Re: How-to get oVirt host certificated date

Is it possible to get the host certificate date, maybe from Postgres? The engine runs this check sometimes, but triggering this check seems impossible.

Anybody? @Sandro please help.

The engine makes the check once per day and prints to logs. How can we run a manual check or see the info in the PostgreSQL database? This is required because while the days until the end of the certificate's life run out, waiting for the next day in order to understand the result of deploying a new certificate is a strange situation.

Thanks,
k

On Thu, 13 Jan 2022 at 15:34, Konstantin Shalygin <k0ste@k0ste.ru> wrote:
Maybe @Martin Perina <mperina@redhat.com> can assist?
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/3WK5CJYL3PXXCJ...
--
Sandro Bonazzola
MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV
Red Hat EMEA <https://www.redhat.com/>
sbonazzo@redhat.com <https://www.redhat.com/>
*Red Hat respects your work life balance. Therefore there is no need to answer this email out of your office hours.*

On Thu, Jan 13, 2022 at 4:53 PM Sandro Bonazzola <sbonazzo@redhat.com> wrote:
Hi,
host certificates are not saved anywhere in the engine database, you need to go to the host itself to find out the expiration date. There are 2 options:

1. Directly on the host after connecting via SSH you can run below

# openssl x509 -text -noout -in /etc/pki/vdsm/certs/vdsmcert.pem | grep -A2 Validity

2. Remotely using openssl you can run below

# openssl s_client -showcerts -connect <HOST FQDN>:54321 | openssl x509 -text -noout | grep -A2 Validity

ovirt-engine performs certificate checks every day (can be configured using engine-config option CertificationValidityCheckTimeInHours) and it checks not only hosts certificates, but also the engine certificate and the engine CA certificate. This check produces the following records in the ovirt-engine audit log:

1. If the certificate has already expired then the below audit log ALERT is created depending on the type of certificate:
- *Host ${VdsName} certification has expired at ${ExpirationDate}. Please renew the host's certification.*
- *Engine's certification has expired at ${ExpirationDate}. Please renew the engine's certification.*
- *Engine's CA certification has expired at ${ExpirationDate}.*

2. If the certificate is going to expire in less than 7 days, then the below audit log ALERT is created depending on the type of certificate:
- *Host ${VdsName} certification is about to expire at ${ExpirationDate}. Please renew the host's certification.*
- *Engine's certification is about to expire at ${ExpirationDate}. Please renew the engine's certification.*
- *Engine's CA certification is about to expire at ${ExpirationDate}.*

3. If the certificate is going to expire in less than 30 days, then the below audit log WARNING is created depending on the type of certificate:
- *Host ${VdsName} certification is about to expire at ${ExpirationDate}. Please renew the host's certification.*
- *Engine's certification is about to expire at ${ExpirationDate}. Please renew the engine's certification.*
- *Engine's CA certification is about to expire at ${ExpirationDate}.*

Regards,
Martin
--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
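As an added example (my own code, not oVirt's and not part of Martin's message): a small Python script that wraps the two openssl invocations described above and classifies the certificate's "Not After" date with the same thresholds the engine's daily check uses (already expired or under 7 days left: ALERT; under 30 days: WARNING). It assumes the openssl CLI is on PATH; the function names and the sample openssl output embedded in it are constructed for this example.

```python
"""Added example (not oVirt's or Martin's code): read a host certificate the
two ways described in the thread and classify its 'Not After' date with the
thresholds used by the engine's daily certificate check.

Assumes the openssl CLI is installed; function names are mine."""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Thresholds as described for the engine's daily check:
# already expired -> ALERT, < 7 days -> ALERT, < 30 days -> WARNING.
ALERT_DAYS = 7
WARNING_DAYS = 30

# `openssl x509 -text` prints e.g. "Not After : Feb 13 16:57:10 2023 GMT"
_NOT_BEFORE = re.compile(r"Not Before\s*:\s*(.*?)\s*$", re.MULTILINE)
_NOT_AFTER = re.compile(r"Not After\s*:\s*(.*?)\s*$", re.MULTILINE)
_OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"

# Constructed sample of the Validity section of `openssl x509 -text` output.
SAMPLE_X509_TEXT = """\
        Validity
            Not Before: Jan 10 16:57:10 2022 GMT
            Not After : Feb 13 16:57:10 2023 GMT
"""


def utc(*ymd_hms: int) -> datetime:
    """Build an aware UTC datetime, e.g. utc(2023, 2, 10)."""
    return datetime(*ymd_hms, tzinfo=timezone.utc)


def _parse_openssl_time(text: str) -> datetime:
    # openssl pads single-digit days with a space ("Jan  3 ..."); strptime
    # treats whitespace in the format as one-or-more spaces, so that parses.
    return datetime.strptime(text, _OPENSSL_TIME).replace(tzinfo=timezone.utc)


def parse_validity(x509_text: str):
    """Return (not_before, not_after) as UTC datetimes from `openssl x509 -text` output."""
    nb = _NOT_BEFORE.search(x509_text)
    na = _NOT_AFTER.search(x509_text)
    if nb is None or na is None:
        raise ValueError("no Validity section found in openssl output")
    return _parse_openssl_time(nb.group(1)), _parse_openssl_time(na.group(1))


def classify(not_after: datetime, now: datetime = None):
    """Map remaining lifetime to the engine's audit-log severity.

    Returns (severity, state, days_left); days_left is negative once expired.
    """
    now = now or datetime.now(timezone.utc)
    remaining = not_after - now
    days_left = remaining.days  # floors toward -inf: 3d16h -> 3, -1h -> -1
    if remaining <= timedelta(0):
        return "ALERT", "expired", days_left
    if remaining < timedelta(days=ALERT_DAYS):
        return "ALERT", "about to expire", days_left
    if remaining < timedelta(days=WARNING_DAYS):
        return "WARNING", "about to expire", days_left
    return "OK", "valid", days_left


def local_cert_text(path: str = "/etc/pki/vdsm/certs/vdsmcert.pem") -> str:
    """Option 1 from the thread: inspect the certificate file on the host itself."""
    return subprocess.run(
        ["openssl", "x509", "-text", "-noout", "-in", path],
        check=True, capture_output=True, text=True,
    ).stdout


def remote_cert_text(fqdn: str, port: int = 54321) -> str:
    """Option 2 from the thread: fetch the certificate from vdsm's TLS port.

    vdsm demands a client certificate, so s_client exits with an alert after
    the handshake; the server certificate has already been printed by then,
    which is why check=True is not used on the first command.
    """
    s_client = subprocess.run(
        ["openssl", "s_client", "-showcerts", "-connect", f"{fqdn}:{port}"],
        input="", capture_output=True, text=True,
    )
    return subprocess.run(
        ["openssl", "x509", "-text", "-noout"],
        input=s_client.stdout, check=True, capture_output=True, text=True,
    ).stdout


def report(x509_text: str, label: str, now: datetime = None) -> str:
    """One line per certificate, phrased like the engine's audit messages."""
    _, not_after = parse_validity(x509_text)
    severity, state, days_left = classify(not_after, now)
    return (f"{severity}: {label} certification is {state} at "
            f"{not_after:%Y-%m-%d %H:%M:%S} UTC ({days_left} days left)")


if __name__ == "__main__":
    # usage: cert_check.py [<host fqdn> ...]; with no arguments read the local file
    targets = sys.argv[1:]
    if not targets:
        print(report(local_cert_text(), "Host (local)"))
    for fqdn in targets:
        print(report(remote_cert_text(fqdn), f"Host {fqdn}"))
```

Run it with no arguments on a host to read /etc/pki/vdsm/certs/vdsmcert.pem, or pass one or more host FQDNs to query port 54321 from the engine. Because it reads the certificate live, a freshly enrolled certificate is reflected immediately rather than at the engine's next scheduled check.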

On Fri, 14 Jan 2022 at 09:45, Martin Perina <mperina@redhat.com> wrote:
Martin, is this something which can fit in oVirt administration documentation? Konstantin, what's the purpose of getting the certificate's dates?

Sandro, the main one is: "admin enrolls a new cert, but the engine spams the log that the cert will expire".

Checking the host cert via Martin's snippet, the cert was deployed on Jan 10 2022:

[root@control1 ovirt-engine]# openssl s_client -showcerts -connect 192.168.101.16:54321 | openssl x509 -text -noout | grep -A2 Validity
Can't use SSL_get_servername
depth=1 C = US, O = opentech.local, CN = control1.opentech.local.54279
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = US, O = opentech.local, CN = control1.opentech.local.54279
verify return:1
depth=0 O = opentech.local, CN = 192.168.101.16
verify return:1
140358921414464:error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:ssl/record/rec_layer_s3.c:1543:SSL alert number 116
        Validity
            Not Before: Jan 10 16:57:10 2022 GMT
            Not After : Feb 13 16:57:10 2023 GMT

But the engine "doesn't see these changes" on 12 Jan, 13 Jan:

[root@control1 ovirt-engine]# gunzip -c *\.gz | ack 'certification is about to expire' | grep ovirt-host6 | awk '{print $1 " " $2 " " $10}'
2022-01-11 20:57:33,890+07 ovirt-host6.opentech.local
2022-01-12 20:57:33,925+07 ovirt-host6.opentech.local
2022-01-13 20:57:33,958+07 ovirt-host6.opentech.local

Yesterday I restarted ovirt-engine, now these alerts are gone.

The certificate enrolling routine should be documented.

Thanks,
k
On 14 Jan 2022, at 11:48, Sandro Bonazzola <sbonazzo@redhat.com> wrote:
Martin, is this something which can fit in oVirt administration documentation? Konstantin, what's the purpose of getting the certificate's dates?

Thanks Martin!!!
On 14 Jan 2022, at 11:45, Martin Perina <mperina@redhat.com> wrote:
Participants (3): Konstantin Shalygin, Martin Perina, Sandro Bonazzola