
On Fri, 14 Jan 2022 at 09:45, Martin Perina <mperina@redhat.com> wrote:
On Thu, Jan 13, 2022 at 4:53 PM Sandro Bonazzola <sbonazzo@redhat.com> wrote:
On Thu, 13 Jan 2022 at 15:34, Konstantin Shalygin <k0ste@k0ste.ru> wrote:
Is it possible to get the host certificate date, maybe from Postgres? The engine runs this check sometimes, but triggering this check seems impossible.
Anybody? @Sandro please help
The engine makes the check once per day and prints to the logs. How can we run a manual check or see the info in the PostgreSQL database? This is required because the days until the end of the certificate's life are expiring, and waiting for the next day in order to understand the result of deploying a new certificate is a strange situation.
Maybe @Martin Perina <mperina@redhat.com> can assist?
Hi,
host certificates are not saved anywhere in the engine database; you need to go to the host itself to find out the expiration date. There are 2 options:

1. Directly on the host, after connecting via SSH, you can run the command below:
   # openssl x509 -text -noout -in /etc/pki/vdsm/certs/vdsmcert.pem | grep -A2 Validity
2. Remotely, using openssl, you can run the command below:
   # openssl s_client -showcerts -connect <HOST FQDN>:54321 | openssl x509 -text -noout | grep -A2 Validity

ovirt-engine performs certificate checks every day (this can be configured using the engine-config option CertificationValidityCheckTimeInHours) and it checks not only host certificates, but also the engine certificate and the engine CA certificate. This check produces the following records in the ovirt-engine audit log:

1. If the certificate has already expired, then the audit log ALERT below is created, depending on the type of certificate:
   - *Host ${VdsName} certification has expired at ${ExpirationDate}. Please renew the host's certification.*
   - *Engine's certification has expired at ${ExpirationDate}. Please renew the engine's certification.*
   - *Engine's CA certification has expired at ${ExpirationDate}.*
2. If the certificate is going to expire in less than 7 days, then the audit log ALERT below is created, depending on the type of certificate:
   - *Host ${VdsName} certification is about to expire at ${ExpirationDate}. Please renew the host's certification.*
   - *Engine's certification is about to expire at ${ExpirationDate}. Please renew the engine's certification.*
   - *Engine's CA certification is about to expire at ${ExpirationDate}.*
3. If the certificate is going to expire in less than 30 days, then the audit log WARNING below is created, depending on the type of certificate:
   - *Host ${VdsName} certification is about to expire at ${ExpirationDate}. Please renew the host's certification.*
   - *Engine's certification is about to expire at ${ExpirationDate}. Please renew the engine's certification.*
   - *Engine's CA certification is about to expire at ${ExpirationDate}.*
Regards, Martin
Martin, is this something which can fit in oVirt administration documentation? Konstantin, what's the purpose of getting the certificate's dates?
Thanks,
k
--
Sandro Bonazzola
MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV
Red Hat EMEA <https://www.redhat.com/>
sbonazzo@redhat.com <https://www.redhat.com/>
*Red Hat respects your work life balance. Therefore there is no need to answer this email out of your office hours.*
-- Martin Perina Manager, Software Engineering Red Hat Czech s.r.o.
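
An on-demand version of the check discussed in this thread, as an added example that is not part of the original messages or of ovirt-engine: it classifies a certificate with the same 7-day and 30-day thresholds Martin describes, using openssl's -checkend. The function name cert_status and the status words it prints are assumptions made for this example; the certificate path and port 54321 are the ones quoted above.

```shell
#!/bin/sh
# Added example (not ovirt-engine code). cert_status is a hypothetical helper
# that mirrors the audit-log thresholds from the thread:
#   already expired      -> EXPIRED
#   expires in < 7 days  -> ALERT
#   expires in < 30 days -> WARNING
#   otherwise            -> OK
# Input that does not parse as a certificate yields INVALID, so a missing or
# corrupt file is not misreported as an expired certificate.

cert_status() {
    # Read the PEM once: from a file, or from stdin when the argument is "-".
    if [ "$1" = "-" ]; then
        pem=$(cat)
    else
        pem=$(cat "$1" 2>/dev/null)
    fi

    # openssl x509 -checkend N exits 0 only if the certificate is still
    # valid N seconds from now.
    check() {
        printf '%s\n' "$pem" | openssl x509 -noout -checkend "$1" >/dev/null 2>&1
    }

    if ! printf '%s\n' "$pem" | openssl x509 -noout >/dev/null 2>&1; then
        echo "INVALID"
    elif ! check 0; then
        echo "EXPIRED"
    elif ! check $((7 * 86400)); then
        echo "ALERT"
    elif ! check $((30 * 86400)); then
        echo "WARNING"
    else
        echo "OK"
    fi
}

# On the host:
#   sh certcheck.sh /etc/pki/vdsm/certs/vdsmcert.pem
# Remotely (source the function first; </dev/null makes s_client exit after
# the handshake instead of waiting for input):
#   openssl s_client -connect <HOST FQDN>:54321 </dev/null 2>/dev/null | cert_status -
for f in "$@"; do
    printf '%s: %s (%s)\n' "$f" "$(cert_status "$f")" \
        "$(openssl x509 -noout -enddate -in "$f" 2>/dev/null)"
done
```

Running it right after deploying a new certificate gives the same answer the next scheduled engine check would log, without waiting for that check.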