On Thu, Nov 4, 2021 at 6:51 PM Kapetanakis Giannis <
On 27/04/2021 17:12, capelle(a)labri.fr wrote:
> Since a few weeks, we are not able to connect to the vmconsole proxy:
> $ ssh -t -p 2222 ovirt-vmconsole@ovirt
> ovirt-vmconsole@ovirt: Permission denied (publickey).
This is a hackish way to generate a new certificate outside of
1. Backup oVirt and especially /etc on engine
2. Generate a new request for the vmconsole-proxy-helper
openssl req -new -out vmconsole.req -subj /CN=MY_OVIRT_FQDN -key
3. Use the oVirt CA to sign this request to produce a new cert:
cat > extfile.conf <<EOT# lets try to mimic the extensions that oVirt CA
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = DER:300E060C2B0601040192080D01020101
Sign the request
openssl x509 -req -CA /etc/pki/ovirt-engine/certs/ca.der -inform DER
-CAkey /etc/pki/ovirt-engine/private/ca.pem -set_serial MY_SERIAL_NO \
-extfile extfile.conf -in vmconsole.req
Then you can use this cert to override
Needless to say, this is extremely hackish - and I would like to know the
proper way to work this.
BTW my vmconsole SSH keys/certs also were a) expired b) wrong type ssh-rsa
so I needed to jump
through similar hoops to get proxy -> host working again.