
I checked the .truststore on the ovirt engine, and it seems fine.

[root@reliant ovirt-engine]# ls -l .truststore
-rwxr-x---. 1 ovirt ovirt 918 Apr 6 21:56 .truststore

It's not zero bytes anyway. It's also the same size as the .truststore in the ovirt engine backups.

[root@reliant ovirt-engine-backups]# find ./ -name .truststore -exec ls -l {} \;
-rwxr-x---. 1 ovirt ovirt 918 Aug 26 2012 ./ovirt-engine-2013_03_23_03_09_09/ovirt-engine/.truststore
-rwxr-x---. 1 root root 918 Mar 24 12:42 ./ovirt-engine-2013_03_24_11_15_19/ovirt-engine-2013_03_23_03_09_09/ovirt-engine/.truststore

I haven't looked at the installCA.sh script yet.

On Mon, Apr 8, 2013 at 2:58 AM, Alon Bar-Lev <alonbl@redhat.com> wrote:
This error means that the /etc/pki/ovirt-engine/.truststore is unreadable or does not contain the /etc/pki/ovirt-engine/ca.pem certificate.
Unfortunately, the PKI administration is weak in the current implementation. You can trace the installation script and check out the calls to installCA.sh to see how to reproduce it. Please note that passwords are encrypted in the database using the private key located in .keystore, so if you are going to re-generate anything, remember to keep the engine private key.
However, if you succeed in login, the remaining problem you have is the .truststore permissions and/or content.
Regards, Alon Bar-Lev.
----- Original Message -----
From: "Chris Smith" <whitehat237@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: Users@ovirt.org
Sent: Monday, April 8, 2013 9:46:46 AM
Subject: Re: [Users] Certificates and PKI seem to be broken after yum update
After setting the .keystore owner and group owner to ovirt, and rebooting, I now have a new error in engine.log
2013-04-08 02:39:16,787 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-95) Failed to decryptData must start with zero
2013-04-08 02:39:16,845 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand] (QuartzScheduler_Worker-95) XML RPC error in command GetCapabilitiesVDS ( Vds: transporter ), the error was: java.util.concurrent.ExecutionException: java.lang.reflect.InvocationTargetException, SunCertPathBuilderException: unable to find valid certification path to requested target
Are there other files that may have been affected that I can also correct ownership or permissions on?
On the host side, I get certificate unknown in vdsm.log
  File "/usr/lib64/python2.7/ssl.py", line 305, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Thread-757809::ERROR::2013-04-08 02:44:05,424::SecureXMLRPCServer::73::root::(handle_error) client ('172.16.23.8', 54489)
Traceback (most recent call last):
  File "/usr/lib64/python2.7/SocketServer.py", line 582, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/site-packages/vdsm/SecureXMLRPCServer.py", line 66, in finish_request
    request.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 305, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Is there a procedure for just re-establishing PKI and certs for the engine and hosts?
On Sun, Apr 7, 2013 at 4:58 AM, Alon Bar-Lev <alonbl@redhat.com> wrote:
OK... you are running a very old version of engine (3.1).
The upgrade did not upgrade to 3.2, so nothing, as far as I know, should have been changed.
But the .keystore is owned by root now, so some other package (maybe selinux-policy) changed permissions...
The simplest way to test is to:

# cp -a /etc/pki/ovirt-engine /etc/pki/ovirt-engine.backup1
# chown -R ovirt:ovirt /etc/pki/ovirt-engine

But if that file's permissions were changed, I can only assume other files were also changed...
Regards, Alon
----- Original Message -----
From: "Chris Smith" <whitehat237@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: Users@ovirt.org
Sent: Sunday, April 7, 2013 11:51:17 AM
Subject: Re: [Users] Certificates and PKI seem to be broken after yum update
I did a yum update and rebooted.
engine-upgrade was run on 24-March.
When run now, it states that there are no updates available.

[root@reliant ~]# engine-upgrade
Loaded plugins: versionlock
Checking for updates... (This may take several minutes)
No updates available
[root@reliant ovirt-engine]# cat ovirt-engine-upgrade_2013_03_24_12_04_06.log
2013-03-24 12:04:06::DEBUG::common_utils::585::root:: found existing pgpass file, fetching DB host value
2013-03-24 12:04:06::DEBUG::common_utils::585::root:: found existing pgpass file, fetching DB port value
2013-03-24 12:04:06::DEBUG::common_utils::585::root:: found existing pgpass file, fetching DB admin value
2013-03-24 12:04:07::DEBUG::engine-upgrade::302::root:: Yum list updates started
2013-03-24 12:04:07::DEBUG::engine-upgrade::273::root:: Yum unlock started
2013-03-24 12:04:07::DEBUG::engine-upgrade::285::root:: Yum unlock completed successfully
2013-03-24 12:04:07::DEBUG::engine-upgrade::308::root:: Getting list of packages to upgrade
2013-03-24 12:04:27::DEBUG::engine-upgrade::260::root:: Yum lock started
2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing command --> '/bin/rpm -q ovirt-engine'
2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output = ovirt-engine-3.1.0-4.fc17.noarch
2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing command --> '/bin/rpm -q ovirt-engine-backend'
2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output = ovirt-engine-backend-3.1.0-4.fc17.noarch
2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing command --> '/bin/rpm -q ovirt-engine-config'
2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output = ovirt-engine-config-3.1.0-4.fc17.noarch
2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing command --> '/bin/rpm -q ovirt-engine-genericapi'
2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output = ovirt-engine-genericapi-3.1.0-4.fc17.noarch
2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing command --> '/bin/rpm -q ovirt-engine-notification-service'
2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output = ovirt-engine-notification-service-3.1.0-4.fc17.noarch
2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing command --> '/bin/rpm -q ovirt-engine-restapi'
2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output = ovirt-engine-restapi-3.1.0-4.fc17.noarch
2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing command --> '/bin/rpm -q ovirt-engine-tools-common'
2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output = ovirt-engine-tools-common-3.1.0-4.fc17.noarch
2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing command --> '/bin/rpm -q ovirt-engine-userportal'
2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output = ovirt-engine-userportal-3.1.0-4.fc17.noarch
2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing command --> '/bin/rpm -q ovirt-engine-webadmin-portal'
2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output = ovirt-engine-webadmin-portal-3.1.0-4.fc17.noarch
2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
2013-03-24 12:04:27::DEBUG::common_utils::286::root:: cmd = /bin/rpm -q ovirt-engine ovirt-engine-backend ovirt-engine-config ovirt-engine-genericapi ovirt-engine-notification-service ovirt-engine-restapi ovirt-engine-tools-common ovirt-engine-userportal ovirt-engine-webadmin-portal >> /etc/yum/pluginconf.d/versionlock.list
2013-03-24 12:04:28::DEBUG::common_utils::291::root:: output =
2013-03-24 12:04:28::DEBUG::common_utils::292::root:: stderr =
2013-03-24 12:04:28::DEBUG::common_utils::293::root:: retcode = 0
2013-03-24 12:04:28::DEBUG::engine-upgrade::270::root:: Yum lock completed successfully
2013-03-24 12:04:28::DEBUG::engine-upgrade::320::root:: No packages marked for update
2013-03-24 12:04:28::DEBUG::engine-upgrade::324::root:: Installed packages:
2013-03-24 12:04:28::DEBUG::engine-upgrade::325::root:: ['ovirt-engine-3.1.0-4.fc17.noarch', 'ovirt-engine-backend-3.1.0-4.fc17.noarch', 'ovirt-engine-config-3.1.0-4.fc17.noarch', 'ovirt-engine-dbscripts-3.1.0-4.fc17.noarch', 'ovirt-engine-genericapi-3.1.0-4.fc17.noarch', 'ovirt-engine-notification-service-3.1.0-4.fc17.noarch', 'ovirt-engine-restapi-3.1.0-4.fc17.noarch', 'ovirt-engine-setup-3.1.0-4.fc17.noarch', 'ovirt-engine-tools-common-3.1.0-4.fc17.noarch', 'ovirt-engine-userportal-3.1.0-4.fc17.noarch', 'ovirt-engine-webadmin-portal-3.1.0-4.fc17.noarch', 'ovirt-image-uploader-3.1.0-0.git9c42c8.fc17.noarch', 'ovirt-iso-uploader-3.1.0-0.git1841d9.fc17.noarch', 'ovirt-log-collector-3.1.0-0.git10d719.fc17.noarch', 'vdsm-bootstrap-4.10.0-13.fc17.noarch']
2013-03-24 12:04:28::DEBUG::engine-upgrade::327::root:: Yum list updated completed successfully
2013-03-24 12:04:28::DEBUG::engine-upgrade::609::root:: No updates available
Here's what's installed.
[root@reliant yum.repos.d]# yum list installed | grep ovirt
ovirt-engine.noarch                        3.1.0-4.fc17              @ovirt-stable
ovirt-engine-backend.noarch                3.1.0-4.fc17              @ovirt-stable
ovirt-engine-cli.noarch                    3.2.0.5-1.fc17            @updates
ovirt-engine-config.noarch                 3.1.0-4.fc17              @ovirt-stable
ovirt-engine-dbscripts.noarch              3.1.0-4.fc17              @ovirt-stable
ovirt-engine-genericapi.noarch             3.1.0-4.fc17              @ovirt-stable
ovirt-engine-notification-service.noarch   3.1.0-4.fc17              @ovirt-stable
ovirt-engine-restapi.noarch                3.1.0-4.fc17              @ovirt-stable
ovirt-engine-sdk.noarch                    3.2.0.2-1.fc17            @updates
ovirt-engine-setup.noarch                  3.1.0-4.fc17              @ovirt-stable
ovirt-engine-tools-common.noarch           3.1.0-4.fc17              @ovirt-stable
ovirt-engine-userportal.noarch             3.1.0-4.fc17              @ovirt-stable
ovirt-engine-webadmin-portal.noarch        3.1.0-4.fc17              @ovirt-stable
ovirt-image-uploader.noarch                3.1.0-0.git9c42c8.fc17    @ovirt-stable
ovirt-iso-uploader.noarch                  3.1.0-0.git1841d9.fc17    @ovirt-stable
ovirt-log-collector.noarch                 3.1.0-0.git10d719.fc17    @ovirt-stable
ovirt-release-fedora.noarch                4-2                       @/ovirt-release-fedora.noarch
On Sun, Apr 7, 2013 at 2:16 AM, Alon Bar-Lev <alonbl@redhat.com> wrote:
How exactly did you upgrade?
Usually yum upgrade will not touch the ovirt-engine packages, as they are in yum version lock. From which version to which version have you upgraded? Have you run the engine-upgrade utility? If you did not, please run it. If you did, please attach the logs from /var/log/ovirt-engine/ovirt-engine-upgrade*
Thanks!
----- Original Message -----
From: "Chris Smith" <whitehat237@gmail.com>
To: Users@ovirt.org
Sent: Sunday, April 7, 2013 5:09:46 AM
Subject: [Users] Certificates and PKI seem to be broken after yum update
I have lost the ability to manage the hosts or VMs using the ovirt engine web interface after performing yum update on the ovirt-engine host and on one Fedora 17 host. The data center is offline, and I can't place the hosts into maintenance mode. I don't think that there are any actions I can perform in the web interface at all.
From the logs it seems that PKI is broken between the engine and the hosts.
I am wondering how I can restore or re-generate all of the certificates and get the hosts communicating with the ovirt-engine again so that I can bring the data center back online.
I found this page which deals with changing the engine hostname, and thus re-creating the certificates and keystore on the ovirt-engine node, and was wondering if this could help. Could I follow this process but keep the same hostname for the ovirt-engine node?
http://wiki.ovirt.org/How_to_change_engine_host_name
Currently I have 3 VMs running on two hosts. The VMs are up, but I can't do anything with them in ovirt-engine.
Here's the latest activity from engine.log from the ovirt-engine node:
2013-04-06 21:58:47,472 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-61) Failed to decryptjava.io.FileNotFoundException: /etc/pki/ovirt-engine/.keystore (Permission denied)
2013-04-06 21:58:47,478 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-62) Can't load keystore from file "/etc/pki/ovirt-engine/.keystore".: java.io.FileNotFoundException: /etc/pki/ovirt-engine/.keystore (Permission denied)
    at java.io.FileInputStream.open(Native Method) [rt.jar:1.7.0_09-icedtea]
    at java.io.FileInputStream.<init>(FileInputStream.java:138) [rt.jar:1.7.0_09-icedtea]
    at org.ovirt.engine.core.engineencryptutils.EncryptionUtils.getKeyStore(EncryptionUtils.java:214) [engine-encryptutils.jar:]
    at org.ovirt.engine.core.engineencryptutils.EncryptionUtils.decrypt(EncryptionUtils.java:139) [engine-encryptutils.jar:]
    at org.ovirt.engine.core.dao.VdsStaticDAODbFacadeImpl.decryptPassword(VdsStaticDAODbFacadeImpl.java:139) [engine-dal.jar:]
    at org.ovirt.engine.core.dao.VdsDAODbFacadeImpl$VdsRowMapper.mapRow(VdsDAODbFacadeImpl.java:253) [engine-dal.jar:]
    at org.ovirt.engine.core.dao.VdsDAODbFacadeImpl$VdsRowMapper.mapRow(VdsDAODbFacadeImpl.java:169) [engine-dal.jar:]
    at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:92) [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
    at org.springframework.jdbc.core.JdbcTemplate$1.doInPreparedStatement(JdbcTemplate.java:653) [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
    at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:591) [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:641) [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:670) [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:702) [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
    at org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall.executeCallInternal(PostgresDbEngineDialect.java:155) [engine-dal.jar:]
    at org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall.doExecute(PostgresDbEngineDialect.java:121) [engine-dal.jar:]
    at org.springframework.jdbc.core.simple.SimpleJdbcCall.execute(SimpleJdbcCall.java:164) [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
    at org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeImpl(SimpleJdbcCallsHandler.java:124) [engine-dal.jar:]
    at org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeReadAndReturnMap(SimpleJdbcCallsHandler.java:75) [engine-dal.jar:]
    at org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeReadList(SimpleJdbcCallsHandler.java:66) [engine-dal.jar:]
    at org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeRead(SimpleJdbcCallsHandler.java:58) [engine-dal.jar:]
    at org.ovirt.engine.core.dao.VdsDAODbFacadeImpl.get(VdsDAODbFacadeImpl.java:36) [engine-dal.jar:]
    at org.ovirt.engine.core.dao.VdsDAODbFacadeImpl.get(VdsDAODbFacadeImpl.java:31) [engine-dal.jar:]
    at org.ovirt.engine.core.vdsbroker.VdsManager$1.runInTransaction(VdsManager.java:219) [engine-vdsbroker.jar:]
    at org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInSuppressed(TransactionSupport.java:168) [engine-utils.jar:]
    at org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInScope(TransactionSupport.java:107) [engine-utils.jar:]
    at org.ovirt.engine.core.vdsbroker.VdsManager.OnTimer(VdsManager.java:215) [engine-vdsbroker.jar:]
    at sun.reflect.GeneratedMethodAccessor13.invoke(Unknown Source) [:1.7.0_09-icedtea]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_09-icedtea]
    at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_09-icedtea]
    at org.ovirt.engine.core.utils.timer.JobWrapper.execute(JobWrapper.java:64) [engine-scheduler.jar:]
    at org.quartz.core.JobRunShell.run(JobRunShell.java:213) [quartz.jar:]
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557) [quartz.jar:]
2013-04-06 21:58:47,576 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand] (QuartzScheduler_Worker-61) XML RPC error in command GetCapabilitiesVDS ( Vds: defiant ), the error was: java.util.concurrent.ExecutionException: java.lang.reflect.InvocationTargetException, SSLPeerUnverifiedException: peer not authenticated
2013-04-06 21:58:47,606 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-62) Failed to decryptjava.io.FileNotFoundException: /etc/pki/ovirt-engine/.keystore (Permission denied)
2013-04-06 21:58:47,671 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand] (QuartzScheduler_Worker-62) XML RPC error in command GetCapabilitiesVDS ( Vds: transporter ), the error was: java.util.concurrent.ExecutionException: java.lang.reflect.InvocationTargetException, SSLPeerUnverifiedException: peer not authenticated
Here's the message I seem to get over and over on the Fedora 17 host in vdsm.log:

SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Thread-562520::ERROR::2013-04-06 22:08:44,268::SecureXMLRPCServer::73::root::(handle_error) client ('172.16.23.8', 36127)
Traceback (most recent call last):
  File "/usr/lib64/python2.7/SocketServer.py", line 582, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/site-packages/vdsm/SecureXMLRPCServer.py", line 66, in finish_request
    request.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 305, in do_handshake
    self._sslobj.do_handshake()
I'm also wondering about the permission denied on the .keystore directory. What should the permissions be? Here's what they are currently.
[root@reliant pki]# ls -ldZ /etc/pki/ovirt-engine/.keystore
-rwxr-x---. root root unconfined_u:object_r:cert_t:s0 /etc/pki/ovirt-engine/.keystore
I also seem to have a backup of the ovirt-engine directory at the time the update was performed, but replacing ovirt-engine with the backup does no good.
I appreciate any assistance, and please let me know what other information I can post to help with this.
Thanks

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
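The three causes Alon names in the thread (a .keystore owned by root instead of ovirt, a .truststore the engine cannot read or that is empty, and a .truststore that no longer contains ca.pem) can be checked read-only before touching anything. The script below is an added example, not an oVirt script: it assumes the engine runs as ovirt:ovirt with the 0750 mode seen in the thread, GNU coreutils `stat`, and `keytool`/`openssl` for the content check; the truststore password (TRUST_PASS) is an assumption you must supply.

```bash
#!/bin/bash
# Added example (not part of oVirt): read-only health check for the engine PKI
# directory. Assumes GNU stat; keytool/openssl are needed only for the content check.
PKI_DIR="${PKI_DIR:-/etc/pki/ovirt-engine}"
PKI_USER="${PKI_USER:-ovirt}"      # engine runs as ovirt:ovirt (from the thread)
TRUST_PASS="${TRUST_PASS:-}"       # assumed: the truststore password, set by the operator

# check_file PATH OWNER GROUP [MODE]: 0 if PATH is a non-empty regular file owned by
# OWNER:GROUP and, when MODE is given, has exactly that octal mode (e.g. 750).
check_file() {
    local f="$1" owner="$2" group="$3" mode="$4" o g m
    [ -f "$f" ] || { echo "MISSING  $f"; return 1; }
    [ -s "$f" ] || { echo "EMPTY    $f (zero bytes)"; return 1; }
    o=$(stat -c '%U' "$f"); g=$(stat -c '%G' "$f"); m=$(stat -c '%a' "$f")
    if [ "$o" != "$owner" ] || [ "$g" != "$group" ]; then
        echo "OWNER    $f is $o:$g, expected $owner:$group"; return 1
    fi
    if [ -n "$mode" ] && [ "$m" != "$mode" ]; then
        echo "MODE     $f is $m, expected $mode"; return 1
    fi
    echo "OK       $f ($o:$g $m)"
}

# truststore_has_ca TRUSTSTORE CA_PEM PASSWORD: 0 if the SHA1 fingerprint of CA_PEM
# appears in the JKS listing (the engine needs this to build a chain to host certs);
# 1 if absent; 2 if the tools are not installed.
truststore_has_ca() {
    local ts="$1" ca="$2" pass="$3" fp
    command -v keytool >/dev/null && command -v openssl >/dev/null ||
        { echo "SKIP     keytool/openssl not available"; return 2; }
    fp=$(openssl x509 -in "$ca" -noout -fingerprint -sha1 | cut -d= -f2)
    if keytool -list -v -keystore "$ts" -storepass "$pass" 2>/dev/null | grep -qi "$fp"; then
        echo "OK       $ts contains $ca ($fp)"
    else
        echo "MISSING  $ts does not contain $ca ($fp)"; return 1
    fi
}

# audit_pki_dir DIR: run every check; returns 0 only if all of them pass.
audit_pki_dir() {
    local d="$1" rc=0
    check_file "$d/.keystore"   "$PKI_USER" "$PKI_USER" 750 || rc=1
    check_file "$d/.truststore" "$PKI_USER" "$PKI_USER" 750 || rc=1
    check_file "$d/ca.pem"      "$PKI_USER" "$PKI_USER"     || rc=1
    truststore_has_ca "$d/.truststore" "$d/ca.pem" "$TRUST_PASS" || [ $? -eq 2 ] || rc=1
    return $rc
}

if [ -d "$PKI_DIR" ]; then audit_pki_dir "$PKI_DIR"; fi
```

A mismatched private key (the "Data must start with zero" decrypt error, where database passwords were encrypted with a different engine key) is not visible to file checks; only restoring the original .keystore fixes that.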