One important note:

ln -sf /etc/pki/vdsm/libvirt-vnc/server-key.pem /etc/pki/vdsm/libvirt-migrate/client-key.pem
ln -sf /etc/pki/vdsm/libvirt-vnc/server-cert.pem /etc/pki/vdsm/libvirt-migrate/client-cert.pem

Enrolment will fail if client-*.pem doesn't exist and/or isn't a symbolic link.

- Gilboa

On Tue, Dec 27, 2022 at 5:29 AM dhanaraj.ramesh--- via Users <users@ovirt.org> wrote:
No worries, we all came across this issue. As long as the hosted engine is running on Gluster, you can shut it down and bring it up on any other node. Now, in order to bring the node up in the cluster, you will have to manually replace the vdsm cert on each node, followed by re-enrolling the certificate.

The steps are:

# To check whether the cert has expired
# openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -noout -dates

1. Backup vdsm folder
    # cd /etc/pki
    # mv vdsm vdsm.orig
    # mkdir vdsm   ; chown vdsm:kvm vdsm
    # cd vdsm
    # mkdir libvirt-vnc certs keys libvirt-spice libvirt-migrate
    # chown vdsm:kvm  libvirt-vnc certs keys libvirt-spice libvirt-migrate

2. Regenerate cert & keys
    # vdsm-tool configure --module certificates

3. Copy the certs to their destination locations
    chmod 440 /etc/pki/vdsm/keys/vdsmkey.pem
    chown root /etc/pki/vdsm/certs/*pem
    chmod 644 /etc/pki/vdsm/certs/*pem

    cp /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-spice/ca-cert.pem
    cp /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/libvirt-spice/server-key.pem
    cp /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/libvirt-spice/server-cert.pem

    cp /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-vnc/ca-cert.pem
    cp /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/libvirt-vnc/server-key.pem 
    cp /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/libvirt-vnc/server-cert.pem

    cp -p /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-migrate/ca-cert.pem
    cp -p /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/libvirt-migrate/server-key.pem
    cp -p /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/libvirt-migrate/server-cert.pem

    chown root:qemu /etc/pki/vdsm/libvirt-migrate/server-key.pem

    cp -p /etc/pki/vdsm.orig/keys/libvirt_password /etc/pki/vdsm/keys/

    mv /etc/pki/libvirt/clientcert.pem /etc/pki/libvirt/clientcert.pem.orig
    mv /etc/pki/libvirt/private/clientkey.pem /etc/pki/libvirt/private/clientkey.pem.orig
    mv /etc/pki/CA/cacert.pem /etc/pki/CA/cacert.pem.orig

    cp -p /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/libvirt/clientcert.pem
    cp -p /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/libvirt/private/clientkey.pem
    cp -p /etc/pki/vdsm/certs/cacert.pem /etc/pki/CA/cacert.pem


4. Cross-check the backup folder /etc/pki/vdsm.orig against /etc/pki/vdsm
     # refer to /etc/pki/vdsm.orig/*/ and set the correct owner & group permissions in /etc/pki/vdsm/*/

5. Restart services # Make sure both services are up
    systemctl restart vdsmd libvirtd

6. Reboot the node, confirm the host has been rebooted manually, and put the host in maintenance mode

7. Enroll the certificate (DO NOT re-install), then exit maintenance mode


Cheers from Singapore.
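The procedure above copies one key/cert pair into several libvirt directories, asks for a manual owner/mode comparison against the vdsm.orig backup, and (per Gilboa's note) requires the libvirt-migrate client-*.pem files to be symlinks. The script below is an added example for checking those three things before restarting vdsmd and libvirtd; it is not from the thread or from the oVirt/vdsm project. It assumes the openssl CLI and GNU coreutils (stat -c, readlink -f); PKI_ROOT is an assumed override so the checks can be run against a copy of the tree instead of /etc/pki.

```shell
#!/bin/sh
# Added example (not from the thread or from vdsm): post-renewal sanity checks.
# Assumes openssl CLI and GNU coreutils (stat -c, readlink -f).
# PKI_ROOT is an assumed knob; defaults to /etc/pki, the real tree.
PKI_ROOT="${PKI_ROOT:-/etc/pki}"

# 0 if the certificate stays valid for at least $2 more seconds (default 0,
# i.e. "not expired right now"), 1 if expired/expiring, 2 if unreadable.
cert_valid_for() {
    cert="$1"; seconds="${2:-0}"
    [ -r "$cert" ] || return 2
    openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null 2>&1
}

# 0 if key ($1) and certificate ($2) carry the same public key, 1 if not,
# 2 if either cannot be parsed. Catches a server-key.pem copied from the wrong file.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Gilboa's note: libvirt-migrate/client-*.pem must exist AND be symlinks,
# each resolving to the matching libvirt-vnc/server-*.pem.
migrate_client_links_ok() {
    root="${1:-$PKI_ROOT}"
    for pair in client-key.pem:server-key.pem client-cert.pem:server-cert.pem; do
        link="$root/vdsm/libvirt-migrate/${pair%%:*}"
        want="$root/vdsm/libvirt-vnc/${pair#*:}"
        [ -L "$link" ] || return 1
        [ "$(readlink -f "$link")" = "$(readlink -f "$want")" ] || return 1
    done
    return 0
}

# The cross-check step: every file under vdsm.orig must exist under vdsm with
# the same owner:group and mode. Prints each mismatch; returns 1 if any.
perms_match_backup() {
    root="${1:-$PKI_ROOT}"
    mismatches=$(find "$root/vdsm.orig" -type f | while IFS= read -r old; do
        rel="${old#$root/vdsm.orig/}"
        new="$root/vdsm/$rel"
        if [ ! -e "$new" ]; then
            echo "missing: $new"
        elif [ "$(stat -c '%U:%G %a' "$old")" != "$(stat -c '%U:%G %a' "$new")" ]; then
            echo "perms differ: $rel ($(stat -c '%U:%G %a' "$old") in backup, $(stat -c '%U:%G %a' "$new") now)"
        fi
    done)
    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches"
    return 1
}

# Run every check against one tree; nonzero if anything failed.
check_vdsm_pki() {
    root="${1:-$PKI_ROOT}"; rc=0
    for d in certs libvirt-spice libvirt-vnc libvirt-migrate; do
        case "$d" in
            certs) crt="$root/vdsm/certs/vdsmcert.pem"; key="$root/vdsm/keys/vdsmkey.pem" ;;
            *)     crt="$root/vdsm/$d/server-cert.pem"; key="$root/vdsm/$d/server-key.pem" ;;
        esac
        # 30 days of headroom, so the next expiry is caught while the host is healthy
        cert_valid_for "$crt" 2592000 || { echo "$crt: expired, expiring within 30 days, or unreadable"; rc=1; }
        key_matches_cert "$key" "$crt" || { echo "$key does not match $crt"; rc=1; }
    done
    migrate_client_links_ok "$root" || { echo "libvirt-migrate/client-*.pem must be symlinks to libvirt-vnc/server-*.pem"; rc=1; }
    perms_match_backup "$root" || rc=1
    return $rc
}
```

Run `check_vdsm_pki` as root on the host (or `PKI_ROOT=/path/to/copy check_vdsm_pki` against a copied tree); a clean run prints nothing and exits 0, which is the point at which restarting vdsmd and libvirtd is safe.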
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/XWS5LKNFTLH2A4ZJFOJFCW6ZZ6QBMNTS/