Hello,

On Tue, Feb 1, 2022 at 8:46 AM Yedidyah Bar David <didi@redhat.com> wrote:
On Mon, Jan 31, 2022 at 6:06 PM Diggy Mc <d03@bornfree.org> wrote:
>
> > On Sun, Jan 30, 2022 at 8:16 PM Diggy Mc <d03@bornfree.org> wrote:
> >
> > If it's a certificate created by engine-setup for you, you can run
> > 'engine-setup' and it can recreate it for you. If you do not want to
> > update the system, you can run it with 'engine-setup --offline'.
> > Otherwise, if it's a certificate you got elsewhere, you should update
> > it manually, perhaps following some of the steps of the procedure to
> > replace the certificate - the one you followed originally.
> >
> > Good luck and best regards,
>
>
> It is the original certificate created during initial install/setup. If possible, I would like to have another oVirt generated certificate without upgrading the engine's version. Where can I find instructions on how to do that?
>  What would be the pros and cons of generating my own self-signed certificate

Generally speaking, this is recommended. The main "con" is simply that it
requires some work and responsibility.

> with a longer validity period?

You already linked to the pki-renew page. This one links at several
bugs, which link to several patches, which (also) explain the reasoning,
also linking e.g. at:

https://www.thesslstore.com/blog/ssl-certificate-validity-will-be-limited-to-one-year-by-apples-safari-browser/
https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/

Latter is old, this one is newer (found by searching their site for "398 days"):

https://cabforum.org/2021/04/22/ballot-sc42-398-day-re-use-period/

>  Where can I find instructions on that?

https://www.ovirt.org/documentation/administration_guide/#appe-Red_Hat_Enterprise_Virtualization_and_SSL

Actually creating your own CA and signing certs with it is not in the
scope of this document. You can search the net and find several guides
on how to do that, or you can use the services of an existing CA -
letsencrypt is quite popular these days, being free (gratis).

>  Again, thanks for your help.

Good luck and best regards,
--
Didi

Unlike my predecessor, I not only lost my vmengine, I also lost the vdsm services on all hosts.
All seem to be hitting the same issue - read, the certs under /etc/pki/vdsm/certs and /etc/pki/ovirt* all expired a couple of days ago.
As such, the hosted engine cannot go into global maintenance mode, preventing engine-setup --offline from running.
Two questions:
1. Is there any automated method to renew the vdsm certificates?
2. Assuming the previous answer is "no", assuming I'm somewhat versed in using openssl, how can I manually renew them?

Thanks,

Gilboa
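The failure Gilboa describes (VDSM and engine certificates all expiring on the same day, taking the hosts down with the engine) is easy to catch ahead of time. The script below is an added example, not code from the thread or from the oVirt project: it reads each certificate's notAfter with openssl and reports days left, exiting non-zero when anything is expired or close to it. It assumes GNU date (`-d`), openssl on PATH, and the default certificate globs, which are an assumption based on the /etc/pki/vdsm and /etc/pki/ovirt* paths named above.

```shell
#!/bin/sh
# Added example, not from the thread: report how many days each oVirt/VDSM
# certificate has left so expiry is caught before engine and hosts stop talking.
# Assumptions: GNU date (-d), openssl on PATH, and the default certificate
# globs below, which are based on the /etc/pki/vdsm and /etc/pki/ovirt* paths
# named in the thread.

# Days from now until an OpenSSL notAfter string such as "Jan 28 12:00:00 2022 GMT".
# Negative output means the certificate is already expired.
days_until() {
    now=$(date +%s)
    end=$(date -d "$1" +%s) || return 2
    echo $(( (end - now) / 86400 ))
}

# Classify one certificate file as EXPIRED, WARN (within $2 days, default 30)
# or OK, printing "<status> <days-left> <file>".
check_cert() {
    file=$1
    warn_days=${2:-30}
    end=$(openssl x509 -in "$file" -noout -enddate 2>/dev/null) \
        || { echo "UNREADABLE - $file"; return 1; }
    days=$(days_until "${end#notAfter=}")
    if [ "$days" -lt 0 ]; then status=EXPIRED
    elif [ "$days" -le "$warn_days" ]; then status=WARN
    else status=OK; fi
    echo "$status $days $file"
}

# Scan certificates (warning window first, then optional file globs; default
# globs are the assumed oVirt locations). Exit 2 if any is expired, 1 if any
# is inside the warning window, 0 otherwise, so it can drive a cron alert.
scan_ovirt_certs() {
    warn_days=${1:-30}
    [ $# -gt 0 ] && shift
    [ $# -gt 0 ] || set -- /etc/pki/vdsm/certs/*.pem \
                          /etc/pki/ovirt-engine/certs/*.cer /etc/pki/ovirt-engine/*.pem
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        line=$(check_cert "$f" "$warn_days") || true
        echo "$line"
        case $line in
            EXPIRED*) rc=2 ;;
            WARN*) [ "$rc" -lt 1 ] && rc=1 ;;
        esac
    done
    return "$rc"
}
```

Run `scan_ovirt_certs 30` from cron on each host and on the engine; a non-zero exit is the signal to renew (via engine-setup while the engine can still enter global maintenance) before the certificates actually lapse.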