On 25/06/2019 10:08, Yedidyah Bar David wrote:
> On Tue, Jun 25, 2019 at 10:26 AM Stefano Danzi <s.danzi(a)hawai.it> wrote:
>>
>>
>> On 25/06/2019 08:27, Yedidyah Bar David wrote:
>>> On Mon, Jun 24, 2019 at 7:56 PM Stefano Danzi <s.danzi(a)hawai.it> wrote:
>>>> I've found that this issue is related to:
>>>>
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1648190
>>> Are you sure?
>>>
>>> That bug is about an old cert, generated by an old version, likely
>>> before we fixed bug 1210486 (even though it's not mentioned in above
>>> bug).
>> Yes! Malformed "Not Before" date/time in certs
>>
>>>> But I've no idea how to fix it....
>>>>
>>>> On 24/06/2019 18:19, Stefano Danzi wrote:
>>>>> I've just upgraded my test environment from ovirt 4.2 to 4.3.4.
>>> Was it installed as 4.2, or upgraded? From which first version?
>> I don't remember the first installed version. Maybe 4.0... I always
>> upgraded the original installation.
>>
>>>>> The system has only one host (CentOS 7.6.1810) and runs a self-hosted engine.
>>>>>
>>>>> After the upgrade I'm not able to run vdsmd (and so the hosted engine....)
>>>>>
>>>>> Below is the error in the log:
>>>>>
>>>>> journalctl -xe
>>>>>
>>>>> -- L'unità libvirtd.service ha iniziato la fase di avvio.
>>>>> giu 24 18:09:17 ovirt01.hawai.lan libvirtd[8176]: 2019-06-24
>>>>> 16:09:17.006+0000: 8176: info : libvirt version: 4.5.0, package:
>>>>> 10.el7_6.12 (CentOS BuildSystem <http://bugs.centos.org>,
>>>>> 2019-06-20-15:01:15, x86-01.bsys.
>>>>> giu 24 18:09:17 ovirt01.hawai.lan libvirtd[8176]: 2019-06-24
>>>>> 16:09:17.006+0000: 8176: info : hostname: ovirt01.hawai.lan
>>>>> giu 24 18:09:17 ovirt01.hawai.lan libvirtd[8176]: 2019-06-24
>>>>> 16:09:17.006+0000: 8176: error : virNetTLSContextLoadCertFromFile:513
>>>>> : Unable to import server certificate /etc/pki/vdsm/certs/vdsmcert.pem
>>> Did you check this file? Does it exist?
>>>
>>> ls -l /etc/pki/vdsm/certs/vdsmcert.pem
>>>
>>> Can vdsm user read it?
>>>
>>> su - vdsm -s /bin/bash -c 'cat /etc/pki/vdsm/certs/vdsmcert.pem > /dev/null'
>>>
>>> Please check/share output of:
>>>
>>> openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -text
>>>
>>> Thanks and best regards,
>> vdsm can read vdsmcert. The problem is "Not Before" date:
>>
>> [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in
>> /etc/pki/vdsm/certs/vdsmcert.pem -text'
>> Certificate:
>> Data:
>> Version: 3 (0x2)
>> Serial Number: 4102 (0x1006)
>> Signature Algorithm: sha1WithRSAEncryption
>> Issuer: C=US, O=hawai.lan, CN=ovirtbk-sheng.hawai.lan.63272
>> Validity
>> Not Before: Feb 4 08:36:07 2015
>> Not After : Feb 4 08:36:07 2020 GMT
>> [CUT]
>>
>>
>> [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in
>> /etc/pki/vdsm/certs/cacert.pem -text'
>> Certificate:
>> Data:
>> Version: 3 (0x2)
>> Serial Number: 4096 (0x1000)
>> Signature Algorithm: sha1WithRSAEncryption
>> Issuer: C=US, O=hawai.lan, CN=ovirtbk-sheng.hawai.lan.63272
>> Validity
>> Not Before: Feb 4 00:06:25 2015
>> Not After : Feb 2 00:06:25 2025 GMT
>>
> OK :-(
>
> So it will be rather difficult to fix.
>
> You should have been prompted by engine-setup long ago to renew PKI,
> weren't you? And when you did, didn't you have to reinstall (or Re-
> Enroll Certificates, in later versions) all hosts?
I don't remember ever seeing a question about this during engine-setup,
but it could be.
In /etc/pki/vdsm/certs/ I can see an old cert and CA with subject:
[root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in
/etc/pki/vdsm/certs/cacert.pem.20150205093608 -text'
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1423056193 (0x54d21d41)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=VDSM Certificate Authority
Validity
Not Before: Feb 4 13:23:13 2015 GMT
Not After : Feb 4 13:23:13 2016 GMT
Subject: CN=VDSM Certificate Authority
Subject Public Key Info:
[CUT]
[root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in
/etc/pki/vdsm/certs/vdsmcert.pem.20150205093609 -text'
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1423056193 (0x54d21d41)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=VDSM Certificate Authority
Validity
Not Before: Feb 4 13:23:13 2015 GMT
Not After : Feb 4 13:23:13 2016 GMT
Subject: CN=ovirt01.hawai.lan, O=VDSM Certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
I think those were certs made during the first hosted engine installation.
Could it work if I manually create certs like this?
Just to start libvirtd, vdsm and hosted-engine.
I think it's worth a try. Just create a self-signed CA and a keypair
signed by it, place them correctly, and it should work.
The engine won't be able to talk with the host, but you can then more
easily reinstall/re-enroll-certs.
Good luck,
--
Didi
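The tell-tale sign in the thread is openssl printing "Not Before: Feb 4 08:36:07 2015" with no "GMT": RFC 5280 requires the UTCTime in Validity to end in "Z", and GnuTLS (which libvirtd uses) refuses certificates where it is missing. The following checker is an added example, not code from the thread or from oVirt; it walks the DER with the standard library only and builds a constructed minimal certificate skeleton (not a real oVirt cert) to exercise itself. On a real host you would feed it `pem_to_der(open("/etc/pki/vdsm/certs/vdsmcert.pem").read())`.

```python
"""Detect the malformed Validity encoding from this thread: RFC 5280 requires the
UTCTime/GeneralizedTime in Validity to end in 'Z'; openssl printing 'Not Before'
without 'GMT' is the tell-tale sign, and GnuTLS (used by libvirtd) rejects it."""
import base64
import re

INTEGER, UTC_TIME, GEN_TIME, SEQUENCE = 0x02, 0x17, 0x18, 0x30

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Yield (tag, value) for each TLV inside a constructed body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        yield tag, val

def _tlv(tag, body):  # short-form DER encoder, enough for the constructed fixtures
    return bytes([tag, len(body)]) + body

def pem_to_der(pem_text):  # strip PEM armour and whitespace, then base64-decode
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem_text))

def validity_problems(der):
    """Return problems with notBefore/notAfter; an empty list means well-formed."""
    _, cert_body, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE
    _, tbs_body, _ = _read_tlv(cert_body, 0)   # tbsCertificate ::= SEQUENCE
    for tag, val in _children(tbs_body):
        if tag != SEQUENCE:
            continue
        kids = list(_children(val))
        # Validity is the first SEQUENCE whose two children are both time types
        if len(kids) == 2 and all(t in (UTC_TIME, GEN_TIME) for t, _ in kids):
            return [f"{name} '{v.decode('ascii', 'replace')}' lacks the trailing 'Z'"
                    for name, (_, v) in zip(("notBefore", "notAfter"), kids)
                    if not v.endswith(b"Z")]
    return ["no Validity sequence found"]

def constructed_cert(not_before, not_after):
    """Constructed minimal cert skeleton (not a real oVirt cert) with the given times."""
    validity = _tlv(SEQUENCE, _tlv(UTC_TIME, not_before) + _tlv(UTC_TIME, not_after))
    tbs = _tlv(SEQUENCE, _tlv(INTEGER, b"\x10\x06") + validity)  # serial 4102, as in thread
    return _tlv(SEQUENCE, tbs)
```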