On Fri, May 6, 2022 at 10:44 AM Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:

On Mon, May 2, 2022 at 6:02 PM <csabany@freemail.hu> wrote:
Hi,

LAst month a renewed our hosts certificates by the "Enroll certificates" method.
The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate wasn't renewed on my nodes (other certificates were).

How can i renew this certificate too?

thanks
csabany

Actually I think this could be a bug in enrolling certificate job on hosts from web admin gui.
I'm having the same problem updating from downstream RHV 4.4.10-6 to 4.4.10-7 with RHV-H hosts and the enrolling of certificates takes in consideration these directories

/etc/pki/libvirt
/etc/pki/vdsm/certs
/etc/pki/vdsm/libvirt-migrate
/etc/pki/vdsm/libvirt-spice

But not:
/etc/pki/vdsm/libvirt-vnc

I think it could impact oVirt too.

In case Red Hat guys want to see logs of my RHV environment, I've opened the case 03212406 for this problem.

Gianluca

I forgot to say that the impact in my case is that due to this problem I can't live migrate VMs between the updated hosts, because the libvirt-vnc certificate of destination host is now expired...

and in logs of source host I get:

libvirt.libvirtError: internal error: process exited while connecting to monitor: 2022-05-05T07:31:25.922766Z qemu-kvm: The server certificate /etc/pki/vdsm/libvirt-vnc/server-cert.pem has expired

Perhaps is due to having graphics protocol: Spice+VNC in VM console configuration, so both certificates (spice and vnc) are checked before migration. Not sure

Gianluca