Re: [ovirt-users] expired cert for aaa

Hi Yedidyah, Attached are the setup logs, sorry for the delay. I checked all the backup certs, and the expiry dates were either in 2021 or 2026.

Regards, Cam On Tue, Nov 8, 2016 at 7:25 AM, Yedidyah Bar David <didi(a)redhat.com&gt; wrote: > > On Mon, Nov 7, 2016 at 9:15 PM, cmc <iucounu(a)gmail.com&gt; wrote: > > To reply to my own email: > > > > This is now fixed. > > > > I originally ran these steps for the upgrade: > > > > # yum install > > http://resources.ovirt.org/pub/yum-repo/ovirt-release40.rpm > > # yum update "ovirt-engine-setup*" > > # engine-setup > > > > There were no errors reported during the process. I could login as the > > internal user without any errors. It was just using an external > > provider, > > which made me think it was an aaa issue, so I looked > > at the certificate exported from AD which had an expiry of 2063. > > > > I tried running engine-setup again, and this fixed the issue. I have no > > idea > > what happened along the way, I will check the logs. I notice it reports: > > > > [ INFO ] Upgrading CA > > engine-setup always emits this message. You might find more details in the > setup logs regarding what it actually did. > > > > > so it looks like it creates a cert. Why it would have created one with > > such > > a short expiry date is a mystery to me. > > > > Hope this helps anyone who might come across this issue > > Thanks for the report! > > Can you please share both setup logs? Thanks. > > Also, most files should be backed up by engine-setup prior to being > changed/removed. So you can check the backups. E.g.: > > # openssl x509 -in /etc/pki/ovirt-engine/ca.pem.20160120160548 -noout > -enddate > notAfter=May 22 07:32:23 2025 GMT > # openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -enddate > notAfter=Mar 6 09:46:44 2026 GMT > > Or, > > find /etc/pki/ovirt-engine -name "*.cer*" -o -name "*.pem*" | while > read file; do echo $file $(openssl x509 -in $file -noout -enddate); > done > > Best, > -- > Didi