On Thu, Oct 22, 2015 at 2:29 PM, Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
On Thu, Oct 22, 2015 at 2:15 PM, Simone Tiraboschi <stirabos@redhat.com> wrote:

2015-10-21 17:36:33 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:219 DIALOG:SEND       ### Please input VDSM certificate chain that matches certificate request, top is issuer
2015-10-21 17:36:33 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:219 DIALOG:SEND       ###
2015-10-21 17:36:33 DEBUG otopi.plugins.otopi.dialog.machine dialog.__logString:219 DIALOG:SEND       ### type '--=451b80dc-996f-432e-9e4f-2b29ef6d1141=--' in own line to mark end, '--=451b80dc-996f-ABORT-9e4f-2b29ef6d1141=--' aborts
2015-10-21 17:36:33 DEBUG otopi.context context._executeMethod:156 method exception
Traceback (most recent call last):
  File "/tmp/ovirt-xP0lq4KMou/pythonlib/otopi/context.py", line 146, in _executeMethod
    method['method']()
  File "/tmp/ovirt-xP0lq4KMou/otopi-plugins/ovirt-host-common/vdsm/pki.py", line 319, in _misc
    '\n\nPlease input VDSM certificate chain that '
  File "/tmp/ovirt-xP0lq4KMou/otopi-plugins/otopi/dialog/machine.py", line 207, in queryMultiString
    v = self._readline()
  File "/tmp/ovirt-xP0lq4KMou/pythonlib/otopi/dialog.py", line 263, in _readline
    raise IOError(_('End of file'))
IOError: End of file
2015-10-21 17:36:33 ERROR otopi.context context._executeMethod:165 Failed to execute stage 'Misc configuration': End of file
2015-10-21 17:36:33 DEBUG otopi.transaction transaction.abort:134 aborting 'Yum Transaction'
2015-10-21 17:36:33 INFO otopi.plugins.otopi.packagers.yumpackager yumpackager.info:95 Yum Performing yum transaction rollback
Loaded plugins: fastestmirror, langpacks

The issue seems to be there:
we have an input request on host-deploy to have somebody explicitly trusting the VDSM cert chain but of course, being an automated process, nobody will respond and so it failed.
Did you manually change the engine cert or some other CA cert?

No.
The only thing is that I first ran
  hosted-engine --deploy
without putting the hostname of engine inside /etc/hosts of hypervisor and it failed (see my first mail of the thread), I think without doing anything (at least at engine VM level, I don't know if it created a cert...), but generating an answer file.

And then I ran, as you suggested (with the warning you noted) 
hosted-engine --deploy --config-append=answer_file

Inside log of first run (ovirt-hosted-engine-setup-20151021151938-j4hy5g.log) I see

2015-10-21 15:20:13 DEBUG otopi.plugins.ovirt_hosted_engine_setup.pki.vdsmpki plugin.execute:936 execute-output: ('/bin/openssl', 'x509', '-noout', '-text', '-in', '/etc/pki/vdsm/libvirt-spice/server-cert.pem') stdout:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=EN, L=Test, O=Test, CN=TestCA
        Validity
            Not Before: Oct 21 13:20:13 2015 GMT
            Not After : Oct 20 13:20:13 2018 GMT
        Subject: C=EN, L=Test, O=Test, CN=Test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:bd:f8:d4:a0:87:9e:20:7f:71:12:8d:8e:90:e0:
...

Inside the run with answer file (ovirt-hosted-engine-setup-20151021170822-p1iv3y.log) I see
2015-10-21 17:08:22 DEBUG otopi.plugins.ovirt_hosted_engine_setup.pki.vdsmpki plugin.execute:936 execute-output: ('/bin/openssl', 'x509', '-noout', '-text', '-in', '/etc/pki/vdsm/libvirt-spice/server-cert.pem') stdout:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=EN, L=Test, O=Test, CN=TestCA
        Validity
            Not Before: Oct 21 13:20:13 2015 GMT
            Not After : Oct 20 13:20:13 2018 GMT
        Subject: C=EN, L=Test, O=Test, CN=Test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:bd:f8:d4:a0:87:9e:20:7f:71:12:8d:8e:90:e0:


Any particular file or section in log files to cross check?
I can also start from scratch in case.... just to be sure that I don't get into same problem, so that it can be useful to find it before...


I suspect that host-deploy fails because you have in place a leftover VDSM cert from the previous attempt which is still signed by your previous attempt's engine, and so it fails to match this new engine: on the second attempt hosted-engine-setup deployed the engine appliance again, creating a new instance with different certs.

You could try to run on the host:

/bin/rm /etc/vdsm/vdsm.conf
/bin/rm /etc/pki/vdsm/*/*.pem
/bin/rm /etc/pki/CA/cacert.pem
/bin/rm /etc/pki/libvirt/*.pem
/bin/rm /etc/pki/libvirt/private/*.pem
vdsm-tool configure --force
systemctl restart vdsmd

then try to redeploy the host from the web-ui.
Hosted-engine configuration should be kept so it should work. To be sure simply reboot the host: if everything is fine the HA agent should restart your engine VM.
 
Thanks,
Gianluca
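
A read-only way to test the leftover-certificate suspicion from the last reply before deleting anything, as an added example that is not part of the original thread or of oVirt: it checks whether each host certificate still chains to the CA the current engine uses. The CA and certificate paths are arguments supplied by the caller (assumed, not taken from the thread), and `make_demo_pki` builds constructed throwaway data for trying it out.

```shell
#!/bin/sh
# Added example: detect host certificates that were issued by a different
# (for instance, previous) engine CA. Nothing on disk is modified.

# cert_signed_by CA_PEM CERT_PEM
# Succeeds only when openssl reports "<file>: OK" for CERT_PEM against CA_PEM.
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# check_leftover CA_PEM CERT_PEM...
# Prints one status line per certificate; returns 1 if any certificate
# does not chain to CA_PEM, 0 otherwise.
check_leftover() {
    ca=$1; shift
    rc=0
    for cert in "$@"; do
        if cert_signed_by "$ca" "$cert"; then
            echo "OK    $cert"
        else
            # Show who issued the stale certificate and when it expires.
            info=$(openssl x509 -noout -issuer -enddate -in "$cert" 2>/dev/null | tr '\n' ' ')
            echo "STALE $cert ($info)"
            rc=1
        fi
    done
    return "$rc"
}

# make_demo_pki DIR
# Constructed test data: two throwaway CAs standing in for the "old" and
# "new" engine, plus one host certificate issued by the old CA.
make_demo_pki() {
    d=$1
    for n in old new; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=Constructed/CN=$n engine CA" \
            -keyout "$d/$n-ca.key" -out "$d/$n-ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/O=Constructed/CN=host" \
        -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/host.csr" -days 1 -CAcreateserial \
        -CA "$d/old-ca.pem" -CAkey "$d/old-ca.key" -out "$d/host.pem" 2>/dev/null
}
```

A `STALE` line for a host certificate checked against the new engine's CA is the mismatch described in the reply; an `OK` line means the cause lies elsewhere.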