Hi again,
I also noticed that ca.pem was not updated -- it's still using SHA1.
I don't know if this will be an issue with remote-viewer if I wind up
refreshing the host cert?
-derek
On Sun, December 6, 2020 7:44 am, Yedidyah Bar David wrote:
On Sun, Dec 6, 2020 at 12:34 AM Derek Atkins <derek(a)ihtfp.com> wrote:
>
> Hi,
>
> I've got a single-host hosted-engine deployment that I originally
> installed with 4.0 and have upgraded over the years to 4.3.10. I and some
> of my users have upgraded remote-viewer and now I get an error when I try
> to view the console of my VMs:
>
> (remote-viewer:8252): Spice-WARNING **: 11:30:41.806:
> ../subprojects/spice-common/common/ssl_verify.c:477:openssl_verify: Error
> in server certificate verification: CA signature digest algorithm too weak
> (num=68:depth0:/O=<My Org Name>/CN=<Host's Name>)
>
> I am 99.99% sure this is because the old certs use SHA1.
>
> I reran engine-setup on the engine and it asked me if I wanted to renew
> the PKI, and I answered yes. This replaced many[1] of the certificates in
> /etc/pki/ovirt-engine/certs on the engine, but it did not update the
> Host's certificate.
Indeed.
>
> All the documentation I've seen says that to refresh this certificate I
> need to put the host into maintenance mode and then re-enroll. However I
> cannot do that, because this is a single-host system so I cannot put the
> host in local mode -- there is no place to migrate the VMs (let alone the
> Engine VM).
>
> So.... Is there a command-line way to re-enroll manually and update the
> host certs?
I don't think you'll find anything like this.
People did come up in the past with various procedures to hack pki like what
you want, but these are, generally speaking, quite fragile - usually do not
get updated over versions etc.
I am pretty certain the only way to do this using "official" tools/docs
is:
1. Stop all VMs except for the engine one.
2. Take a backup with engine-backup.
3. Stop the engine VM.
4. Reinstall the host OS from scratch or use ovirt-hosted-engine-cleanup.
5. Provision the host again as a hosted-engine host, using
'--restore-from-file'.
Either using new storage for the engine, or after cleaning up the existing
hosted-engine storage.
If you still want to try doing this manually, then the tool to use is
pki-enroll-request.sh. IIRC it's documented. You should find what keys/certs
you want to replace, generate new keys and CSRs (or use existing keys and
generate CSRs, or even use existing CSRs if you find them), copy to the
engine, sign with pki-enroll-request.sh, then copy the generated cert to the
host. I am almost certain there is no way to tell vdsm (and other processes)
to reload the certs, so you'll have to restart it (them) - and this usually
requires putting the host in maintenance (and therefore stop (migrate) all
VMs).
> Or some other way to get all the leftover certs renewed?
Which ones, specifically?
>
> Thanks,
>
> -derek
>
> [1] Not only did it not update the Host's cert, it did not update any of
> the vmconsole-proxy certs, nor the certs in /etc/pki/ovirt-vmconsole/, and
> obviously nothing in /etc/pki/ on the host itself.
AFAIR no process uses these certs as such. There are only processes that use
the ssh-format keys extracted from them, which do not include a signature
(sha1 or whatever).
If you think I am wrong, and/or notice other certs that need to be
regenerated, that's a bug - please open one. Thanks!
Re remote-viewer/spice: You didn't say if you tried again after engine-setup
and what happened. In any case, this is unrelated to vmconsole (which is for
serial consoles, using ssh). But you might still need to regenerate the host
cert.
BTW: You can try using novnc and websocket-proxy - engine-setup does update
the cert for the latter, so this might work as-is.
Best regards,
--
Didi
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com
www.ihtfp.com
Computer and Internet Security Consultant
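To answer the "which ones, specifically?" question from the engine side, here is an added example (my own code, not part of this thread and not an oVirt tool) that lists which certificates in a directory such as /etc/pki/ovirt-engine/certs still carry a SHA-1 signature, using only the standard library. It assumes the certificates are single-cert PEM files with a .cer or .pem suffix; the embedded sample DER is a constructed skeleton, not a real certificate.

```python
import base64, re
from pathlib import Path

# OID -> (name, is_sha1) for the signatureAlgorithm field of an X.509 certificate
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
}

def _tlv(buf, pos):
    """Decode one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(raw):
    """Decode DER OID contents into dotted form."""
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [val], 0
    return ".".join(map(str, parts))

def signature_algorithm(der):
    """Return (name, is_sha1) for the outer signatureAlgorithm of a DER certificate."""
    _, pos, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(der, pos)      # tbsCertificate, skipped as a whole
    _, alg_pos, _ = _tlv(der, tbs_end)  # signatureAlgorithm ::= SEQUENCE
    tag, start, end = _tlv(der, alg_pos)
    if tag != 0x06:
        raise ValueError("expected OID in signatureAlgorithm")
    dotted = _oid(der[start:end])
    return SIG_OIDS.get(dotted, (dotted, None))  # None: not classified here

def pem_to_der(text):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", text, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def sha1_certs(cert_dir):
    """Map each *.cer/*.pem in cert_dir still signed with SHA-1 to its algorithm name."""
    algs = {str(p): signature_algorithm(pem_to_der(p.read_text()))
            for p in Path(cert_dir).iterdir() if p.suffix in (".cer", ".pem")}
    return {path: name for path, (name, sha1) in algs.items() if sha1}

# Constructed sample (not a real cert): a DER skeleton whose signatureAlgorithm is sha1WithRSAEncryption.
SHA1_RSA_OID = bytes.fromhex("06092a864886f70d010105")
SAMPLE_DER = b"\x30\x18\x30\x03\x02\x01\x01\x30\x0d" + SHA1_RSA_OID + b"\x05\x00\x03\x02\x00\xab"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
```

Run `sha1_certs("/etc/pki/ovirt-engine/certs")` on the engine after engine-setup to see which files still need renewal; an empty result means every certificate in that directory already uses a stronger digest.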