On Tue, Nov 14, 2023 at 10:49 AM <nicolas@devels.es> wrote:
Hi,

We're running oVirt 4.5.4, and recently we got this alert:

   Engine's certification is about to expire at 2023-11-19. Please renew
the engine's certification.

So I'm trying to run:

   engine-setup --offline

However, it fails with the following error:

   [ INFO  ] Upgrading CA
   [ INFO  ] Renewing engine certificate
   [ ERROR ] Failed to execute stage 'Misc configuration': Command
'/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to execute

Digging into the logs I can see this:

   2023-11-14 08:36:22,848+0000 DEBUG
otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ca plugin.execute:926
execute-output: ('/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh',
'--name=engine', '--password=**FILTERED**',
'--subject=/C=US/O=stic.ull.es/CN=fqdn.es', '--san=DNS:fqdn.es',
'--keep-key') stderr:
   Ignoring -days; not generating a certificate
   /etc/pki/ovirt-engine/ca.pem is not on a local filesystem
   Cannot sign request

   2023-11-14 08:36:22,849+0000 DEBUG otopi.context
context._executeMethod:145 method exception
   Traceback (most recent call last):
     File "/usr/lib/python3.6/site-packages/otopi/context.py", line 132,
in _executeMethod
       method['method']()
     File
"/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py",
line 753, in _miscUpgrade
       self._enrollCertificates(True, uninstall_files)
     File
"/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py",
line 360, in _enrollCertificates
       shortLife=entry['shortLife'],
     File
"/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py",
line 250, in _enrollCertificate
       + (('--days=398',) if shortLife else ())
     File "/usr/lib/python3.6/site-packages/otopi/plugin.py", line 931,
in execute
       command=args[0],
   RuntimeError: Command
'/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to execute
   2023-11-14 08:36:22,852+0000 ERROR otopi.context
context._executeMethod:154 Failed to execute stage 'Misc configuration':
Command '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to
execute

However, the file exists and is on a local filesystem:

   # ll /etc/pki/ovirt-engine/ca.pem
   -rw-r--r--. 1 root root 4516 jun 24  2015 /etc/pki/ovirt-engine/ca.pem

This does not prove that it's on a local filesystem - it can be on NFS, and NFS
locking is sometimes problematic, so we prevented that. See pki-enroll-request.sh.
 

Can someone shed some light on why this is failing and how to solve
it, please?

What output do you get for:
df -l /etc/pki/ovirt-engine/ca.pem
?

Best regards,
--
Didi
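
The `df -l` query asked for above, wrapped as an added example (not part of the thread and not oVirt's own code): it separates "path missing" from "filesystem not local" and shows the device and mount point behind the path. The function names are hypothetical, and a `df` that supports `-l` (GNU or BSD) is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: classify a path as local, not local,
# or missing, using the `df -l` query from the reply above.
# Function names are hypothetical. Assumes GNU or BSD df (both support -l).

# Return 0 if the path is on a local filesystem, 1 if `df -l` rejects it,
# 2 if the path does not exist (df would fail for that reason as well).
is_on_local_fs() {
    [ -e "$1" ] || return 2
    # With a file operand, `df -l` exits non-zero when the filesystem
    # holding that file is not local (for example NFS).
    if df -l -- "$1" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Print "<device> on <mount point>" for the filesystem holding the path.
# Uses the portable `df -P` layout; mount points with spaces are not handled.
backing_mount() {
    df -P -- "$1" 2>/dev/null | awk 'NR == 2 { print $1 " on " $NF }'
}

# Print a one-line verdict for the path and return the same code as
# is_on_local_fs.
describe_path() {
    rc=0
    is_on_local_fs "$1" || rc=$?
    case "$rc" in
        0) echo "$1: local ($(backing_mount "$1"))" ;;
        1) echo "$1: NOT local ($(backing_mount "$1"))" ;;
        2) echo "$1: missing" ;;
    esac
    return "$rc"
}

# Check every path given on the command line, for example:
#   sh check-local.sh /etc/pki/ovirt-engine/ca.pem
for p in "$@"; do
    describe_path "$p" || true
done
```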