I ran engine-setup again, but the issue was still present. However, I found that by using a different browser (Firefox instead of Chrome), I did not get the error. I cleared the cookies in Chrome and the issue no longer occured. So it may well be a browser issue. Thanks, C On Thu, Nov 24, 2016 at 11:22 AM, cmc <iucounu@gmail.com> wrote:
Interestingly, I just got this same error again after I upgraded (I upgraded from 4.0.4 to 4.0.5 to fix the 'internal server error' bug that was fixed in 4.0.5)
server_error: The connection reader was unable to successfully complete TLS negotiation: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Fri Nov 04 00:19:18 GMT 2016 caused by java.security.cert.CertificateExpiredException: NotAfter: Fri Nov 04 00:19:18 GMT 2016
Shall I send the logs?
On Thu, Nov 24, 2016 at 10:55 AM, Yedidyah Bar David <didi@redhat.com> wrote:
On Thu, Nov 24, 2016 at 12:47 PM, cmc <iucounu@gmail.com> wrote:
Hi Yedidyah,
Attached are the setup logs, sorry for the delay. I checked all the backup certs, and the expiry dates were either in 2021 or 2026.
Sorry, no idea.
This means that all certs generated by engine-setup were ok.
Not sure what caused this message. If it happens again, please check the certificate's details, who issued/signed it etc.
Best,
Regards,
Cam
On Tue, Nov 8, 2016 at 7:25 AM, Yedidyah Bar David <didi@redhat.com>
On Mon, Nov 7, 2016 at 9:15 PM, cmc <iucounu@gmail.com> wrote:
To reply to my own email:
This is now fixed.
I originally ran these steps for the upgrade:
# yum install http://resources.ovirt.org/pub/yum-repo/ovirt-release40.rpm # yum update "ovirt-engine-setup*" # engine-setup
There were no errors reported during the process. I could login as
internal user without any errors. It was just using an external provider, which made me think it was an aaa issue, so I looked at the certificate exported from AD which had an expiry of 2063.
I tried running engine-setup again, and this fixed the issue. I have no idea what happened along the way, I will check the logs. I notice it reports:
[ INFO ] Upgrading CA
engine-setup always emits this message. You might find more details in
wrote: the the
setup logs regarding what it actually did.
so it looks like it creates a cert. Why it would have created one
with
such a short expiry date is a mystery to me.
Hope this helps anyone who might come across this issue
Thanks for the report!
Can you please share both setup logs? Thanks.
Also, most files should be backed up by engine-setup prior to being changed/removed. So you can check the backups. E.g.:
# openssl x509 -in /etc/pki/ovirt-engine/ca.pem.20160120160548 -noout -enddate notAfter=May 22 07:32:23 2025 GMT # openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -enddate notAfter=Mar 6 09:46:44 2026 GMT
Or,
find /etc/pki/ovirt-engine -name "*.cer*" -o -name "*.pem*" | while read file; do echo $file $(openssl x509 -in $file -noout -enddate); done
Best, -- Didi
-- Didi