Re: oVirt 4.4.x step-by-step procedure to renew expired oVirt certificates
Hello, If you refer to: 1. engine apache certificate expiration ("PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:) to access to ovirt console. => engine-setup --offline 2. hosts certificate expiration? => https://access.redhat.com/solutions/3532921 I also wrote a playbook to do so there: https://galaxy.ansible.com/natman/ovirt_renew_certs In this case, don't forget to renew certificate with UI (into maintenance) when host is reponding, otherwise you may enconter issues with console or live migration or other SSL related stuff. tested and approved. Le 16/06/2022 à 12:34, Marko Vrgotic a écrit :
Dear oVirt,
The oVirt SSL certificated were changed to one-year renewal and we have a problem now.
We are running 4.4.x version with SHE on local storage cluster and we have four more local storage clusters.
One the cluster running SHE, the engine and host certificates have expired. We found the procedure for renewal prior to expiration, but we do not have a mnual one, required once certificates have expired.
Would you be so kind to share the manual or steps needed to fix our oVirt setup.
Thank you in advance.
-----
kind regards/met vriendelijke groeten
Marko Vrgotic Sr. System Engineer @ System Administration
ActiveVideo
*o: *+31 (35) 6774131
*m: +*31 (65) 5734174**
*e:*m.vrgotic@activevideo.com <mailto:m.vrgotic@activevideo.com> *w: *www.activevideo.com <http://www.activevideo.com>
ActiveVideo Networks BV. Mediacentrum 3745 Joop van den Endeplein 1.1217 WJ Hilversum, The Netherlands. The information contained in this message may be legally privileged and confidential. It is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited. If you have received this message in error, please immediately notify the sender and/or ActiveVideo Networks, LLC by telephone at +1 408.931.9200 and delete or destroy any copy of this message.
_______________________________________________ Users mailing list --users@ovirt.org To unsubscribe send an email tousers-leave@ovirt.org Privacy Statement:https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct:https://www.ovirt.org/community/about/community-guidelines/ List Archives:https://lists.ovirt.org/archives/list/users@ovirt.org/message/5LOTLSGBZQAZQD...
-- Nathanaël Blanchet Supervision réseau SIRE 227 avenue Professeur-Jean-Louis-Viala 34193 MONTPELLIER CEDEX 5 Tél. 33 (0)4 67 54 84 55 Fax 33 (0)4 67 54 84 14 blanchet@abes.fr
Nathanaël Do you have a procedure that works on Ovirt 4.2.x as the engine-setup --offline doesn't seem to work for me as Admin Portal has a failure of "unable to find valid certification path" message. I have posted about this twice this week with no response from anyone. My engine and 32 hypervisors have expired certificates. Thanks Don On Thu, Jun 16, 2022 at 7:51 AM Nathanaël Blanchet <blanchet@abes.fr> wrote:
Hello,
If you refer to:
1. engine apache certificate expiration ("PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:) to access to ovirt console. => engine-setup --offline 2. hosts certificate expiration? => https://access.redhat.com/solutions/3532921 I also wrote a playbook to do so there: https://galaxy.ansible.com/natman/ovirt_renew_certs In this case, don't forget to renew certificate with UI (into maintenance) when host is reponding, otherwise you may enconter issues with console or live migration or other SSL related stuff.
tested and approved. Le 16/06/2022 à 12:34, Marko Vrgotic a écrit :
Dear oVirt,
The oVirt SSL certificated were changed to one-year renewal and we have a problem now.
We are running 4.4.x version with SHE on local storage cluster and we have four more local storage clusters.
One the cluster running SHE, the engine and host certificates have expired. We found the procedure for renewal prior to expiration, but we do not have a mnual one, required once certificates have expired.
Would you be so kind to share the manual or steps needed to fix our oVirt setup.
Thank you in advance.
-----
kind regards/met vriendelijke groeten
Marko Vrgotic Sr. System Engineer @ System Administration
ActiveVideo
*o: *+31 (35) 6774131
*m: +*31 (65) 5734174
*e:* m.vrgotic@activevideo.com *w: *www.activevideo.com
ActiveVideo Networks BV. Mediacentrum 3745 Joop van den Endeplein 1.1217 WJ Hilversum, The Netherlands. The information contained in this message may be legally privileged and confidential. It is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited. If you have received this message in error, please immediately notify the sender and/or ActiveVideo Networks, LLC by telephone at +1 408.931.9200 and delete or destroy any copy of this message.
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5LOTLSGBZQAZQD...
