On 25/06/2019 14:26, Stefano Danzi wrote:
>> I don't remember ever seeing a question about this during
>> engine-setup,
>> but it could be.
>> In /etc/pki/vdsm/certs/ I can see an old cert and CA with subject:
>>
>> [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in /etc/pki/vdsm/certs/cacert.pem.20150205093608 -text'
>> Certificate:
>> Data:
>> Version: 3 (0x2)
>> Serial Number: 1423056193 (0x54d21d41)
>> Signature Algorithm: sha256WithRSAEncryption
>> Issuer: CN=VDSM Certificate Authority
>> Validity
>> Not Before: Feb 4 13:23:13 2015 GMT
>> Not After : Feb 4 13:23:13 2016 GMT
>> Subject: CN=VDSM Certificate Authority
>> Subject Public Key Info:
>>
>> [CUT]
>>
>> [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem.20150205093609 -text'
>> Certificate:
>> Data:
>> Version: 3 (0x2)
>> Serial Number: 1423056193 (0x54d21d41)
>> Signature Algorithm: sha256WithRSAEncryption
>> Issuer: CN=VDSM Certificate Authority
>> Validity
>> Not Before: Feb 4 13:23:13 2015 GMT
>> Not After : Feb 4 13:23:13 2016 GMT
>> Subject: CN=ovirt01.hawai.lan, O=VDSM Certificate
>> Subject Public Key Info:
>> Public Key Algorithm: rsaEncryption
>>
>>
>> I think those were certs made during the first hosted engine installation.
>> Could it work if I manually create certs like this?
>> Just to start libvirtd, vdsm and hosted-engine.
> I think it's worth a try. Just create a self-signed CA, a keypair
> signed by it, and place them correctly, should work.
>
> The engine won't be able to talk with the host, but you can then more
> easily reinstall/re-enroll-certs.
>
> Good luck,
This workaround works!
I have hosted engine running!
So I have to find out how to reinstall/re-enroll certs on the host. From the engine
UI the host status is "NonResponsive" and I can't do anything....
_______________________________________________
Status:
Now the host status is "Unassigned". The engine can't reach the host because of a "General
SSLEngine problem", and that's OK because the certs are "home made".
I can't switch the host to maintenance because it's not operational.
I can't enroll the certificate because the host is not in maintenance status.
How can I enroll the host cert manually?
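
The workaround discussed in this thread (a self-signed CA and a host keypair signed by it), as an added example that is not part of the original messages. The subjects are copied from the old certificates quoted above; the function names, the scratch output directory, the file names `cakey.pem`, `vdsmkey.pem` and `vdsm.csr`, and the subjectAltName entry are assumptions of this sketch, and copying the files into place is left out.

```shell
#!/bin/bash
# Added example (not from the thread): throwaway CA plus a host cert signed by it.
# Files are written to a scratch directory; nothing under /etc/pki is touched.

make_temp_pki() {    # usage: make_temp_pki <outdir> <host-fqdn> [days]
    local out="$1" host="$2" days="${3:-365}" cfg
    mkdir -p "$out" || return 1
    cfg="$out/openssl.cnf"
    # Private config so the result does not depend on the system openssl.cnf
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_host]
basicConstraints = CA:FALSE
subjectAltName = DNS:$host
EOF
    (
        umask 077    # private keys readable by the owner only
        # 1. Self-signed CA, subject as on the old cacert.pem quoted in the thread
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
            -config "$cfg" -extensions v3_ca -subj "/CN=VDSM Certificate Authority" \
            -keyout "$out/cakey.pem" -out "$out/cacert.pem" 2>/dev/null || exit 1
        # 2. Host key and CSR, subject as on the old vdsmcert.pem
        openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
            -subj "/CN=$host/O=VDSM Certificate" \
            -keyout "$out/vdsmkey.pem" -out "$out/vdsm.csr" 2>/dev/null || exit 1
        # 3. Sign the CSR with the CA (SAN added here is an assumption of this example)
        openssl x509 -req -in "$out/vdsm.csr" -sha256 -days "$days" \
            -CA "$out/cacert.pem" -CAkey "$out/cakey.pem" -CAcreateserial \
            -extfile "$cfg" -extensions v3_host -out "$out/vdsmcert.pem" 2>/dev/null
    )
}

check_temp_pki() {   # usage: check_temp_pki <outdir>; 0 when chain and key both match
    local out="$1" cert_pub key_pub
    openssl verify -CAfile "$out/cacert.pem" "$out/vdsmcert.pem" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$out/vdsmcert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$out/vdsmkey.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}
```

Running `check_temp_pki` before moving anything catches a certificate that does not chain to the new CA or does not match its key, the two mistakes that would otherwise only show up as a TLS failure when the services start.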