On Sun, Nov 22, 2020 at 9:11 AM Yedidyah Bar David <didi@redhat.com> wrote:

On Fri, Nov 20, 2020 at 1:37 PM Alex K <rightkicktech@gmail.com> wrote:
Following the above, I was seeing that OVN provider connectivity test was failing due to some certificate issue and had to do the following to fix it:

Is this on the same systems of "[ovirt-users] Fix corrupt self-hosted engine", or unrelated?

Yes, it is the same one.

names="ovirt-provider-ovn"

subject="$(\
openssl x509 \
-in /etc/pki/ovirt-engine/certs/apache.cer \
-noout \
-subject | \
sed \
's;subject= $.*$;\1;'
)"

. /usr/share/ovirt-engine/bin/engine-prolog.sh

for name in $names; do
/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh \
--name="${name}" \
--password=mypass \
--subject="${subject}" \
--keep-key \
--san=DNS:"${ENGINE_FQDN}"
done

Having fixed the above, when trying to connect two VMs on some OVN logical switches it seems they are not able to reach each other.
I had previously added such logical switched at engine by running:

ovn-nbctl ls-add ovn-net0
ovn-nbctl ls-add ovn-net1
etc

Checking the logs at the host /var/log/openvswitch/ovsdb-server.log I see:
reconnect|WARN|unix#45: connection dropped (Connection reset by peer)

Also systemctl status ovirt-provider-ovn.service at engine shows:
/usr/lib/python2.7/site-packages/urllib3/connection.py:344: SubjectAltNameWarning:...

I have restarted at engine both engine and ovn services:
systemctl restart ovirt-engine
systemctl status ovirt-provider-ovn.service

I have also restarted the relevant service at each host:
systemctl restart ovn-controller.service

When running at host the following it stucks and does not give any output:
ovn-sbctl show

I see that the certificate is imported at key-store as it has the same fingerprint with the previous root CA:

keytool -list -alias ovirt-provider-ovn -keystore /var/lib/ovirt-engine/external_truststore

At this same cluster, I had previously changed the domain name of each host and engine using the rename tool.

After that, did ovn still work well?

No. When clicking at the "test" button, I am prompted to accept self signed cert and then I receive a green check confirmation that all is good but when attaching two guest net ports on same OVN logicat switch the VMs are not able to communicate and was observing some SSL issues at OVN logs referring to subjAltName issues.

And now replaced the certificates as per previous described so as to fix the imageio cert issue and ovn issue.

It seems that OVN is not happy with the status of certificates.
When testing connection at engine GUI i get a prompt to trust the cert, and when pressing ok i get a green confirmation of successful connection.

Is there anything else that can be done to fix OVN functionality?

No idea, adding Dominik.

The cluster I am trying to fix was renamed at a previous point. I had to change the domain where the hosts and the engine belonged. Did that, with few hurdles (using the rename tool available at 4.3). That procedure left out the omageio and OVN certs which I want to resolve now as I need OVN to be able to setup test environment.

I checked also https://bugzilla.redhat.com/show_bug.cgi?id=1501798, and proceeded to generate new certs for ovn-ndb and ovn-sdb. Following this, and after running engine-setup I observed that the host had to be re-installed as per web UI prompt. I tried to, but host installation was not being completed due to "General SSLEngine problem". Tried also to renew the vdsm certs at the host, using same vdsm key and the new CA cert, but without luck. At that point I was receiving "Get Host Capabilities failed: Received fatal alert: unknown_ca" and the other host also became no-responsive. Generally I tried several things (even renewing at engine the engine.cer cert using the engine_id_rsa key at engine) but the host was refusing to install. So it seems that when a domain change is involved in the scenario, I have to include some additional steps to make the setup happy.

I had to roll-back the pki at its previous state so as to recover one host and re-install the other, as the site is production.

I have read that this the engine rename tool at 4.4 has several fixes and was thinking maybe I can use it at 4.3? Is it sth else that can be done to fix the vdsm cert issues or change the certs in a way to take into account the new domain name?

