On Fri, Jan 14, 2022 at 09:45 Martin Perina <mperina@redhat.com> wrote:


On Thu, Jan 13, 2022 at 4:53 PM Sandro Bonazzola <sbonazzo@redhat.com> wrote:


On Thu, Jan 13, 2022 at 15:34 Konstantin Shalygin <k0ste@k0ste.ru> wrote:
> Is it possible to get, maybe from Postgres, the host certificate date?
> The engine runs this check sometimes, but triggering this check seems impossible

Anybody?
@Sandro please help

The engine makes the check once per day and prints to the logs.
How can we run a manual check or see the info in the PostgreSQL database? This is required because the days until the end of the certificate's life expire; waiting for the next day in order to understand the result of deploying a new certificate is a strange situation.

Maybe @Martin Perina can assist?

Hi,

Host certificates are not saved anywhere in the engine database; you need to go to the host itself to find out the expiration date. There are 2 options:

1. Directly on the host, after connecting via SSH, you can run the command below:
    # openssl x509 -text -noout -in /etc/pki/vdsm/certs/vdsmcert.pem | grep -A2 Validity

2. Remotely, using openssl, you can run the command below:
    # openssl s_client -showcerts -connect <HOST FQDN>:54321 | openssl x509 -text -noout | grep -A2 Validity


ovirt-engine performs certificate checks every day (this can be configured using the engine-config option CertificationValidityCheckTimeInHours) and it checks not only host certificates, but also the engine certificate and the engine CA certificate. This check produces the following records in the ovirt-engine audit log:

1. If the certificate has already expired, then the audit log ALERT below is created, depending on the type of certificate:
    - Host ${VdsName} certification has expired at ${ExpirationDate}. Please renew the host's certification.
    - Engine's certification has expired at ${ExpirationDate}. Please renew the engine's certification.
    - Engine's CA certification has expired at ${ExpirationDate}.

2. If the certificate is going to expire in less than 7 days, then the audit log ALERT below is created, depending on the type of certificate:
    - Host ${VdsName} certification is about to expire at ${ExpirationDate}. Please renew the host's certification.
    - Engine's certification is about to expire at ${ExpirationDate}. Please renew the engine's certification.
    - Engine's CA certification is about to expire at ${ExpirationDate}.

3. If the certificate is going to expire in less than 30 days, then the audit log WARNING below is created, depending on the type of certificate:
    - Host ${VdsName} certification is about to expire at ${ExpirationDate}. Please renew the host's certification.
    - Engine's certification is about to expire at ${ExpirationDate}. Please renew the engine's certification.
    - Engine's CA certification is about to expire at ${ExpirationDate}.

Regards,
Martin

Martin, is this something which can fit in oVirt administration documentation?
Konstantin, what's the purpose of getting the certificate's dates?
 

 


Thanks,
k
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/3WK5CJYL3PXXCJJQKLEQCQJG5X2YA3XV/


--

Sandro Bonazzola

MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV

Red Hat EMEA

sbonazzo@redhat.com   

Red Hat respects your work life balance. Therefore there is no need to answer this email out of your office hours.




--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
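
An on-demand version of the check described in Martin's reply, as an added example that is not part of the original thread or of oVirt: it reads a host certificate (local PEM file or remote VDSM port 54321, both from the reply) and classifies it with the expired / 7-day / 30-day thresholds listed there. The function names are hypothetical, the exact boundary handling is an assumption, and it assumes `openssl` and GNU `date` are installed.

```shell
#!/bin/sh
# Added example: manual certificate expiry check with the thresholds quoted in the thread.

DAY=86400

# classify_remaining SECONDS -> severity matching the audit log levels in the thread
classify_remaining() {
    if [ "$1" -le 0 ]; then
        echo "ALERT: expired"
    elif [ "$1" -lt $((7 * DAY)) ]; then
        echo "ALERT: about to expire"
    elif [ "$1" -lt $((30 * DAY)) ]; then
        echo "WARNING: about to expire"
    else
        echo "OK"
    fi
}

# seconds_left: reads a PEM certificate on stdin, prints seconds until notAfter
# (negative when already expired). Relies on GNU date's -d parsing (assumption).
seconds_left() {
    end=$(openssl x509 -noout -enddate) || return 1
    end=${end#notAfter=}
    echo $(( $(date -u -d "$end" +%s) - $(date -u +%s) ))
}

# fetch_remote HOST: prints the s_client output, which contains the host's PEM certificate.
# stdin is redirected from /dev/null so s_client exits after the handshake.
fetch_remote() {
    openssl s_client -connect "$1:54321" </dev/null 2>/dev/null
}

# Each argument is either a PEM file (e.g. /etc/pki/vdsm/certs/vdsmcert.pem) or a host FQDN.
if [ "$#" -gt 0 ]; then
    for target in "$@"; do
        if [ -f "$target" ]; then
            secs=$(seconds_left < "$target")
        else
            secs=$(fetch_remote "$target" | seconds_left)
        fi || { echo "$target: no certificate could be read" >&2; continue; }
        echo "$target: $(classify_remaining "$secs") ($((secs / DAY)) days left)"
    done
fi
```

Running it right after deploying a new certificate shows the new expiration status without waiting for the engine's next daily check.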

