca.pem
>> cp /tmp/root.pem /etc/pki/ovirt-engine/apache-ca.pem
>>
>> Backup existing key and cert:
>> cp /etc/pki/ovirt-engine/keys/apache.key.nopass \
>>     /etc/pki/ovirt-engine/keys/apache.key.nopass.bck
>> cp /etc/pki/ovirt-engine/certs/apache.cer \
>>     /etc/pki/ovirt-engine/certs/apache.cer.bck
>> cp /tmp/apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass
>> cp /tmp/apache.cer /etc/pki/ovirt-engine/certs/apache.cer
>> chown root:ovirt /etc/pki/ovirt-engine/keys/apache.key.nopass
>> chmod 640 /etc/pki/ovirt-engine/keys/apache.key.nopass
>> systemctl restart httpd.service
>>
>> 10. Create a new trust store configuration file:
>> vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>>
>> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
>> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
>>
>> 11. Edit /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf :
>> vi /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>
>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>
>> 12. Edit /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf:
>> vi /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
>>
>> # Key file for SSL connections
>> ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
>> # Certificate file for SSL connections
>> ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer
>>
>> 13. Import the certificate at system-wide java trust store
>>
>> update-ca-trust extract
>> keytool -list -alias ovirt -keystore /etc/pki/java/cacerts
>>
>> 14. Restart services:
>> systemctl restart httpd.service
>> systemctl restart ovirt-provider-ovn.service
>> systemctl restart ovirt-imageio-proxy
>> systemctl restart ovirt-websocket-proxy
>> systemctl restart ovirt-engine.service
>>
>> Following the above I get at engine GUI:
>>
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>> valid certification path to requested target
>>
>> I have tried also to run engine-setup in case it could fix anything (it
>> renewed the cert due to missing subjectAltName), and the above error still
>> persists.
>> I have tried several other suggestions from similar issues reported at
>> this list without any luck.
>> I have run out of ideas. Am I missing anything?
>> Thanx for any suggestions.
>> Alex
>>
>