Best regards,

Thanx
Alex

On Thu, Nov 19, 2020 at 9:00 AM Alex K <rightkicktech@gmail.com> wrote:
Seems that all services (imageio, ovn, web socket) are fine after following the above and importing the new self signed CA certificate.
DId run also engine-setup as I was trying to fix the imageio cert issue, though seems that that was only fixed after importing the CA cert at browser and engine-setup might not be needed.

On Wed, Nov 18, 2020 at 3:07 PM Alex K <rightkicktech@gmail.com> wrote:
Seems I had a typo at /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf.
I will repeat the test to verify that all services are functional following this process.

On Wed, Nov 18, 2020 at 10:24 AM Alex K <rightkicktech@gmail.com> wrote:
Hi all,

I am trying to replace the ovirt certificate at ovirt 4.3 following this:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl

I am doing the following:
I have engine FQDN: manager.lab.local

1. Create root CA private key:
openssl genrsa -des3 -out root.key 2048

2. Generate root certificate: (enter passphrase of root key)
openssl req -x509 -new -nodes -key root.key -sha256 -days 3650 -out root.pem
cp root.pem /tmp

3. Create key and CSR for engine:
openssl genrsa -out manager.lab.local.key 2048
openssl req -new -out manager.lab.local.csr -key manager.lab.local.key

4. Generate a certificate for engine and sign with the root CA key:

openssl x509 -req -in manager.lab.local.csr \
-CA root.pem \
-CAkey root.key \
-CAcreateserial \
-out manager.lab.local.crt \
-days 3650 \
-sha256 \
-extensions v3_req

5. Verify the trust chain and check the certificate details:
openssl verify -CAfile root.pem manager.lab.local.crt
openssl x509 -text -noout -in manager.lab.local.crt | head -15

6. Generate a P12 container: (with empty password)
openssl pkcs12 -export -out /tmp/apache.p12 \
-inkey manager.lab.local.key \
-in manager.lab.local.crt

8. Export key and cert:
openssl pkcs12 -in apache.p12 -nocerts -nodes > /tmp/apache.key
openssl pkcs12 -in apache.p12 -nokeys > /tmp/apache.cer

From the above steps we should have the following:

/tmp/root.pem
/tmp/apache.p12
/tmp/apache.key
/tmp/apache.cer

9. Place the certificates:
hosted-engine --set-maintenance --mode=global
cp -p /etc/pki/ovirt-engine/keys/apache.p12 /tmp/apache.p12.bck
cp /tmp/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12
cp /tmp/root.pem /etc/pki/ca-trust/source/anchors
update-ca-trust
rm /etc/pki/ovirt-engine/apache-ca.pem
cp /tmp/root.pem /etc/pki/ovirt-engine/apache-ca.pem

Backup existing key and cert:
cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.bck
cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.bck
cp /tmp/apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass
cp /tmp/apache.cer /etc/pki/ovirt-engine/certs/apache.cer
chown root:ovirt /etc/pki/ovirt-engine/keys/apache.key.nopass
chmod 640 /etc/pki/ovirt-engine/keys/apache.key.nopass
systemctl restart httpd.service

10. Create a new trust store configuration file:
vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf

ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""

11. Edit /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf :
vi /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf

SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass

12. Edit /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf:
vi /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf

# Key file for SSL connections
ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
# Certificate file for SSL connections
ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer

13. Import the certificate at system-wide java trust store

update-ca-trust extract
keytool -list -alias ovirt -keystore /etc/pki/java/cacerts

14. Restart services:
systemctl restart httpd.service
systemctl restart ovirt-provider-ovn.service
systemctl restart ovirt-imageio-proxy
systemctl restart ovirt-websocket-proxy
systemctl restart ovirt-engine.service

Following the above I get at engine GUI:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I have tried also to run engine-setup in case it could fix anything (it renewed the cert due to missing subjectAltName), and the above error still persists.
I have tried several other suggestions from similar issues reported at this list without any luck.
I have run out of ideas. Am I missing anything?
Thanx for any suggestions.
Alex

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/PKKBI7Y2RZBEOAEGVVTOLGLBFKFLGUM6/

--
Didi