Hi,
On Mon, December 7, 2020 4:02 pm, Derek Atkins wrote:
Hi Michal,
On Mon, December 7, 2020 11:43 am, Michal Skrivanek wrote:
>
[snip]
And for the record, after putting the new certificates into place by
hand,
just restarting a VM was sufficient to get Spice to pull in the new
cert(s). So, technically, it LOOKS like I don't have to reboot the whole
system (although I plan to do that tonight) -- I could just shutdown and
re-run each VM.
> HTH,
> michal
Thank you for all your support and everything you do for this project,
Michal. We very much appreciate it!
For the record, I rebooted the host last night and once everything came
back, the new certs were all in place and everything was happy... except
for the fact that my host cert does not have a SAN (SubjectAltName), so the
engine is *still* complaining about it. See my other email about that.
FYI, here are the commands I used to refresh everything (modulo restarting
everything):
set my_date="$(date +"%Y%m%d%H%M%S")"   # csh/tcsh syntax; in bash: my_date="$(date +"%Y%m%d%H%M%S")"
## On the ENGINE, rebuild the CA Cert:
cp -p /etc/pki/ovirt-engine/private/ca.pem /etc/pki/ovirt-engine/private/ca.pem.$my_date
cp -p /etc/pki/ovirt-engine/ca.pem{,.$my_date}
openssl x509 -signkey /etc/pki/ovirt-engine/private/ca.pem -in /etc/pki/ovirt-engine/ca.pem -out /etc/pki/ovirt-engine/ca.pem.new -days 3650 -sha256
openssl x509 -in /etc/pki/ovirt-engine/ca.pem.new -text > /etc/pki/ovirt-engine/ca.pem.new.full
mv /etc/pki/ovirt-engine/ca.pem.new.full /etc/pki/ovirt-engine/ca.pem
mv /etc/pki/ovirt-engine/certs/ca.der{,.$my_date}
cp -p /etc/pki/ovirt-engine/ca.pem.new /etc/pki/ovirt-engine/certs/ca.der
# On ovirt host, create a CSR from the existing client cert and key:
# openssl x509 -x509toreq -in /etc/pki/libvirt/clientcert.pem -out /tmp/HOST.csr -signkey /etc/pki/libvirt/private/clientkey.pem
mv /etc/pki/ovirt-engine/certs/host.na.me.cer{,.$my_date}
mv /etc/pki/ovirt-engine/requests/host.na.me.req{,.$my_date}
# copy new CSR into place on the engine:
# /etc/pki/ovirt-engine/requests/host.na.me.req
# and sign it:
/usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=host.na.me
# NB -- adding --san results in an error: --san=host.na.me
# copy new Host cert from /etc/pki/ovirt-engine/certs/host.na.me.cer
# to host:new_cert
# and copy CA cert to host:cacert.pem
# ON OVIRT Host:
mv /etc/pki/libvirt/clientcert.pem{,.$my_date}
mv /etc/pki/vdsm/certs/vdsmcert.pem{,.$my_date}
mv /etc/pki/vdsm/libvirt-spice/server-cert.pem{,.$my_date}
cp -p new_cert /etc/pki/libvirt/clientcert.pem
cp -p new_cert /etc/pki/vdsm/certs/vdsmcert.pem
cp -p new_cert /etc/pki/vdsm/libvirt-spice/server-cert.pem
chown root:kvm /etc/pki/libvirt/clientcert.pem /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/libvirt-spice/server-cert.pem
#
# Copy new CA cert into place on Host:
mv /etc/pki/CA/cacert.pem{,.$my_date}
cp -p cacert.pem /etc/pki/CA/cacert.pem
chgrp kvm /etc/pki/CA/cacert.pem
mv /etc/pki/vdsm/certs/cacert.pem{,.$my_date}
mv /etc/pki/vdsm/libvirt-spice/ca-cert.pem{,.$my_date}
mv /etc/pki/ovirt-engine/ca.pem{,.$my_date}
cp -p /etc/pki/CA/cacert.pem /etc/pki/vdsm/certs/cacert.pem
cp -p /etc/pki/CA/cacert.pem /etc/pki/vdsm/libvirt-spice/ca-cert.pem
cp -p /etc/pki/CA/cacert.pem /etc/pki/ovirt-engine/ca.pem
At this point I shut down all VMs, rebooted the host, and restarted all
the VMs and everything came back happy (except for the lack of the
SubjectAltName).
Also note that you will need to remove the trusted cert from your
browser(s) and re-add the new CA cert -- otherwise you will get a browser
error complaining about the change in certificate from the same Issuer and
with the same Serial#.
-derek
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com
www.ihtfp.com
Computer and Internet Security Consultant
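As an added example (not from Derek's post and not oVirt's own tooling), here is a small POSIX shell check one would run after swapping certificates by hand the way the procedure above does: it verifies that a cert chains to the CA now in place, reports whether a SubjectAltName is present (the point the engine keeps complaining about), checks remaining validity with openssl x509 -checkend, and prints the issuer/serial pair a browser keys on, which is why the old CA entry has to be removed before the re-signed one is trusted. It builds throw-away fixtures in a temp directory so it runs offline; host.na.me, the file names and the 398-day lifetime are constructed placeholders, and the fixture CA is renewed the same way as in the post (openssl x509 -signkey over the existing cert) so the checks can be run against the renewed copy as well.

```shell
#!/bin/sh
# Added example, not code from the original post or from oVirt: post-renewal
# checks for a hand-swapped certificate set. Everything below is built in a
# temp directory as constructed fixtures; host.na.me and the file names are
# placeholders standing in for the real engine/host paths.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# ---- constructed fixtures: a CA, a host cert with a SAN, one without ------
make_fixtures() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=example-ca" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=host.na.me" \
        -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
    # subjectAltName is an extension, so the signer adds it via an extfile
    printf 'subjectAltName=DNS:host.na.me\n' > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 398 -sha256 -extfile "$WORK/san.ext" \
        -out "$WORK/host.cer" 2>/dev/null
    # same CSR signed without the extfile: a cert with no SAN at all
    openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 398 -sha256 -out "$WORK/host-nosan.cer" 2>/dev/null
    # renew the CA the way the post does: re-sign the existing cert with its key
    openssl x509 -signkey "$WORK/ca.key" -in "$WORK/ca.pem" -days 3650 -sha256 \
        -out "$WORK/ca-renewed.pem" 2>/dev/null
}

# "ok" if the leaf ($2) validates against the CA file ($1), else "fail"
chain_status() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# the DNS names in subjectAltName of cert $1, or "none" if the extension is absent
cert_san() {
    san="$(openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
           | tail -n 1 | tr -d ' ' || true)"
    case "$san" in DNS:*) echo "$san" ;; *) echo none ;; esac
}

# "ok" if cert $1 is still valid $2 days from now, else "expiring"
validity_status() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo ok
    else
        echo expiring
    fi
}

# issuer DN plus serial of cert $1: the pair a browser's trust store keys on
issuer_and_serial() {
    openssl x509 -in "$1" -noout -issuer -serial | tr '\n' ' '
}

# one-screen summary for a CA/leaf pair
report() {
    echo "== $2"
    echo "chain:     $(chain_status "$1" "$2")"
    echo "SAN:       $(cert_san "$2")"
    echo "30 days:   $(validity_status "$2" 30)"
    echo "identity:  $(issuer_and_serial "$2")"
}

make_fixtures
report "$WORK/ca.pem" "$WORK/host.cer"
report "$WORK/ca.pem" "$WORK/host-nosan.cer"
# a CA re-signed with the same key still validates the existing host cert...
report "$WORK/ca-renewed.pem" "$WORK/host.cer"
# ...while a browser sees two different certs carrying the same issuer/serial
echo "old CA: $(issuer_and_serial "$WORK/ca.pem")"
echo "new CA: $(issuer_and_serial "$WORK/ca-renewed.pem")"
```

Against a real host, drop the fixture calls and run e.g. `report /etc/pki/CA/cacert.pem /etc/pki/vdsm/certs/vdsmcert.pem` for each of the three copies the procedure writes; `cert_san` printing `none` is exactly the condition the engine warns about, and a differing `identity:` line between the backed-up and the new CA is the cue to delete the stale browser trust entry rather than merely re-importing over it.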