-- Nathanaël Blanchet
Supervision réseau SIRE 227 avenue Professeur-Jean-Louis-Viala 34193 MONTPELLIER CEDEX 5 Tél. 33 (0)4 67 54 84 55 Fax 33 (0)4 67 54 84 14blanchet@abes.fr
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/3S3XZX6RVXJCU5...
Hello Don, I'm sorry not to be able to help you... I was just happy that a simple 4.4 procedure was available when I needed it last month... There is no more support from community since a long time on 4.2 branch, that's why the best upgrade strategy is to regulary upgrade on upstream product. Neitherless, I'm sure the embbeded procedure to renew engine certs into "engine-setup --offline" should be nearly the same as the one to renew a 4.2 engine. May a RedHat guy help you on the way to follow... Good luck. Le 16/06/2022 à 15:25, Don Dupuis a écrit :
Nathanaël Do you have a procedure that works on Ovirt 4.2.x as the engine-setup --offline doesn't seem to work for me as Admin Portal has a failure of "unable to find valid certification path" message. I have posted about this twice this week with no response from anyone. My engine and 32 hypervisors have expired certificates.
Thanks Don
On Thu, Jun 16, 2022 at 7:51 AM Nathanaël Blanchet <blanchet@abes.fr> wrote:
Hello,
If you refer to:
1. engine apache certificate expiration ("PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:) to access to ovirt console. => engine-setup --offline 2. hosts certificate expiration? => https://access.redhat.com/solutions/3532921 I also wrote a playbook to do so there: https://galaxy.ansible.com/natman/ovirt_renew_certs In this case, don't forget to renew certificate with UI (into maintenance) when host is reponding, otherwise you may enconter issues with console or live migration or other SSL related stuff.
tested and approved.
Le 16/06/2022 à 12:34, Marko Vrgotic a écrit :
Dear oVirt,
The oVirt SSL certificated were changed to one-year renewal and we have a problem now.
We are running 4.4.x version with SHE on local storage cluster and we have four more local storage clusters.
One the cluster running SHE, the engine and host certificates have expired. We found the procedure for renewal prior to expiration, but we do not have a mnual one, required once certificates have expired.
Would you be so kind to share the manual or steps needed to fix our oVirt setup.
Thank you in advance.
-----
kind regards/met vriendelijke groeten
Marko Vrgotic Sr. System Engineer @ System Administration
ActiveVideo
*o: *+31 (35) 6774131
*m: +*31 (65) 5734174**
*e:*m.vrgotic@activevideo.com <mailto:m.vrgotic@activevideo.com> *w: *www.activevideo.com <http://www.activevideo.com>
ActiveVideo Networks BV. Mediacentrum 3745 Joop van den Endeplein 1.1217 WJ Hilversum, The Netherlands. The information contained in this message may be legally privileged and confidential. It is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited. If you have received this message in error, please immediately notify the sender and/or ActiveVideo Networks, LLC by telephone at +1 408.931.9200 and delete or destroy any copy of this message.
_______________________________________________ Users mailing list --users@ovirt.org To unsubscribe send an email tousers-leave@ovirt.org Privacy Statement:https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct:https://www.ovirt.org/community/about/community-guidelines/ List Archives:https://lists.ovirt.org/archives/list/users@ovirt.org/message/5LOTLSGBZQAZQD...
-- Nathanaël Blanchet
Supervision réseau SIRE 227 avenue Professeur-Jean-Louis-Viala 34193 MONTPELLIER CEDEX 5 Tél. 33 (0)4 67 54 84 55 Fax 33 (0)4 67 54 84 14 blanchet@abes.fr
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/3S3XZX6RVXJCU5...
-- Nathanaël Blanchet Supervision réseau SIRE 227 avenue Professeur-Jean-Louis-Viala 34193 MONTPELLIER CEDEX 5 Tél. 33 (0)4 67 54 84 55 Fax 33 (0)4 67 54 84 14 blanchet@abes.fr
I have solved my issue, I had to manually add the updated ca.pem and certs/engine.cer to /etc/pki/java/cacerts using keytool. Now I will work on getting the new certs to the hypervisors and then follow the enroll certificate process. Thanks Don On Thu, Jun 16, 2022 at 9:27 AM Nathanaël Blanchet <blanchet@abes.fr> wrote:
Hello Don,
I'm sorry not to be able to help you... I was just happy that a simple 4.4 procedure was available when I needed it last month...
There is no more support from community since a long time on 4.2 branch, that's why the best upgrade strategy is to regulary upgrade on upstream product.
