7:25 p.m.
HI,
On Sun, December 6, 2020 7:44 am, Yedidyah Bar David wrote:
On Sun, Dec 6, 2020 at 12:34 AM Derek Atkins <derek(a)ihtfp.com>
wrote:
[snip]
> So.... Is there a command-line way to re-enroll manually and
update the
> host certs?
I don't think you'll find anything like this.
People did come up in the past with various procedure to hack pki like
what
you want, but these are, generally speaking, quite fragile - usually do
not
get updated over versions etc.
I am pretty certain the only way to do this using "official" tools/docs
is:
1. Stop all VMs except for the engine one.
2. Take a backup with engine-backup.
3. Stop the engine VM.
4. Reinstall the host OS from scratch or use ovirt-hosted-engine-cleanup.
5. Provision the host again as a hosted-engine host, using
'--restore-from-file'.
Either using new storage for the engine, or after cleaning up the existing
hosted-engine storage.
If I were to go this route I might as well upgrade to EL8 / 4.4 at the
same time. However, I would rather not do that; I consider that a very
dangerous operation, with a generally too-high probability of failure.
If you still want to try doing this manually, then the tool to use
is
pki-enroll-request.sh. IIRC it's documented. You should find what
keys/certs
you want to replace, generate new keys and CSRs (or use existing keys and
generate CSRs, or even use existing CSRs if you find them), copy to the
engine,
sign with pki-enroll-request.sh, then copy the generated cert to the host.
Thanks. I will look into this method.
I am
almost certain there is no way to tell vdsm (and other processes) to
reload
the certs, so you'll have to restart it (them) - and this usually
requires putting
the host in maintenance (and therefore stop (migrate) all VMs).
I don't mind stopping the VMs in order to reboot the host if I can plan
that. My understanding is that because there is no place to migrate the
hosted-engine, that implies even I stop all the other VMs, I still cannot
put the host into maintenance mode. Is my understanding correct?
> Or some other way to get all the leftover certs renewed?
Which ones, specifically?
I think I listed them all: <host>*.cer and vmconsole*.cer on the engine,
and of course everything on the host itself.
Does it matter that ca.der didn't change? I don't know if that is a
self-signed cert that might be problematic?
>
> Thanks,
>
> -derek
>
> [1] Not only did it not update the Host's cert, it did not update any of
> the vmconsole-proxy certs, nor the certs in /etc/pki/ovirt-vmconsole/,
> and
> obviously nothing in /etc/pki/ on the host itself.
AFAIR no process uses these certs as such. There are only processes that
use
the ssh-format keys extracted from them, which do not include a signature
(sha1 or whatever).
If you think I am wrong, and/or notice other certs that need to be
regenerated,
that's a bug - please open one. Thanks!
I have not noticed anything, yet, but I have not restarted the host or
vdsm since I re-ran engine-setup.
Re remote-viewer/spice: You didn't say if you tried again after
engine-setup
and what happened. In any case, this is unrelated to vmconsole (which is
for
serial consoles, using ssh). But you might still need to regenerate the
host
cert.
Sorry, I thought I did. Yes, I did try re-running remote-viewer after
running engine-setup. There was no change in the console.vv file (except
of course for the password and sso-token), so yes, it failed in the same
way.
Note, however, that I did not restart vdsm or the host after running
engine-setup.
BTW: You can try using novnc and websocket-proxy - engine-setup does
update
the cert for the latter, so this might work as-is.
Yes, that does work indeed, so as a short-term solution that can work for
me. I'll ask my colleague on a Mac if that works for him.
But it would be nice to get remote-viewer working, IMHO, which would
require a way to renew / refresh the host cert -- which of course would be
nice to do without having to re-install!
Thanks!!!
Best regards,
--
Didi
-derek
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant