On Thu, Jan 13, 2022 at 4:53 PM Sandro Bonazzola <sbonazzo(a)redhat.com>
wrote:
On Thu, Jan 13, 2022 at 3:34 PM Konstantin Shalygin <
k0ste(a)k0ste.ru> wrote:
> > Is it possible to get, maybe from Postgres, the host certificate date?
> > Engine runs this check sometimes, but triggering this check seems impossible
>
> Anybody?
> @Sandro please help
>
> engine makes the check once per day and prints to the logs
> How can we run a manual check or see the info in the PostgreSQL database? This is
> required because the days until the end of the certificate's life expire;
> waiting for the next day in order to understand the result of deploying a
> new certificate is a strange situation
>
Maybe @Martin Perina <mperina(a)redhat.com> can assist?
Hi,
host certificates are not saved anywhere in the engine database, you need
to go to the host itself to find out the expiration date. There are 2
options:
1. Directly on the host after connecting via SSH you can run below
   # openssl x509 -text -noout -in /etc/pki/vdsm/certs/vdsmcert.pem | grep -A2 Validity
2. Remotely using openssl you can run below
   # openssl s_client -showcerts -connect <HOST FQDN>:54321 | openssl x509 -text -noout | grep -A2 Validity
ovirt-engine performs certificate checks every day (can be configured using
engine-config option CertificationValidityCheckTimeInHours) and it checks
not only host certificates, but also the engine certificate and the engine
CA certificate. This check produces the following records in the ovirt-engine
audit log:
1. If the certificate has already expired then below audit log ALERT is
   created depending on the type of certificate
   - *Host ${VdsName} certification has expired at ${ExpirationDate}. Please renew the host's certification.*
   - *Engine's certification has expired at ${ExpirationDate}. Please renew the engine's certification.*
   - *Engine's CA certification has expired at ${ExpirationDate}.*
2. If the certificate is going to expire in less than 7 days, then below
   audit log ALERT is created depending on the type of certificate
   - *Host ${VdsName} certification is about to expire at ${ExpirationDate}. Please renew the host's certification.*
   - *Engine's certification is about to expire at ${ExpirationDate}. Please renew the engine's certification.*
   - *Engine's CA certification is about to expire at ${ExpirationDate}.*
3. If the certificate is going to expire in less than 30 days, then below
   audit log WARNING is created depending on the type of certificate
   - *Host ${VdsName} certification is about to expire at ${ExpirationDate}. Please renew the host's certification.*
   - *Engine's certification is about to expire at ${ExpirationDate}. Please renew the engine's certification.*
   - *Engine's CA certification is about to expire at ${ExpirationDate}.*
Regards,
Martin
>
>
> Thanks,
> k
--
Sandro Bonazzola
MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV
--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
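
Added example (not part of the original messages and not ovirt-engine code): a small Python helper that reads the `grep -A2 Validity` output of either openssl command above and reports which of the three audit-log cases listed in the reply the certificate falls into right now, so a freshly deployed certificate can be judged without waiting for the daily check. The result labels, the treatment of the exact boundary instants and the sample dates are assumptions made for illustration.

```python
"""Classify a certificate's 'Not After' date with the 7-day / 30-day thresholds from the reply."""
import re
import ssl
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of what `... | grep -A2 Validity` prints (not from a real host).
SAMPLE_VALIDITY = """\
        Validity
            Not Before: Jan 12 10:00:00 2022 GMT
            Not After : Feb  5 10:00:00 2022 GMT
"""

ALERT_DAYS = 7     # "less than 7 days"  -> audit log ALERT
WARNING_DAYS = 30  # "less than 30 days" -> audit log WARNING


def parse_not_after(validity_text):
    """Return the 'Not After' timestamp from `openssl x509 -text` output as an aware UTC datetime."""
    match = re.search(r"Not After\s*:\s*(.+?)\s*$", validity_text, re.MULTILINE)
    if match is None:
        raise ValueError("no 'Not After' line found in input")
    # ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' form openssl prints.
    seconds = ssl.cert_time_to_seconds(match.group(1))
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def classify(not_after, now=None):
    """Map the remaining lifetime to one of the cases described in the reply (labels are assumed)."""
    now = now or datetime.now(timezone.utc)
    remaining = not_after - now
    if remaining <= timedelta(0):          # assumption: the expiry instant itself counts as expired
        return "ALERT: expired"
    if remaining < timedelta(days=ALERT_DAYS):
        return "ALERT: about to expire"
    if remaining < timedelta(days=WARNING_DAYS):
        return "WARNING: about to expire"
    return "OK"


if __name__ == "__main__":
    # Optional first argument: a file holding the saved `grep -A2 Validity` output.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VALIDITY
    expires = parse_not_after(text)
    print(expires.isoformat(), "->", classify(expires))
```

Save the output of either openssl command to a file and pass its path as the first argument; with no argument the constructed sample is used.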