On Mon, Feb 1, 2016 at 7:10 PM, Marcelo Leandro <marceloltmm@gmail.com> wrote:
I copied wrong.
the authorityInfoAccess is not empty.
yes, i followed correctly.

attached cert.conf.

Ok, thanks.
But keyUsage = critical,${ENV::OVIRT_KU}
extendedKeyUsage = ${ENV::OVIRT_EKU}
still looks strage.

Can you please check what you had before the migration?

 

thanks



2016-02-01 14:25 GMT-03:00 Simone Tiraboschi <stirabos@redhat.com>:
> Thanks Marcelo,
> unfortunately I can confirm you that it's broken: ${ENV::OVIRT_EKU} didn't
> get correctly replaced and authorityInfoAccess is empty.
> Now we need to understand why it got generated this way, maybe something
> went wrong in the backup and restore procedure.
> Did you correctly followed this?
> http://www.ovirt.org/User:Adrian15/oVirt_engine_migration#Restore_Certificates
>
> thanks,
> Simone
>
>
> On Mon, Feb 1, 2016 at 5:49 PM, Marcelo Leandro <marceloltmm@gmail.com>
> wrote:
>>
>> Hello simone,
>>
>> yes,
>> it's here:
>>
>> RANDFILE = .rnd
>>
>> [req]
>>
>> default_bits = rsa:2048
>> default_keyfile = keys/cert.pem
>> distinguished_name = req_distinguished_name
>> attributes = req_attributes
>> x509_extensions = v3_ca
>>
>> [req_attributes]
>>
>> [v3_ca]
>>
>> subjectKeyIdentifier = hash
>> authorityInfoAccess =
>>
>> caIssuers;URI:http://srv-ovirt01:80/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
>> authorityKeyIdentifier = keyid:always,issuer:always
>> basicConstraints = CA:false
>> keyUsage = critical,digitalSignature,keyEncipherment
>> extendedKeyUsage = critical,serverAuth,clientAuth
>>
>> [custom]
>> subjectKeyIdentifier = hash
>> authorityInfoAccess =
>>
>> caIssuers;URI:http://srv-ovirt01:80/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
>> authorityKeyIdentifier = keyid:always,issuer:always
>> basicConstraints = CA:false
>> keyUsage = critical,${ENV::OVIRT_KU}
>> extendedKeyUsage = ${ENV::OVIRT_EKU}
>>
>> [req_distinguished_name]
>>
>>
>> Thanks.
>>
>> 2016-02-01 11:49 GMT-03:00 Simone Tiraboschi <stirabos@redhat.com>:
>> >
>> > On Mon, Feb 1, 2016 at 3:30 PM, Marcelo Leandro <marceloltmm@gmail.com>
>> > wrote:
>> >>
>> >> ERROR: on line 27 of config file 'cert.conf'
>> >> 139871306037152:error:0E065068:configuration file
>> >> routines:STR_COPY:variable has no value:conf_def.c:618:line 27
>> >> Cannot sign certificate
>> >
>> >
>> > This looks strange; can you please share the content of
>> > /etc/pki/ovirt-engine/cert.conf ?
>
>