Neitherless, I'm sure the embbeded procedure to renew engine certs into "engine-setup --offline" should be nearly the same as the one to renew a 4.2 engine.
May a RedHat guy help you on the way to follow...
Good luck. Le 16/06/2022 à 15:25, Don Dupuis a écrit :
Nathanaël Do you have a procedure that works on Ovirt 4.2.x as the engine-setup --offline doesn't seem to work for me as Admin Portal has a failure of "unable to find valid certification path" message. I have posted about this twice this week with no response from anyone. My engine and 32 hypervisors have expired certificates.
Thanks Don
On Thu, Jun 16, 2022 at 7:51 AM Nathanaël Blanchet <blanchet@abes.fr> wrote:
Hello,
If you refer to:
1. engine apache certificate expiration ("PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:) to access to ovirt console. => engine-setup --offline 2. hosts certificate expiration? => https://access.redhat.com/solutions/3532921 I also wrote a playbook to do so there: https://galaxy.ansible.com/natman/ovirt_renew_certs In this case, don't forget to renew certificate with UI (into maintenance) when host is reponding, otherwise you may enconter issues with console or live migration or other SSL related stuff.
tested and approved. Le 16/06/2022 à 12:34, Marko Vrgotic a écrit :
Dear oVirt,
The oVirt SSL certificated were changed to one-year renewal and we have a problem now.
We are running 4.4.x version with SHE on local storage cluster and we have four more local storage clusters.
One the cluster running SHE, the engine and host certificates have expired. We found the procedure for renewal prior to expiration, but we do not have a mnual one, required once certificates have expired.
Would you be so kind to share the manual or steps needed to fix our oVirt setup.
Thank you in advance.
-----
kind regards/met vriendelijke groeten
Marko Vrgotic Sr. System Engineer @ System Administration
ActiveVideo
*o: *+31 (35) 6774131
*m: +*31 (65) 5734174
*e:* m.vrgotic@activevideo.com *w: *www.activevideo.com
ActiveVideo Networks BV. Mediacentrum 3745 Joop van den Endeplein 1.1217 WJ Hilversum, The Netherlands. The information contained in this message may be legally privileged and confidential. It is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited. If you have received this message in error, please immediately notify the sender and/or ActiveVideo Networks, LLC by telephone at +1 408.931.9200 and delete or destroy any copy of this message.
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5LOTLSGBZQAZQD...
-- Nathanaël Blanchet
Supervision réseau SIRE 227 avenue Professeur-Jean-Louis-Viala 34193 MONTPELLIER CEDEX 5 Tél. 33 (0)4 67 54 84 55 Fax 33 (0)4 67 54 84 14blanchet@abes.fr
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/3S3XZX6RVXJCU5...
-- Nathanaël Blanchet
Supervision réseau SIRE 227 avenue Professeur-Jean-Louis-Viala 34193 MONTPELLIER CEDEX 5 Tél. 33 (0)4 67 54 84 55 Fax 33 (0)4 67 54 84 14blanchet@abes.fr
Dear Nathanael, Thank you very much for you reply. Regarding host expiration playbook you wrote – my compliments – is it safe to run on host with expired certificates, or its rather meant to be executed for renewal of certs on hosts with still valid certs? We have also found following script which should at least safely take care of the renewal of certs on host with already expired certificates - . https://github.com/tothf/renew_vdsm_cert/blob/main/renew_vdsm_cert.sh ----- kind regards/met vriendelijke groeten Marko Vrgotic Sr. System Engineer @ System Administration ActiveVideo o: +31 (35) 6774131 m: +31 (65) 5734174 e: m.vrgotic@activevideo.com<mailto:m.vrgotic@activevideo.com> w: www.activevideo.com<http://www.activevideo.com> ActiveVideo Networks BV. Mediacentrum 3745 Joop van den Endeplein 1.1217 WJ Hilversum, The Netherlands. The information contained in this message may be legally privileged and confidential. It is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited. If you have received this message in error, please immediately notify the sender and/or ActiveVideo Networks, LLC by telephone at +1 408.931.9200 and delete or destroy any copy of this message. From: Nathanaël Blanchet <blanchet@abes.fr> Date: Thursday, 16 June 2022 at 14:40 To: Marko Vrgotic <M.Vrgotic@activevideo.com>, users@ovirt.org <users@ovirt.org> Subject: Re: [ovirt-users] oVirt 4.4.x step-by-step procedure to renew expired oVirt certificates ***CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender!!!