[ovirt-users] Re: Error virNetTLSContextLoadCertFromFile after upgrade from oVirt 4.2 to 4.3.4

On Tue, Jun 25, 2019 at 8:37 PM Stefano Danzi <s.danzi(a)hawai.it&gt; wrote: > Il 25/06/2019 14:26, Stefano Danzi ha scritto: >>>> I don't remember to ever seen a question about this during >>>> engine-setup, >>>> but it could be. >>>> In /etc/pki/vdsm/certs/ I can see an old cert and ca with subjet: >>>> >>>> [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in >>>> /etc/pki/vdsm/certs/cacert.pem.20150205093608 -text' >>>> Certificate: >>>> Data: >>>> Version: 3 (0x2) >>>> Serial Number: 1423056193 (0x54d21d41) >>>> Signature Algorithm: sha256WithRSAEncryption >>>> Issuer: CN=VDSM Certificate Authority >>>> Validity >>>> Not Before: Feb 4 13:23:13 2015 GMT >>>> Not After : Feb 4 13:23:13 2016 GMT >>>> Subject: CN=VDSM Certificate Authority >>>> Subject Public Key Info: >>>> >>>> [CUT] >>>> >>>> [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in >>>> /etc/pki/vdsm/certs/vdsmcert.pem.20150205093609 -text' >>>> Certificate: >>>> Data: >>>> Version: 3 (0x2) >>>> Serial Number: 1423056193 (0x54d21d41) >>>> Signature Algorithm: sha256WithRSAEncryption >>>> Issuer: CN=VDSM Certificate Authority >>>> Validity >>>> Not Before: Feb 4 13:23:13 2015 GMT >>>> Not After : Feb 4 13:23:13 2016 GMT >>>> Subject: CN=ovirt01.hawai.lan, O=VDSM Certificate >>>> Subject Public Key Info: >>>> Public Key Algorithm: rsaEncryption >>>> >>>> >>>> I think that was certs made during first hosted engine installation. >>>> Could it work if I manually create certs like this? >>>> Just to start libvirtd, vdsm and hosted-engine. >>> I think it's worth a try. Just create a self-signed CA, a keypair >>> signed by it, and place them correctly, should work. >>> >>> The engine won't be able to talk with the host, but you can then more >>> easily reinstall/re-enroll-certs. >>> >>> Good luck, >> This workaround works! >> I have hosted engine running! >> >> So I have to find how reinstall/re-enroll-certs on host. From engine >> UI host status is "NonResponsive" and I can't do nothing.... >> _______________________________________________ > Status: > > now Host status is "Unassiged". Engine can't reach host for "General > SSLEngine problem" and It's ok because certs are "home made". > I can't switch host to maintenance because it's not operational. > I can't enroll certificate because is not in maintenance status. You can try to remove it. I think we do not support "force-remove" despite being asked about this occasionally, because generally-speaking, this is very unsafe. If you insist, you can try using the sql function DeleteVds to delete it from the database. > hou I can enroll host cert manually? You can try following what I wrote in "2. Try to manually fix" before. Create a CSR on the host (with whatever private key you want), copy it to engine, pki-enroll-request, copy the cert to host. Good luck and best regards,