On Fri, Jan 14, 2022 at 09:45 Martin Perina <mperina(a)redhat.com> wrote:
On Thu, Jan 13, 2022 at 4:53 PM Sandro Bonazzola <sbonazzo(a)redhat.com> wrote:
>
>
> On Thu, Jan 13, 2022 at 15:34 Konstantin Shalygin <k0ste(a)k0ste.ru> wrote:
>
>> > Is it possible to get, maybe from Postgres, the host certificate date?
>> > The engine runs this check sometimes, but triggering this check seems
>> > impossible
>>
>> Anybody?
>> @Sandro please help
>>
>> The engine makes the check once per day and prints to the logs.
>> How can we run a manual check or see the info in the PostgreSQL database? This
>> is required because the days until the end of the certificate's life
>> expire; waiting for the next day in order to understand the result of
>> deploying a new certificate is a strange situation.
>>
>
> Maybe @Martin Perina <mperina(a)redhat.com> can assist?
>
Hi,
host certificates are not saved anywhere in the engine database; you need
to go to the host itself to find out the expiration date. There are 2
options:
  1. Directly on the host, after connecting via SSH, you can run the command below:
     # openssl x509 -text -noout -in /etc/pki/vdsm/certs/vdsmcert.pem | grep -A2 Validity
  2. Remotely, using openssl, you can run the command below:
     # openssl s_client -showcerts -connect <HOST FQDN>:54321 | openssl x509 -text -noout | grep -A2 Validity
ovirt-engine performs certificate checks every day (this can be configured
using the engine-config option CertificationValidityCheckTimeInHours), and it
checks not only host certificates, but also the engine certificate and the
engine CA certificate. This check produces the following records in the
ovirt-engine audit log:
  1. If the certificate has already expired, then the audit log ALERT below is
     created, depending on the type of certificate:
     - *Host ${VdsName} certification has expired at ${ExpirationDate}.
       Please renew the host's certification.*
     - *Engine's certification has expired at ${ExpirationDate}. Please
       renew the engine's certification.*
     - *Engine's CA certification has expired at ${ExpirationDate}.*
  2. If the certificate is going to expire in less than 7 days, then the
     audit log ALERT below is created, depending on the type of certificate:
     - *Host ${VdsName} certification is about to expire at
       ${ExpirationDate}. Please renew the host's certification.*
     - *Engine's certification is about to expire at ${ExpirationDate}.
       Please renew the engine's certification.*
     - *Engine's CA certification is about to expire at ${ExpirationDate}.*
  3. If the certificate is going to expire in less than 30 days, then the
     audit log WARNING below is created, depending on the type of certificate:
     - *Host ${VdsName} certification is about to expire at
       ${ExpirationDate}. Please renew the host's certification.*
     - *Engine's certification is about to expire at ${ExpirationDate}.
       Please renew the engine's certification.*
     - *Engine's CA certification is about to expire at ${ExpirationDate}.*
Regards,
Martin
Martin, is this something which can fit in oVirt administration
documentation?
Konstantin, what's the purpose of getting the certificate's dates?
>
>>
>>
>> Thanks,
>> k
>
> --
> Sandro Bonazzola
> MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV
> Red Hat EMEA <https://www.redhat.com/>
> sbonazzo(a)redhat.com
> *Red Hat respects your work life balance. Therefore there is no need to
> answer this email out of your office hours.*
>
--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
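
Added example, not part of the original thread and not oVirt code: a small shell helper that reads a certificate's notAfter date with openssl and classifies it with the thresholds described in the reply above (expired, less than 7 days, less than 30 days). The function names and the EXPIRED/ALERT/WARNING/OK labels are hypothetical, and GNU date is assumed for parsing.

```shell
#!/bin/sh
# Added example (not oVirt code). Thresholds follow the reply above:
# expired -> EXPIRED, < 7 days -> ALERT, < 30 days -> WARNING, otherwise OK.
# Assumes GNU date (for -d parsing). Function names are hypothetical.

DAY=86400

# classify_not_after "<notAfter=... line from openssl>" [now_epoch]
# The body runs in a subshell "( )" so its variables stay local.
classify_not_after() (
    end_str=${1#notAfter=}
    now=${2:-$(date +%s)}
    end=$(date -u -d "$end_str" +%s 2>/dev/null) || exit 2   # unparsable date
    left=$(( end - now ))
    if   [ "$left" -le 0 ];               then echo EXPIRED
    elif [ "$left" -lt $(( 7 * DAY )) ];  then echo ALERT
    elif [ "$left" -lt $(( 30 * DAY )) ]; then echo WARNING
    else echo OK
    fi
)

# check_cert_file <pem>: local check, e.g. /etc/pki/vdsm/certs/vdsmcert.pem
check_cert_file() (
    line=$(openssl x509 -enddate -noout -in "$1") || exit 2
    echo "$(classify_not_after "$line") $1 (${line#notAfter=})"
)

# check_cert_remote <host fqdn> [port]: check the certificate a host presents.
# Port 54321 is the one used in the reply; </dev/null ends the TLS session
# once the handshake has completed instead of waiting for input.
check_cert_remote() (
    line=$(openssl s_client -connect "$1:${2:-54321}" </dev/null 2>/dev/null |
           openssl x509 -enddate -noout) || exit 2
    echo "$(classify_not_after "$line") $1 (${line#notAfter=})"
)

# Constructed sample: a certificate ending six days after a fixed "now"
# (1642118400 = 2022-01-14 00:00:00 UTC).
classify_not_after "notAfter=Jan 20 00:00:00 2022 GMT" 1642118400   # prints ALERT
```

Running check_cert_file right after re-enrolling a host certificate gives the result immediately instead of waiting for the engine's next daily check.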