
On 5/5/22 10:42, simon@justconnect.ie wrote:
Hi Jiri,
I understand the libvirt-vnc part of this thread but can you explain the following in more detail please:
"when you update also CA then
cp /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-vnc/ca-cert.pem"
Sorry, it is probably not necessary. In my particular case I had an expired engine.cer, so I regenerated it during the engine-setup process. Then I enrolled certificates on all hosts. After that I noticed that migrations to some hosts fail. The qemu log shows

    2022-05-02T13:55:05.987598Z qemu-kvm: Our own certificate /etc/pki/vdsm/libvirt-vnc/server-cert.pem failed validation against /etc/pki/vdsm/libvirt-vnc/ca-cert.pem: The certificate hasn't got a known issuer

so I copied the key, cert and also cacert.pem to libvirt-vnc, which solved my issue.
When does /etc/pki/vdsm/certs/cacert.pem get updated (checked mine and it's 2021) if not by the 'Enroll Certificate' action?
I believe cacert could be updated during the engine-setup process, but I am not sure about this. In my case the CA was not renewed:

    openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -text
    Validity
        Not Before: Aug 30 14:45:05 2015 GMT
        Not After : Aug 28 14:45:05 2025 GMT

so I have no idea why /etc/pki/vdsm/libvirt-vnc/server-cert.pem cannot be validated against /etc/pki/vdsm/libvirt-vnc/ca-cert.pem on the host. Copying /etc/pki/vdsm/certs/cacert.pem to /etc/pki/vdsm/libvirt-vnc/ca-cert.pem solved this issue...

Cheers,
Jiri
Kind Regards
Simon...
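
One way to check a host for the mismatch discussed in this thread, as an added example that is not part of the original messages: it tests whether the libvirt-vnc server certificate validates against the CA file beside it and, if not, against the vdsm CA. The file paths are the ones quoted in the thread; the function names, verdict words and the `--run` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose the qemu-kvm error
# "failed validation against ... ca-cert.pem" on a host.
# Default paths are the ones quoted in the thread.
VDSM_CA=${VDSM_CA:-/etc/pki/vdsm/certs/cacert.pem}
VNC_CA=${VNC_CA:-/etc/pki/vdsm/libvirt-vnc/ca-cert.pem}
VNC_CERT=${VNC_CERT:-/etc/pki/vdsm/libvirt-vnc/server-cert.pem}

# SHA-256 fingerprint of a PEM certificate (empty if unreadable).
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeeds if cert $2 chains to the CA in $1 and is currently valid.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# diagnose VDSM_CA VNC_CA VNC_CERT -> prints exactly one verdict word:
#   OK         cert validates against the CA file next to it
#   STALE_CA   cert validates against the vdsm CA but not the VNC copy
#   UNTRUSTED  cert validates against neither (expired, other issuer, ...)
#   MISSING    one of the files is unreadable
diagnose() {
    for f in "$1" "$2" "$3"; do
        [ -r "$f" ] || { echo MISSING; return 0; }
    done
    if chains_to "$2" "$3"; then
        echo OK
    elif chains_to "$1" "$3"; then
        echo STALE_CA
    else
        echo UNTRUSTED
    fi
}

# Human-readable report: verdict, both CA fingerprints, cert issuer and expiry.
report() {
    echo "verdict:        $(diagnose "$1" "$2" "$3")"
    echo "vdsm CA:        $(fingerprint "$1")"
    echo "libvirt-vnc CA: $(fingerprint "$2")"
    openssl x509 -in "$3" -noout -issuer -enddate 2>/dev/null
    return 0
}

# Touch the host's files only when asked to: sh check-vnc-ca.sh --run
if [ "${1:-}" = "--run" ]; then report "$VDSM_CA" "$VNC_CA" "$VNC_CERT"; fi
```

A `STALE_CA` verdict with two different CA fingerprints corresponds to the case where copying cacert.pem over ca-cert.pem, as described above, makes validation pass.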