Thanks Martin!!!
On 14 Jan 2022, at 11:45, Martin Perina <mperina(a)redhat.com> wrote:
Hi,
host certificates are not saved anywhere in the engine database, you need to go to the
host itself to find out the expiration date. There are 2 options:
1. Directly on the host, after connecting via SSH, you can run the command below:
# openssl x509 -text -noout -in /etc/pki/vdsm/certs/vdsmcert.pem | grep -A2 Validity
2. Remotely, using openssl, you can run the command below:
# openssl s_client -showcerts -connect <HOST FQDN>:54321 | openssl x509 -text -noout | grep -A2 Validity
ovirt-engine performs certificate checks every day (can be configured using the engine-config
option CertificationValidityCheckTimeInHours) and it checks not only host certificates,
but also the engine certificate and the engine CA certificate. This check produces the
following records in the ovirt-engine audit log:
1. If the certificate has already expired, then the audit log ALERT below is created, depending
on the type of certificate:
- Host ${VdsName} certification has expired at ${ExpirationDate}. Please renew the host's certification.
- Engine's certification has expired at ${ExpirationDate}. Please renew the engine's certification.
- Engine's CA certification has expired at ${ExpirationDate}.
2. If the certificate is going to expire in less than 7 days, then the audit log ALERT below
is created, depending on the type of certificate:
- Host ${VdsName} certification is about to expire at ${ExpirationDate}. Please renew the host's certification.
- Engine's certification is about to expire at ${ExpirationDate}. Please renew the engine's certification.
- Engine's CA certification is about to expire at ${ExpirationDate}.
3. If the certificate is going to expire in less than 30 days, then the audit log
WARNING below is created, depending on the type of certificate:
- Host ${VdsName} certification is about to expire at ${ExpirationDate}. Please renew the host's certification.
- Engine's certification is about to expire at ${ExpirationDate}. Please renew the engine's certification.
- Engine's CA certification is about to expire at ${ExpirationDate}.
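
The expired / 7-day / 30-day thresholds listed above, applied to the expiry date that the two openssl commands report, so the same classification can be run from a monitoring host. This is an added example, not part of the original message and not oVirt's own code; the function names are hypothetical and GNU date is assumed.

```shell
#!/bin/sh
# Added example, not oVirt code; function names are hypothetical.
# Assumes GNU date (-d); the check_cert_* helpers also need openssl.

# classify_expiry "<notAfter date>" [now_epoch]
# Prints EXPIRED, ALERT (< 7 days left), WARNING (< 30 days left) or OK.
classify_expiry() (
    [ -n "$1" ] || exit 2
    end=$(date -u -d "$1" +%s) || exit 2
    now=${2:-$(date -u +%s)}
    left=$(( end - now ))
    if   [ "$left" -le 0 ];                 then echo EXPIRED
    elif [ "$left" -lt $(( 7 * 86400 )) ];  then echo ALERT
    elif [ "$left" -lt $(( 30 * 86400 )) ]; then echo WARNING
    else                                         echo OK
    fi
)

# check_cert_file <pem>: classify a local certificate, e.g. the host's
# /etc/pki/vdsm/certs/vdsmcert.pem.
check_cert_file() (
    end=$(openssl x509 -noout -enddate -in "$1") || exit 2
    classify_expiry "${end#notAfter=}"
)

# check_cert_remote <host fqdn> [port]: classify the certificate a host
# serves; 54321 is the port used in the message above.
check_cert_remote() (
    end=$(openssl s_client -connect "$1:${2:-54321}" </dev/null 2>/dev/null |
          openssl x509 -noout -enddate) || exit 2
    classify_expiry "${end#notAfter=}"
)
```

Redirecting stdin from /dev/null makes s_client close the connection after the handshake instead of waiting for input, which matters when the check runs unattended.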