[ovirt-users] Re: Error virNetTLSContextLoadCertFromFile after upgrade from oVirt 4.2 to 4.3.4

On Tue, Jun 25, 2019 at 12:28 PM Stefano Danzi <s.danzi(a)hawai.it&gt; wrote: > > > > Il 25/06/2019 10:08, Yedidyah Bar David ha scritto: > > On Tue, Jun 25, 2019 at 10:26 AM Stefano Danzi <s.danzi(a)hawai.it&gt; wrote: > >> > >> > >> Il 25/06/2019 08:27, Yedidyah Bar David ha scritto: > >>> On Mon, Jun 24, 2019 at 7:56 PM Stefano Danzi <s.danzi(a)hawai.it&gt; wrote: > >>>> I've found that this issue is related to: > >>>> > >>>> https://bugzilla.redhat.com/show_bug.cgi?id=1648190 > >>> Are you sure? > >>> > >>> That bug is about an old cert, generated by an old version, likely > >>> before we fixed bug 1210486 (even though it's not mentioned in above > >>> bug). > >> Yes! Malformed "Not Before" date/time in certs > >> > >>>> But i've no idea how fix it.... > >>>> > >>>> Il 24/06/2019 18:19, Stefano Danzi ha scritto: > >>>>> I've just upgraded my test environment from ovirt 4.2 to 4.3.4. > >>> Was it installed as 4.2, or upgraded? From which first version? > >> I don't remember the first installed version. Maybe 4.0... I always > >> upgraded the original installation. > >> > >>>>> System has only one host (Centos 7.6.1810) and run a self hosted engine. > >>>>> > >>>>> After upgrade I'm not able to run vdsmd (and so hosted engine....) > >>>>> > >>>>> Above the error in log: > >>>>> > >>>>>    journalctl -xe > >>>>> > >>>>> -- L'unità libvirtd.service ha iniziato la fase di avvio. > >>>>> giu 24 18:09:17 ovirt01.hawai.lan libvirtd[8176]: 2019-06-24 > >>>>> 16:09:17.006+0000: 8176: info : libvirt version: 4.5.0, package: > >>>>> 10.el7_6.12 (CentOS BuildSystem <http://bugs.centos.org>;, > >>>>> 2019-06-20-15:01:15, x86-01.bsys. > >>>>> giu 24 18:09:17 ovirt01.hawai.lan libvirtd[8176]: 2019-06-24 > >>>>> 16:09:17.006+0000: 8176: info : hostname: ovirt01.hawai.lan > >>>>> giu 24 18:09:17 ovirt01.hawai.lan libvirtd[8176]: 2019-06-24 > >>>>> 16:09:17.006+0000: 8176: error : virNetTLSContextLoadCertFromFile:513 > >>>>> : Unable to import server certificate /etc/pki/vdsm/certs/vdsmcert.pem > >>> Did you check this file? Does it exist? > >>> > >>> ls -l /etc/pki/vdsm/certs/vdsmcert.pem > >>> > >>> Can vdsm user read it? > >>> > >>> su - vdsm -s /bin/bash -c 'cat /etc/pki/vdsm/certs/vdsmcert.pem > /dev/null' > >>> > >>> Please check/share output of: > >>> > >>> openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -text > >>> > >>> Thanks and best regards, > >> vdsm can read vdsmcert. The problem is "Not Before" date: > >> > >> [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in > >> /etc/pki/vdsm/certs/vdsmcert.pem -text' > >> Certificate: > >>       Data: > >>           Version: 3 (0x2) > >>           Serial Number: 4102 (0x1006) > >>       Signature Algorithm: sha1WithRSAEncryption > >>           Issuer: C=US, O=hawai.lan, CN=ovirtbk-sheng.hawai.lan.63272 > >>           Validity > >>               Not Before: Feb  4 08:36:07 2015 > >>               Not After : Feb  4 08:36:07 2020 GMT > >> [CUT] > >> > >> > >> [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in > >> /etc/pki/vdsm/certs/cacert.pem -text' > >> Certificate: > >>       Data: > >>           Version: 3 (0x2) > >>           Serial Number: 4096 (0x1000) > >>       Signature Algorithm: sha1WithRSAEncryption > >>           Issuer: C=US, O=hawai.lan, CN=ovirtbk-sheng.hawai.lan.63272 > >>           Validity > >>               Not Before: Feb  4 00:06:25 2015 > >>               Not After : Feb  2 00:06:25 2025 GMT > >> > > OK :-( > > > > So it will be rather difficult to fix. > > > > You should have been prompted by engine-setup long ago to renew PKI, > > weren't you? And when you did, didn't you have to reinstall (or Re- > > Enroll Certificates, in later versions) all hosts? > > I don't remember to ever seen a question about this during engine-setup, > but it could be. > In /etc/pki/vdsm/certs/ I can see an old cert and ca with subjet: > > [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in > /etc/pki/vdsm/certs/cacert.pem.20150205093608 -text' > Certificate: >      Data: >          Version: 3 (0x2) >          Serial Number: 1423056193 (0x54d21d41) >      Signature Algorithm: sha256WithRSAEncryption >          Issuer: CN=VDSM Certificate Authority >          Validity >              Not Before: Feb  4 13:23:13 2015 GMT >              Not After : Feb  4 13:23:13 2016 GMT >          Subject: CN=VDSM Certificate Authority >          Subject Public Key Info: > > [CUT] > > [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in > /etc/pki/vdsm/certs/vdsmcert.pem.20150205093609 -text' > Certificate: >      Data: >          Version: 3 (0x2) >          Serial Number: 1423056193 (0x54d21d41) >      Signature Algorithm: sha256WithRSAEncryption >          Issuer: CN=VDSM Certificate Authority >          Validity >              Not Before: Feb  4 13:23:13 2015 GMT >              Not After : Feb  4 13:23:13 2016 GMT >          Subject: CN=ovirt01.hawai.lan, O=VDSM Certificate >          Subject Public Key Info: >              Public Key Algorithm: rsaEncryption > > > I think that was certs made during first hosted engine installation. > Could it work if I manually create certs like this? > Just to start libvirtd, vdsm and hosted-engine. I think it's worth a try. Just create a self-signed CA, a keypair signed by it, and place them correctly, should work. The engine won't be able to talk with the host, but you can then more easily reinstall/re-enroll-certs. Good luck, -- Didi _______________________________________________ Users mailing list -- users(a)ovirt.org To unsubscribe send an email to users-leave(a)ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/LBD33ESAF53...