Thursday, 11 January
2024
Thu, 11 Jan
'24
11:55 a.m.
This is the only place we found the answer we needed concerning how to sign a host key
from the engine! Saved our bacon!
The only tweak I would make is that there were a few more destinations at the end to copy
the files into, and instead of rebooting the host we found that just restarting vdsmd and
libvirtd got everything working without any existing VMs having to stop. Here's a
complete update of what you have above intermingling some extra bits for anyone who has to
do this in the future.
If the certs on your oVirt host expire, it can be a PITA to figure out how to fix it.
It's actually simple, but takes a LOT of manual work.
Make sure every part of every script makes sense as I made some modifications as I
documented it! I do not warrant that I didn't make a mistake somewhere. :)
########### On the ENGINE HOST ###########
## Check the CA Cert on the ENGINE
openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -dates
## If it is expired, then on the ENGINE, rebuild the CA Cert with this in a script:
## NOTE: these are steps from another post I didn't need to do them -- could be
dangerous...
```
set -x ## Make the script echo everything out, so if it fails you know where
set -e ## Make the script STOP on any error
set my_date="$(date +"%Y%m%d%H%M%S")"
# Backup the existing CA files
/bin/cp -p /etc/pki/ovirt-engine/private/ca.pem
/etc/pki/ovirt-engine/private/ca.pem.$my_date
/bin/cp -p /etc/pki/ovirt-engine/ca.pem{,.$my_date}
/bin/mv /etc/pki/ovirt-engine/certs/ca.der{,.$my_date}
# Sign the key
openssl x509 -signkey /etc/pki/ovirt-engine/private/ca.pem -in
/etc/pki/ovirt-engine/ca.pem -out /etc/pki/ovirt-engine/ca.pem.new -days 3650 -sha256
openssl x509 -in /etc/pki/ovirt-engine/ca.pem.new -text >
/etc/pki/ovirt-engine/ca.pem.new.full
# Put the files into place
/bin/mv -f /etc/pki/ovirt-engine/ca.pem.new.full /etc/pki/ovirt-engine/ca.pem
/bin/cp -p /etc/pki/ovirt-engine/ca.pem.new /etc/pki/ovirt-engine/certs/ca.der
```
Now you need to copy the new CA file over to the host:
Source: ENGINE `/etc/pki/ovirt-engine/ca.pem`
Dest: HOST `/tmp/new-ca.pem`
########### On the oVirt Host ###########
# Create a CSR using the information from the existing certificate and the existing key:
openssl x509 -x509toreq -in /etc/pki/libvirt/clientcert.pem -out /tmp/HOST.csr -signkey
/etc/pki/libvirt/private/clientkey.pem
Now you need to copy the new CA file over to the host:
Source: HOST `/tmp/HOST.csr`
Dest: ENGINE `/etc/pki/ovirt-engine/requests/full.hostname.com.req`
########### On the ENGINE HOST ###########
# Now sign it:
/usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=full.hostname.com
# NB -- adding --san results in an error: --san=host.na.me (So no Subject Alternate
Names)
Now you need to copy the new Certificate file over to the host:
Source: ENGINE /etc/pki/ovirt-engine/certs/full.hostname.com.cer
Dest: HOST /tmp/new-cert.pem
########### On the oVirt Host ###########
Run this script to put the cert and CA in place. Note if you don't put a ca into
/tmp/new-ca.pem it skips that step.
```
set -x
set -e
set my_date="$(date +"%Y%m%d%H%M%S")"
for x in /etc/pki/libvirt/clientcert.pem /etc/pki/vdsm/certs/vdsmcert.pem
/etc/pki/vdsm/libvirt-migrate/server-cert.pem /etc/pki/vdsm/libvirt-spice/server-cert.pem
/etc/pki/vdsm/libvirt-vnc/server-cert.pem; do
/bin/mv -n $x ${x}.${mydate}
/bin/cp /tmp/new-cert.pem ${x}
chmod 644 ${x}
chown root:kvm ${x}
done
if -f /tmp/new-ca.pem; then
for x in /etc/pki/vdsm/libvirt-migrate/ca-cert.pem /etc/pki/vdsm/certs/cacert.pem
/etc/pki/vdsm/libvirt-vnc/ca-cert.pem /etc/pki/vdsm/libvirt-spice/ca-cert.pem
/etc/pki/CA/cacert.pem; do
/bin/mv -n $x ${x}.${mydate}
/bin/cp /tmp/new-ca.pem ${x}
chmod 644 ${x}
chown root:kvm ${x}
done
fi
```
Now you're ready to restart two vital services -- some people say "reboot the
host" -- but we found that unecessary. Running this restart was safe for us and
didn't cause any running VMs to crash or reboot -- they kept going without issue.
Once we did this, waited a few minutes, the host came back up on the engine and everything
was happy. Specifically a VM we were unable to get running was a click away from full
functionality again!
# Restart the two services affected by the key/cert changes
systemctl restart vdsmd libvirtd