Good evening all,
I have a three-host installation with a separate dedicated bare metal
system for the engine, running oVirt 4.5.2.4-1.el8.
This afternoon, the engine lost communication with one of the hosts. The
engine log says the certificate is expired.
The official solution appears to be to put the host into maintenance mode
then re-enroll it.
Unfortunately, because the certificate is expired, the engine cannot switch
to maintenance mode or control the VMs to shut them down.
Error while executing action: Cannot switch Host to Maintenance mode.
Host still has running VMs on it and is in Non Responsive state.
See the log excerpt below.
What is the correct way to update/reinstate a certificate in a running
cluster when the engine does not acknowledge the host is operational due to
an expired certificate?
Thank you.
*David Johnson*
Log excerpt:
2023-07-20 16:27:46,904-05 INFO
[org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (SSL Stomp Reactor)
[] Connecting to /192.168.2.18
2023-07-20 16:27:46,904-05 INFO
[org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (SSL Stomp Reactor)
[] *Connected to /192.168.2.18:54321*
2023-07-20 16:27:46,912-05 ERROR
[org.ovirt.vdsm.jsonrpc.client.reactors.Reactor] (SSL Stomp Reactor) [] *Unable
to process messages Received fatal alert: certificate_expired*
2023-07-20 16:27:46,914-05 ERROR
[org.ovirt.engine.core.vdsbroker.monitoring.HostMonitoring]
(EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-52) []
Unable to RefreshCapabilities: VDSNetworkException: VDSGenericException:
VDSNetworkException: Received fatal alert: certificate_expired
2023-07-20 16:27:47,356-05 ERROR
[org.ovirt.engine.core.vdsbroker.monitoring.HostMonitoring]
(EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-34) []
Unable to RefreshCapabilities: ClientConnectionException: SSL session is
invalid
2023-07-20 16:27:47,356-05 WARN
[org.ovirt.engine.core.bll.lock.InMemoryLockManager]
(EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-34) []
Trying to release exclusive lock which does not exist, lock key:
'f69d35b2-7666-4ac6-8645-2f119cf2ce1cVDS_INIT'
2023-07-20 16:27:47,356-05 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.GetCapabilitiesAsyncVDSCommand]
(EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-34) []
Command
'org.ovirt.engine.core.vdsbroker.vdsbroker.GetCapabilitiesAsyncVDSCommand'
return value
'org.ovirt.engine.core.vdsbroker.vdsbroker.VDSInfoReturn@7d03f4f0'
2023-07-20 16:27:47,356-05 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.GetCapabilitiesAsyncVDSCommand]
(EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-34) []
HostName = ovirt-host-03
2023-07-20 16:27:47,356-05 ERROR
[org.ovirt.engine.core.vdsbroker.vdsbroker.GetCapabilitiesAsyncVDSCommand]
(EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-34) []
Command 'GetCapabilitiesAsyncVDSCommand(HostName = ovirt-host-03,
VdsIdAndVdsVDSCommandParametersBase:{hostId='f69d35b2-7666-4ac6-8645-2f119cf2ce1c',
vds='Host[ovirt-host-03,f69d35b2-7666-4ac6-8645-2f119cf2ce1c]'})' execution
failed: org.ovirt.vdsm.jsonrpc.client.ClientConnectionException: *SSL
session is invalid*
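
An added triage example, not part of the original post: it re-joins the mail-wrapped engine log records shown above and reports which peer address drew the `certificate_expired` alert and which host name appears in the failed commands. The sample is constructed from the excerpt, and attributing an alert to the most recently dialled peer is an assumption that only holds when the reactor's connection attempts are not interleaved.

```python
import re
from collections import Counter

# Constructed sample: three records in the shape of the excerpt above, mail wrapping kept.
SAMPLE = """\
2023-07-20 16:27:46,904-05 INFO
[org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (SSL Stomp Reactor)
[] Connecting to /192.168.2.18
2023-07-20 16:27:46,912-05 ERROR
[org.ovirt.vdsm.jsonrpc.client.reactors.Reactor] (SSL Stomp Reactor) [] Unable
to process messages Received fatal alert: certificate_expired
2023-07-20 16:27:47,356-05 ERROR
[org.ovirt.engine.core.vdsbroker.vdsbroker.GetCapabilitiesAsyncVDSCommand]
(EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-34) []
Command 'GetCapabilitiesAsyncVDSCommand(HostName = ovirt-host-03,
VdsIdAndVdsVDSCommandParametersBase:{hostId='f69d35b2-7666-4ac6-8645-2f119cf2ce1c',
vds='Host[ovirt-host-03,f69d35b2-7666-4ac6-8645-2f119cf2ce1c]'})' execution
failed: org.ovirt.vdsm.jsonrpc.client.ClientConnectionException: SSL
session is invalid
"""

STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{2}")
PEER = re.compile(r"Connecting to /(\S+)")
HOST = re.compile(r"HostName = ([\w.-]+)")

def records(text):
    """Re-join wrapped lines; a record runs from one timestamp to the next."""
    current = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) and current:
            yield " ".join(current)
            current = []
        current.append(line)
    if current:
        yield " ".join(current)

def tls_failures(text):
    """Count certificate_expired alerts per peer and failed commands per host."""
    peers, hosts, last_peer = Counter(), Counter(), None
    for rec in records(text):
        m = PEER.search(rec)
        if m:
            last_peer = m.group(1)  # assumption: alert belongs to last peer dialled
        elif "fatal alert: certificate_expired" in rec and last_peer:
            peers[last_peer] += 1
        elif "SSL session is invalid" in rec and (h := HOST.search(rec)):
            hosts[h.group(1)] += 1
    return peers, hosts

if __name__ == "__main__": print(tls_failures(SAMPLE))
```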