I solved the problem. The problem seemed to be with the certs on the engine
in /etc/pki/ovirt-engine/certs. I ended up signing the .cer files using
pki-enroll-pkcs12.sh. I followed the directions in this link
https://ovirt.massopen.cloud/ovirt-engine/docs/Upgrade_Guide/Replacing_SH....
My certs were already in sha256 format, but now at least I can get all
green on my hosts and do what I need to do from the engine.
Don
On Tue, Jul 26, 2022 at 6:50 PM Don Dupuis <dondster(a)gmail.com> wrote:
Hello
I have an environment with quite a lot of hosts using local storage
domains. The engine and host certs expired. I ran engine-setup on the
ovirt-engine so that the engine cert would get updated and then followed
this
https://access.redhat.com/solutions/3532921 to manually update the
hosts certs so that hopefully the engine can talk to vdsm and then carry
out the cert enrollment process, but no luck. I am getting this error in
vdsm.log:
2022-07-26 18:32:12,743-0500 INFO (Reactor thread) [ProtocolDetector.AcceptorImpl] Accepted connection from ::ffff:192.168.50.26:58194 (protocoldetector:61)
2022-07-26 18:32:12,760-0500 ERROR (Reactor thread) [ProtocolDetector.SSLHandshakeDispatcher] ssl handshake: SSLError, address: ::ffff:192.168.50.26 (sslutils:263)
and the engine.log:
2022-07-26 03:30:13,242-05 INFO [org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (SSL Stomp Reactor) [] Connecting to host01/192.168.50.72
2022-07-26 03:30:13,257-05 ERROR [org.ovirt.vdsm.jsonrpc.client.reactors.Reactor] (SSL Stomp Reactor) [] Unable to process messages General SSLEngine problem
2022-07-26 03:30:13,260-05 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (EE-ManagedThreadFactory-engineScheduled-Thread-12) [] EVENT_ID: VDS_BROKER_COMMAND_FAILURE(10,802), VDSM host01 command Get Host Capabilities failed: General SSLEngine problem
I substituted host01 for the real FQDN for this post.
I can't get the hosts in a mode so that I can put it in maintenance mode
and I also want to be careful about reinstalling because the vms are
stored on local storage domain on host. Fingerprints match on the certs and
when I sign the vdsmcert on the engine and then copy back to the proper
locations, libvirtd and vdsmd restart fine, just the SSL ERROR.
Anyone have any ideas on how to solve this cert issue?
Thanks
Don
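
A triage sketch for the two log excerpts in this thread, added here as an example and not part of the original posts or of oVirt: it counts engine-side TLS failures per host and vdsm-side handshake errors per peer, which is useful when many hosts are affected at once. The function names and the host02 line are made up for illustration, and the patterns assume the log layout shown above with each entry on a single line.

```python
import re
from collections import Counter

# Engine audit-log event for a failed VDSM command: host name and reason.
ENGINE_FAIL = re.compile(
    r"ERROR\s.*VDS_BROKER_COMMAND_FAILURE\(\S+\), VDSM (?P<host>\S+) "
    r"command .+? failed: (?P<reason>.+)$"
)
# vdsm-side handshake failure: the peer is the connecting client (the engine).
VDSM_FAIL = re.compile(r"ERROR .*ssl handshake: SSLError, address: (?P<peer>\S+)")

def tls_failures_by_host(engine_lines):
    """Count engine-side command failures whose reason mentions SSL, per host."""
    hits = Counter()
    for line in engine_lines:
        m = ENGINE_FAIL.search(line)
        if m and "SSL" in m.group("reason"):
            hits[m.group("host")] += 1
    return hits

def handshake_peers(vdsm_lines):
    """Count vdsm-side handshake errors per peer address."""
    peers = Counter()
    for line in vdsm_lines:
        m = VDSM_FAIL.search(line)
        if m:
            peer = m.group("peer")
            if peer.startswith("::ffff:"):  # IPv4-mapped IPv6 form
                peer = peer[len("::ffff:"):]
            peers[peer] += 1
    return peers

# Entries from the excerpts above, one per line; the host02 entry is constructed.
_PREFIX = ("[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] "
           "(EE-ManagedThreadFactory-engineScheduled-Thread-12) [] EVENT_ID: "
           "VDS_BROKER_COMMAND_FAILURE(10,802), VDSM ")
ENGINE_SAMPLE = [
    "2022-07-26 03:30:13,260-05 ERROR " + _PREFIX
    + "host01 command Get Host Capabilities failed: General SSLEngine problem",
    "2022-07-26 03:31:02,118-05 ERROR " + _PREFIX
    + "host02 command Get Host Capabilities failed: Connection timeout",
]
VDSM_SAMPLE = [
    "2022-07-26 18:32:12,760-0500 ERROR (Reactor thread) "
    "[ProtocolDetector.SSLHandshakeDispatcher] ssl handshake: SSLError, "
    "address: ::ffff:192.168.50.26 (sslutils:263)",
]

if __name__ == "__main__":
    print(dict(tls_failures_by_host(ENGINE_SAMPLE)))
    print(dict(handshake_peers(VDSM_SAMPLE)))
```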