5:57 a.m.
On Tue, Jun 25, 2019 at 8:37 PM Stefano Danzi <s.danzi(a)hawai.it> wrote:
Il 25/06/2019 14:26, Stefano Danzi ha scritto:
>
>>> I don't remember to ever seen a question about this during
>>> engine-setup,
>>> but it could be.
>>> In /etc/pki/vdsm/certs/ I can see an old cert and ca with subjet:
>>>
>>> [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in
>>> /etc/pki/vdsm/certs/cacert.pem.20150205093608 -text'
>>> Certificate:
>>> Data:
>>> Version: 3 (0x2)
>>> Serial Number: 1423056193 (0x54d21d41)
>>> Signature Algorithm: sha256WithRSAEncryption
>>> Issuer: CN=VDSM Certificate Authority
>>> Validity
>>> Not Before: Feb 4 13:23:13 2015 GMT
>>> Not After : Feb 4 13:23:13 2016 GMT
>>> Subject: CN=VDSM Certificate Authority
>>> Subject Public Key Info:
>>>
>>> [CUT]
>>>
>>> [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in
>>> /etc/pki/vdsm/certs/vdsmcert.pem.20150205093609 -text'
>>> Certificate:
>>> Data:
>>> Version: 3 (0x2)
>>> Serial Number: 1423056193 (0x54d21d41)
>>> Signature Algorithm: sha256WithRSAEncryption
>>> Issuer: CN=VDSM Certificate Authority
>>> Validity
>>> Not Before: Feb 4 13:23:13 2015 GMT
>>> Not After : Feb 4 13:23:13 2016 GMT
>>> Subject: CN=ovirt01.hawai.lan, O=VDSM Certificate
>>> Subject Public Key Info:
>>> Public Key Algorithm: rsaEncryption
>>>
>>>
>>> I think that was certs made during first hosted engine installation.
>>> Could it work if I manually create certs like this?
>>> Just to start libvirtd, vdsm and hosted-engine.
>> I think it's worth a try. Just create a self-signed CA, a keypair
>> signed by it, and place them correctly, should work.
>>
>> The engine won't be able to talk with the host, but you can then more
>> easily reinstall/re-enroll-certs.
>>
>> Good luck,
> This workaround works!
> I have hosted engine running!
>
> So I have to find how reinstall/re-enroll-certs on host. From engine
> UI host status is "NonResponsive" and I can't do nothing....
> _______________________________________________
Status:
now Host status is "Unassiged". Engine can't reach host for "General
SSLEngine problem" and It's ok because certs are "home made".
I can't switch host to maintenance because it's not operational.
I can't enroll certificate because is not in maintenance status.
You can try to remove it. I think we do not support "force-remove"
despite being asked about this occasionally, because
generally-speaking, this is very unsafe. If you insist, you can try
using the sql function DeleteVds to delete it from the database.
hou I can enroll host cert manually?
You can try following what I wrote in "2. Try to manually fix" before.
Create a CSR on the host (with whatever private key you want), copy it
to engine, pki-enroll-request, copy the cert to host.
Good luck and best regards,
--
Didi