On Tue, Dec 27, 2022 at 8:39 AM Yedidyah Bar David <didi(a)redhat.com> wrote:
On Sun, Dec 25, 2022 at 5:15 PM Gilboa Davara <gilboad(a)gmail.com> wrote:
>
>
>
> On Sun, Dec 25, 2022 at 12:37 PM Gilboa Davara <gilboad(a)gmail.com> wrote:
>>
>> On Sun, Dec 25, 2022 at 12:36 PM Gilboa Davara <gilboad(a)gmail.com> wrote:
>>>
>>> Hello all,
>>>
>>> Even though I do my best to keep track of the certificate issue date across my different clusters, I somehow missed the vdsm certificate expiration in one of my clusters.
>>> Now I have an active cluster with multiple nodes (self-hosted / gluster storage), vdsm service is down on all nodes (due to certificate expiration) - hence, I cannot get the cluster into global maintenance mode (vdsms are down), and I cannot access my engine (to renew the engine certificates / re-enroll hosts).
>>> How can I manually renew the host certificate?
>>>
>>> Thanks,
>>> Gilboa
>>
>>
>> P.S. CentOS 8 Streams engine and host, ovirt v4.5.3 (I think).
>>
>> - Gilboa
>
>
> Managed to find an old email in this group (that I saved...)
>
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/56QU2AD7YUX...
>
> This got the nodes working... but the engine (GRRR) still cannot connect to the nodes (I assume it has expired certs as well), hence, it cannot detect the cluster is in global maintenance mode, and cannot run engine-setup.
>
> Add issue
> https://github.com/oVirt/ovirt-engine/issues/784

Sorry, I do not follow. Is your immediate obstacle being that
engine-setup refuses to continue, saying "Hosted Engine HA is in
Global Maintenance mode."?

You can cause it to ignore this test by passing
'OVESETUP_CONFIG/continueSetupOnHEVM=bool:True' (in the answer file or
--otopi-environment).

We recently added an option 'engine-setup
--show-environment-documentation', exactly for this env key, see also:

https://bugzilla.redhat.com/show_bug.cgi?id=1700460

(BTW, I now see that I warned there against trying to parse the
output, as it might change in the future - and that I indeed actually
already "broke" it,
. If anyone
volunteers to enhance this - either add some override to otopi calling
textwrap.wrap or perhaps some '--json' option or whatever, great!).

--
Didi