[ovirt-users] Re: Error virNetTLSContextLoadCertFromFile after upgrade from oVirt 4.2 to 4.3.4

> I don't remember to ever seen a question about this during engine-setup, > but it could be. > In /etc/pki/vdsm/certs/ I can see an old cert and ca with subjet: > > [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in > /etc/pki/vdsm/certs/cacert.pem.20150205093608 -text' > Certificate: > Data: > Version: 3 (0x2) > Serial Number: 1423056193 (0x54d21d41) > Signature Algorithm: sha256WithRSAEncryption > Issuer: CN=VDSM Certificate Authority > Validity > Not Before: Feb 4 13:23:13 2015 GMT > Not After : Feb 4 13:23:13 2016 GMT > Subject: CN=VDSM Certificate Authority > Subject Public Key Info: > > [CUT] > > [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in > /etc/pki/vdsm/certs/vdsmcert.pem.20150205093609 -text' > Certificate: > Data: > Version: 3 (0x2) > Serial Number: 1423056193 (0x54d21d41) > Signature Algorithm: sha256WithRSAEncryption > Issuer: CN=VDSM Certificate Authority > Validity > Not Before: Feb 4 13:23:13 2015 GMT > Not After : Feb 4 13:23:13 2016 GMT > Subject: CN=ovirt01.hawai.lan, O=VDSM Certificate > Subject Public Key Info: > Public Key Algorithm: rsaEncryption > > > I think that was certs made during first hosted engine installation. > Could it work if I manually create certs like this? > Just to start libvirtd, vdsm and hosted-engine. I think it's worth a try. Just create a self-signed CA, a keypair signed by it, and place them correctly, should work. The engine won't be able to talk with the host, but you can then more easily reinstall/re-enroll-certs. Good luck,