Hi,

On 17/06/2022 at 12:18, Marko Vrgotic wrote:

Dear Nathanael,

 

Thank you very much for your reply. Regarding the host expiration playbook you wrote – my compliments – is it safe to run on a host with expired certificates, or is it rather meant to be executed for renewal of certs on hosts with still valid certs?

Both are okay. In the case of a host in "up" status, it will go down during the playbook execution, but VMs will continue to run without any downtime. The host will recover and go up once the certificates are successfully renewed.

This is an emergency procedure, the best solution to renew a certificate on a running host is to put the host into maintenance and renew certs via UI.

 

We have also found the following script, which should at least safely take care of the renewal of certs on a host with already expired certificates:

https://github.com/tothf/renew_vdsm_cert/blob/main/renew_vdsm_cert.sh

 

-----

kind regards/met vriendelijke groeten

 

Marko Vrgotic
Sr. System Engineer @ System Administration


ActiveVideo

o: +31 (35) 6774131

m: +31 (65) 5734174

e: m.vrgotic@activevideo.com
w: www.activevideo.com

 

ActiveVideo Networks BV. Mediacentrum 3745 Joop van den Endeplein 1.1217 WJ Hilversum, The Netherlands. The information contained in this message may be legally privileged and confidential. It is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited.  If you have received this message in error, please immediately notify the sender and/or ActiveVideo Networks, LLC by telephone at +1 408.931.9200 and delete or destroy any copy of this message.

 

 

 

From: Nathanaël Blanchet <blanchet@abes.fr>
Date: Thursday, 16 June 2022 at 14:40
To: Marko Vrgotic <M.Vrgotic@activevideo.com>, users@ovirt.org <users@ovirt.org>
Subject: Re: [ovirt-users] oVirt 4.4.x step-by-step procedure to renew expired oVirt certificates

Hello,

If you refer to:

  1. engine apache certificate expiration ("PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:") when accessing the oVirt console.
    => engine-setup --offline
  2. hosts certificate expiration?
    =>  https://access.redhat.com/solutions/3532921
    I also wrote a playbook to do so there: https://galaxy.ansible.com/natman/ovirt_renew_certs
    In this case, don't forget to renew the certificate with the UI (in maintenance) when the host is responding, otherwise you may encounter issues with console or live migration or other SSL related stuff.

tested and approved.

On 16/06/2022 at 12:34, Marko Vrgotic wrote:

Dear oVirt,

 

The oVirt SSL certificates were changed to one-year renewal and we have a problem now.

We are running 4.4.x version with SHE on local storage cluster and we have four more local storage clusters.

 

On the cluster running SHE, the engine and host certificates have expired. We found the procedure for renewal prior to expiration, but we do not have a manual one, required once certificates have expired.

 

Would you be so kind to share the manual or steps needed to fix our oVirt setup.

 

Thank you in advance.

 

 

_______________________________________________
Users mailing list -- users@ovirt.org
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5LOTLSGBZQAZQD7L76ZMGFALTHODKYKO/
-- 
Nathanaël Blanchet
 
Supervision réseau
SIRE
227 avenue Professeur-Jean-Louis-Viala
34193 MONTPELLIER CEDEX 5      
Tél. 33 (0)4 67 54 84 55
Fax  33 (0)4 67 54 84 14
blanchet@abes.fr