Certificates Expiration Problem - Urgent Help Needed

Hi!

Today my hosts (engine + all nodes) certificates expired and I re-ran engine-setup to renew certificates.

Then I did for each node host: Edit host -> Advanced parameters -> Fetch SSH public key (PEM) in order to update certificates on nodes; everything finished just fine.

Unfortunately, one of the most crucial nodes (node14) still shows this error:

VDSM node14 command Get Host Capabilities failed: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

Restarted vdsmd and vdsm-network, still the same; the node is marked as non-responsive, and all VMs with a "?" sign (unknown status).

However, node14 pings without any problem, its storage domain is shown in green (OK), and all VMs are running fine.

Service vdsm-network status is OK, vdsmd is NOT:

Aug 08 22:07:27 node14.***.lv vdsm[1264164]: ERROR ssl handshake: socket error, address: ::ffff:192.168.0.4

This node is running our accounting and stock control system; its storage domain holds the VM disk of that software. If it's non-operational after restart, it's BIG trouble; I will not be able to migrate the VM disk anywhere. Restoring the accounting DB from daily backup is a lengthy process of 2 - 3 hours.

Please advise what to do next.

Thanks in advance.

Solution: https://access.redhat.com/solutions/3532921

-----Original Message-----
From: Andrei Verovski <andreil1@starlett.lv>
Sent: 9 August 2022, 3:14
To: users@ovirt.org
Subject: [ovirt-users] Certificates Expiration Problem - Urgent Help Needed

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/7ERPAMDT2KO4W6...

Hi,

Looks like this is a suitable article.
https://microdevsys.com/wp/get-host-capabilities-failed-general-sslengine-problem/

Please note I have problem with
VDSM node14 command Get Host Capabilities failed: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
only on 1 node, everything else works just fine.

Is this correct or outdated/obsolete?

[root@mdskvm-p01 vdsm]# /usr/libexec/vdsm/vdsm-gencerts.sh /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/certs/vdsmcert.pem
[root@mdskvm-p01 vdsm]#
[root@mdskvm-p01 vdsm]# ls -altri /usr/libexec/vdsm/vdsm-gencerts.sh /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/certs/vdsmcert.pem
67445862 -rwxr-xr-x. 1 root root 2362 Jul 9 05:36 /usr/libexec/vdsm/vdsm-gencerts.sh
45255 -rw-------. 1 vdsm kvm 5816 Sep 28 17:48 /etc/pki/vdsm/keys/vdsmkey.pem
203185926 -rw-------. 1 vdsm kvm 1127 Sep 28 17:48 /etc/pki/vdsm/certs/cacert.pem
203185790 -rw-------. 1 vdsm kvm 1241 Sep 28 17:48 /etc/pki/vdsm/certs/vdsmcert.pem
[root@mdskvm-p01 vdsm]#

On 9 Aug 2022, at 03:43, adam_xu@adagene.com.cn wrote:
Solution: https://access.redhat.com/solutions/3532921

/usr/libexec/vdsm/vdsm-gencerts.sh /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/certs/vdsmcert.pem

Yields nothing. No error messages, and no updated certificates in /etc/pki/vdsm/certs/

On 9 Aug 2022, at 10:28, Andrei Verovski <andreil1@starlett.lv> wrote:
Hi,
Looks like this is a suitable article. https://microdevsys.com/wp/get-host-capabilities-failed-general-sslengine-pr...
Please note I have problem with VDSM node14 command Get Host Capabilities failed: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
only on 1 node, everything else works just fine.
Is this correct or outdated/obsolete ?

I checked this bash script vdsm-gencerts.sh; it does nothing if the certificate files are present. Renamed old certificates to .*old, now new certificates are present.

After vdsmd and vdsm-network restart:

Node log:
Aug 09 12:10:44 node14.xxx vdsm[1399211]: WARN MOM not available. Error: [Errno 111] Connection refused

Engine log:
2022-08-09 12:17:11,419+03 ERROR [org.ovirt.engine.core.vdsbroker.monitoring.HostMonitoring] (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-11) [] Unable to RefreshCapabilities: VDSNetworkException: VDSGenericException: VDSNetworkException: Message timeout which can be caused by communication issues

Is this the correct procedure, or do this node's new certificates have to be imported somewhere into Engine?

I had to do a bit of hacking to get this node up and migrate the accounting VM to another node.

Thanks.

On 9 Aug 2022, at 11:16, Andrei Verovski <andreil1@starlett.lv> wrote:
/usr/libexec/vdsm/vdsm-gencerts.sh /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/certs/vdsmcert.pem
Yields nothing. No error messages, and no updated certificates in /etc/pki/vdsm/certs/
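
Added example, not part of any message in this thread: a read-only check of the three PKI files the thread names, reporting expiry state, whether the host certificate verifies against cacert.pem, and whether vdsmkey.pem belongs to vdsmcert.pem. The function names and the WARN_DAYS threshold are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): validity checks for the VDSM PKI files.
# Paths are those quoted in the thread; WARN_DAYS is an assumed threshold.
CA=${CA:-/etc/pki/vdsm/certs/cacert.pem}
CERT=${CERT:-/etc/pki/vdsm/certs/vdsmcert.pem}
KEY=${KEY:-/etc/pki/vdsm/keys/vdsmkey.pem}
WARN_DAYS=${WARN_DAYS:-30}

# cert_state FILE -> UNREADABLE | EXPIRED | EXPIRING | OK
cert_state() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo UNREADABLE; return 0; }
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$1" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# chain_state CAFILE CERT -> CHAIN_OK | CHAIN_FAIL
# openssl verify also rejects a certificate outside its validity period.
chain_state() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo CHAIN_OK
    else
        echo CHAIN_FAIL
    fi
}

# key_state CERT KEY -> KEY_MATCH | KEY_MISMATCH (compares the public keys)
key_state() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || c=
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || k=
    if [ -n "$c" ] && [ "$c" = "$k" ]; then echo KEY_MATCH; else echo KEY_MISMATCH; fi
}

# Print one line per certificate, then the issuer, chain and key results.
report() {
    for f in "$CA" "$CERT"; do
        printf '%s: %s %s\n' "$f" "$(cert_state "$f")" \
            "$(openssl x509 -in "$f" -noout -enddate 2>/dev/null)"
    done
    printf 'host cert %s\n' "$(openssl x509 -in "$CERT" -noout -issuer 2>/dev/null)"
    printf 'chain: %s  key: %s\n' "$(chain_state "$CA" "$CERT")" "$(key_state "$CERT" "$KEY")"
}

report
```

Run it on the node as a user that can read /etc/pki/vdsm; the issuer line shows which CA signed the host certificate currently on disk.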
participants (2)
- adam_xu@adagene.com.cn
- Andrei Verovski