Hello

I have oVirt cluster with 25 hypervisors that has been running fine for a couple of years and today all of a sudden engine was getting ssl errors talking to the hypervisors. Error  in engine.log is:

2022-10-10 16:20:23,562-05 ERROR [org.ovirt.engine.core.vdsbroker.monitoring.HostMonitoring] (EE-ManagedThreadFactory-engineScheduled-Thread-47) [] Unable to RefreshCapabilities: VDSNetworkException: VDSGenericException: VDSNetworkException: Received fatal alert: unknown_ca

Certificates don't seem expired and I ran the command:

openssl x509 -noout -in /etc/pki/ovirt-engine/ca.pem -fingerprint

openssl x509 -noout -in /etc/pki/vdsm/certs/cacert.pem -fingerprint
# openssl x509 -noout -in /etc/pki/vdsm/libvirt-spice/ca-cert.pem -fingerprint
# openssl x509 -noout -in /etc/pki/vdsm/libvirt-vnc/ca-cert.pem -fingerprint
# openssl x509 -noout -in /etc/pki/CA/cacert.pem -fingerprint
Those commands show that the fingerprints are the same.
openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem /etc/pki/ovirt-engine/certs/engine.cer
# openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem /etc/pki/ovirt-engine/certs/apache.cer
# openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem /etc/pki/ovirt-engine/certs/websocket-proxy.cer
# openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem /etc/pki/ovirt-engine/certs/jboss.cer
# openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem /etc/pki/ovirt-engine/certs/imageio-proxy.cer
# openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem /etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer
These verification commands come back as OK. I am having trouble finding my problem. Does anyone have any suggestions? I am not finding any hits on google and unknown_ca.
Also the vdsm log on hypervisors has this:
2022-10-10 15:54:42,843-0500 ERROR (Reactor thread) [ProtocolDetector.SSLHandshakeDispatcher] ssl handshake: SSLError, address: ::ffff:192.168.50.26 (sslutils:263)
Thanks
Don