Hi,
On Thu, Dec 15, 2022 at 3:29 PM Vinz Vinz <vk(a)itiviti.com> wrote:
Hi Team,
we are using a custom certificate on the engine apache GUI
/etc/pki/ovirt-engine/certs/apache.cer (following
https://myhomelab.gr/linux/2020/01/20/replacing_ovirt_ssl.html)
I didn't know this doc so far, and am sorry if the doc on
ovirt.org
(linked from it) is not enough. Patches/questions/issues are welcome!
I think it makes more sense to refine and perfect the "official"
documentation than to have each of us write his own blog post with a
"patch", unless it details specific/local issues that are not relevant
for a general document but would still be useful for other people.
and it works fine. The certificate is valid for a very long period.
(Good for maintenance minimization, not so good for security. But not
the scope of current email...)
It seems the vdsm certificate (/etc/pki/vdsm/certs/vdsmcert.pem), on hosts side, has been
renewed automatically at that time, but for only one year.
"at that time", meaning by following the official doc? Or the above
link? I didn't read it, but it does not mention "vdsm".
Perhaps it wasn't exactly at that time, but due to some other
update/action/whatever? You can try to correlate the cert start time
with your (engine+vdsm) logs.
Anyway, the hosts certs were indeed made shorter at some point, but
then back longer. So it greatly depends what exact version you used
while you touched them. See also this bug, and the linked patches:
https://bugzilla.redhat.com/show_bug.cgi?id=2079835
I think the previous point was:
https://bugzilla.redhat.com/show_bug.cgi?id=1824103
Meaning: Until 4.4.2 it was 1800 days, 4.4.3 to 4.5.0.6 it was 398
days, and since 4.5.0.7 it's 1827 days.
You should see a large part of the relevant history, even if I am not
sure all of it, but checking the git log of this file, searching for
"days". I usually search a somewhat-upper subdirectory, e.g.
"packaging" - good enough when searching locally with 'git log' (and
'less'), less convenient on a browser:
https://github.com/mz-pdm/ovirt-engine/commits/master/packaging/bin/pki-e...
Now we wonder, what will happen when the vdsm certificate will expire? hosts will stop
to be in the cluster?
Not sure, I think they'll become non-responsive.
Disclaimer: I am not an expert on engine<->vdsm comm.
if yes what should we do to avoid that?
The standard approach is to move each host to maintenance, then
"Enroll Cert" from the menu, then activate.
is there a possibility to also apply our custom cert as vdsm cert?
No.
This is for ovirt 4.4 running on rhel8
If 4.4 > 4.4.3, then indeed you got 398 days. But again, this isn't
part of the apache cert replacement procedure - more likely you did
'Enroll Cert', or reinstalled, or something like that.
Good luck,
--
Didi