*** Hello, If you refer to: 1. engine apache certificate expiration ("PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:) to access to ovirt console. => engine-setup --offline 2. hosts certificate expiration? => https://access.redhat.com/solutions/3532921<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Faccess.redhat.com%2Fsolutions%2F3532921&data=05%7C01%7CM.Vrgotic%40activevideo.com%7C0c044a712ec345bfc0e208da4f956ba5%7C214268a3e1214486acd4545c9faf2252%7C0%7C0%7C637909800447577334%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=vJdKkKWmUlUadBJdKZyi1s3xG%2FiadJXzCdubUI7Tci0%3D&reserved=0> I also wrote a playbook to do so there: https://galaxy.ansible.com/natman/ovirt_renew_certs<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgalaxy.ansible.com%2Fnatman%2Fovirt_renew_certs&data=05%7C01%7CM.Vrgotic%40activevideo.com%7C0c044a712ec345bfc0e208da4f956ba5%7C214268a3e1214486acd4545c9faf2252%7C0%7C0%7C637909800447577334%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=TdI9MylDTwBjTPTGDikLjgmn5qm21PeTVU5oA6FzcFc%3D&reserved=0> In this case, don't forget to renew certificate with UI (into maintenance) when host is reponding, otherwise you may enconter issues with console or live migration or other SSL related stuff. tested and approved. Le 16/06/2022 à 12:34, Marko Vrgotic a écrit : Dear oVirt, The oVirt SSL certificated were changed to one-year renewal and we have a problem now. We are running 4.4.x version with SHE on local storage cluster and we have four more local storage clusters. One the cluster running SHE, the engine and host certificates have expired. We found the procedure for renewal prior to expiration, but we do not have a mnual one, required once certificates have expired. Would you be so kind to share the manual or steps needed to fix our oVirt setup. Thank you in advance. ----- kind regards/met vriendelijke groeten Marko Vrgotic Sr. System Engineer @ System Administration ActiveVideo o: +31 (35) 6774131 m: +31 (65) 5734174 e: m.vrgotic@activevideo.com<mailto:m.vrgotic@activevideo.com> w: www.activevideo.com<http://www.activevideo.com> ActiveVideo Networks BV. Mediacentrum 3745 Joop van den Endeplein 1.1217 WJ Hilversum, The Netherlands. The information contained in this message may be legally privileged and confidential. It is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited. If you have received this message in error, please immediately notify the sender and/or ActiveVideo Networks, LLC by telephone at +1 408.931.9200 and delete or destroy any copy of this message. _______________________________________________ Users mailing list -- users@ovirt.org<mailto:users@ovirt.org> To unsubscribe send an email to users-leave@ovirt.org<mailto:users-leave@ovirt.org> Privacy Statement: https://www.ovirt.org/privacy-policy.html<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ovirt.org%2Fprivacy-policy.html&data=05%7C01%7CM.Vrgotic%40activevideo.com%7C0c044a712ec345bfc0e208da4f956ba5%7C214268a3e1214486acd4545c9faf2252%7C0%7C0%7C637909800447577334%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=8poVfx7c4bx56qhTA6uS97liTukzBAExm%2BzZLVlCfaY%3D&reserved=0> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ovirt.org%2Fcommunity%2Fabout%2Fcommunity-guidelines%2F&data=05%7C01%7CM.Vrgotic%40activevideo.com%7C0c044a712ec345bfc0e208da4f956ba5%7C214268a3e1214486acd4545c9faf2252%7C0%7C0%7C637909800447577334%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=IKvaq2yh5RQiMoOphM0DbUL62DVzW8y6c5sdaYZ5OUc%3D&reserved=0> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5LOTLSGBZQAZQD7L76ZMGFALTHODKYKO/<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.ovirt.org%2Farchives%2Flist%2Fusers%40ovirt.org%2Fmessage%2F5LOTLSGBZQAZQD7L76ZMGFALTHODKYKO%2F&data=05%7C01%7CM.Vrgotic%40activevideo.com%7C0c044a712ec345bfc0e208da4f956ba5%7C214268a3e1214486acd4545c9faf2252%7C0%7C0%7C637909800447577334%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=rYEmpj0TRfVwkp5%2B5FMs6%2BuUUYyEs9lY5erqWr5z4xw%3D&reserved=0> -- Nathanaël Blanchet Supervision réseau SIRE 227 avenue Professeur-Jean-Louis-Viala 34193 MONTPELLIER CEDEX 5 Tél. 33 (0)4 67 54 84 55 Fax 33 (0)4 67 54 84 14 blanchet@abes.fr<mailto:blanchet@abes.fr>
participants (3)
-
Don Dupuis -
Marko Vrgotic -
Nathanaël Blanchet