Hi
I think I will stick with the default 398-day certificate rule. To renew
the certificate automatically I am thinking of writing a script and
running engine-setup, which will detect that the certificates are close to
expiry, as follows:
--== PKI CONFIGURATION ==--
One or more of the certificates should be renewed, because they expire
soon, or include an invalid expiry date, or they were created with
validity period longer than 398 days, or do not include the subjectAltName
extension, which can cause them to be rejected by recent browsers and up
to date hosts. See
https://www.ovirt.org/develop/release-management/features/infra/pki-renew/
for more details. Renew certificates? (Yes, No) [No]:
However I see a couple of problems:
1. engine-setup must be run with the offline option, because otherwise it
will try to update the packages, which I want to avoid. When offline is
used, do the VMs running on the KVM hosts have to be stopped? Can this be
done online? It is a pain if every time I need to renew the certificates I
have to stop the entire virtualization environment.
2. To script and run this process as a cron job, can we run engine-setup
non-interactively?
Thanks
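An added example for the cron-job idea above (not code from anyone in this thread): a Python pre-check that parses `openssl x509 -dates` output for the engine certificates and reports whether they expire soon or were issued for more than 398 days, so a script only runs engine-setup's renewal when it is actually needed. The certificate paths under /etc/pki/ovirt-engine/certs/ and the 30-day warning window are assumptions.

```python
# Added example (not from the thread): pre-check for a renewal cron job. It
# flags engine certificates that expire soon or were issued for more than
# 398 days, the conditions engine-setup's PKI warning describes.
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

MAX_VALIDITY_DAYS = 398                  # limit quoted in engine-setup's warning
_OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"   # e.g. "Nov  4 13:00:00 2023 GMT"

def parse_openssl_dates(text):
    """Parse `openssl x509 -noout -dates` output into (notBefore, notAfter)."""
    found = {}
    for key in ("notBefore", "notAfter"):
        m = re.search(rf"^{key}=(.+)$", text, re.MULTILINE)
        if not m:
            raise ValueError(f"missing {key} in openssl output")
        value = " ".join(m.group(1).split())   # openssl pads single-digit days
        found[key] = datetime.strptime(value, _OPENSSL_DATE).replace(
            tzinfo=timezone.utc)
    return found["notBefore"], found["notAfter"]

def assess(not_before, not_after, now, warn_days=30):
    """Return the reasons a certificate should be renewed ([] when it is fine)."""
    reasons = []
    validity = not_after - not_before
    if validity > timedelta(days=MAX_VALIDITY_DAYS):
        reasons.append(f"validity {validity.days} days exceeds {MAX_VALIDITY_DAYS}")
    remaining = not_after - now
    if remaining <= timedelta(0):
        reasons.append("already expired")
    elif remaining <= timedelta(days=warn_days):
        reasons.append(f"expires in {remaining.days} days")
    return reasons

def check_cert_file(path, warn_days=30):
    """Read a PEM certificate with openssl and assess it against the current time."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-dates"],
                         check=True, capture_output=True, text=True).stdout
    return assess(*parse_openssl_dates(out), datetime.now(timezone.utc), warn_days)

if __name__ == "__main__":
    # Assumed locations of the certificates named in the thread; override on the CLI.
    paths = sys.argv[1:] or ["/etc/pki/ovirt-engine/certs/apache.cer",
                             "/etc/pki/ovirt-engine/certs/websocket-proxy.cer"]
    findings = {p: check_cert_file(p) for p in paths}
    for p, reasons in findings.items():
        print(f"{p}: {'; '.join(reasons) or 'OK'}")
    sys.exit(1 if any(findings.values()) else 0)   # non-zero: renewal needed
```

The exit status lets a cron wrapper decide whether to proceed to the renewal step, rather than invoking engine-setup on every run.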
On Sat, Nov 4, 2023 at 6:47 PM LS CHENG <lsc.oraes(a)gmail.com> wrote:
Hi
Yes it is generated with engine-setup.
How do you extend the certificate validation value in engine-setup? (I am
aware that browsers can have problems with long-duration certificates, as
explained in
https://techbeacon.com/security/google-apple-mozilla-enforce-1-year-max-s...
)
Thanks
On Sat, Nov 4, 2023 at 6:39 PM Matej Dujava <ovirt(a)kocurkovo.cz> wrote:
> Hi,
>
> By self-signed cert, you mean a managed cert generated by oVirt itself
> (engine-setup)?
>
> I found an issue
> https://bugzilla.redhat.com/show_bug.cgi?id=1824103 where
> it's mentioned that Safari (maybe other browsers too) has problems with a
> long self-signed CA. If it's not affecting your clients you can change the
> values and regenerate the cert by engine-setup.
>
> You can always generate an SSL cert by hand (openssl or cfssl ...) and
> replace it with the following
> https://www.ovirt.org/documentation/administration_guide/#Replacing_the_M...
> .
>
>
> On 4 November 2023 14:18:26 CET, LS CHENG <lsc.oraes(a)gmail.com> wrote:
>
>> Hi again
>>
>> Forgot to mention that I am using self-signed certificates
>>
>> Thank you
>>
>> On Sat, Nov 4, 2023 at 2:07 PM LS CHENG <lsc.oraes(a)gmail.com> wrote:
>>
>>> Hi all
>>>
>>> I am running Oracle Linux Virtualization Manager 4.4.
>>>
>>> The default expiration length for apache.cer and websocket-proxy.cer is
>>> 1 year. Is there a way to extend them to 10 years?
>>>
>>> Thank you
>>>