Hi,

> certificate validation value in engine-setup
Do you mean expiration date on CA generated by ovirt?
Then I would look at (copied from bugzilla):
> I found two places where the lifespan is hard coded in scripts: /usr/share/ovirt-engine/bin/pki-enroll-openssh-cert.sh /usr/share/ovirt-engine/bin/pki-enroll-request.sh
But changing files provided by the package has its own issues.

Rerunning engine-setup does not affect guest VMs. It can ask you to restart/reload ovirt-manager (to read the new cert), but it should not cause any disruption to guest VMs. Only users/admins would need to re-login to the web UI.


On 4 November 2023 19:35:56 CET, LS CHENG <lsc.oraes@gmail.com> wrote:
Hi

I think I will stick with the default 398-day certificate rule. To renew the certificates automatically, I am thinking of writing a script that runs engine-setup, which will detect that the certificates are close to expiring, as follows:

    --== PKI CONFIGURATION ==--

    One or more of the certificates should be renewed, because they expire soon, or include an invalid expiry date, or they were created with validity period longer than 398 days, or do not include the subjectAltName extension, which can cause them to be rejected by recent browsers and up to date hosts.
    See https://www.ovirt.org/develop/release-management/features/infra/pki-renew/ for more details.
    Renew certificates? (Yes, No) [No]:



However, I see a couple of problems:
  1. engine-setup must be run with the offline option, because otherwise it will try to update the packages, which I want to avoid. When offline is used, will the VMs running on the KVM hosts be stopped? Can this be done online? It is a pain if every time I need to renew the certificates I have to stop the entire virtualization environment.
  2. To script this and run it as a cron job, can we run engine-setup non-interactively?

Thanks




On Sat, Nov 4, 2023 at 6:47 PM LS CHENG <lsc.oraes@gmail.com> wrote:
Hi 

Yes it is generated with engine-setup.

How do you extend the certificate validity value in engine-setup? (I am aware that browsers can have problems with long-duration certificates, as explained in https://techbeacon.com/security/google-apple-mozilla-enforce-1-year-max-security-certifications)

Thanks

On Sat, Nov 4, 2023 at 6:39 PM Matej Dujava <ovirt@kocurkovo.cz> wrote:
Hi,

By self-signed cert, do you mean the managed cert generated by oVirt itself (engine-setup)?

I found an issue https://bugzilla.redhat.com/show_bug.cgi?id=1824103 where it's mentioned that Safari (maybe other browsers too) has problems with a long self-signed CA. If it's not affecting your clients, you can change the values and regenerate the cert with engine-setup.

You can always generate the SSL cert by hand (openssl or cfssl ...) and replace it following https://www.ovirt.org/documentation/administration_guide/#Replacing_the_Manager_CA_Certificate .


On 4 November 2023 14:18:26 CET, LS CHENG <lsc.oraes@gmail.com> wrote:
Hi again

Forgot to mention that I am using self-signed certificates.

Thank you



On Sat, Nov 4, 2023 at 2:07 PM LS CHENG <lsc.oraes@gmail.com> wrote:
Hi all

I am running Oracle Linux Virtualization Manager 4.4.

The default expiration length for apache.cer and websocket-proxy.cer is 1 year. Is there a way to extend them to 10 years?

Thank you