PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

Hello. Web access on ovirt-engine is not working. I found information about certificate renewal:

hosted-engine --set-maintenance --mode=global
!! Cluster is in GLOBAL MAINTENANCE mode !!

I ran:

engine-setup --offline
Renew certificates? (Yes, No) [No]: yes

but got an error:

[ ERROR ] It seems that you are running your engine inside of the hosted-engine VM and are not in "Global Maintenance" mode. In that case you should put the system into the "Global Maintenance" mode before running engine-setup, or the hosted-engine HA agent might kill the machine, which might corrupt your data.
[ ERROR ] Failed to execute stage 'Setup validation': Hosted Engine setup detected, but Global Maintenance is not set.

Hello. I just encountered this myself last night. I found the solution on Red Hat's customer portal. It was suggested to run setup-engine once more, as it will renew the self-signed certificates. It worked for me, though I'm running on oVirt 4.5.4-1.el8.

Remember to run this command on an oVirt NODE (not the engine):

hosted-engine --set-maintenance --mode=global

And then run the following command in your self-hosted engine:

engine-setup

I did not use the --offline switch. It renewed the certificates and all is good in my case.

However, there is a case with your exact error on the Red Hat Customer Portal, even when you have enabled global maintenance mode. See here: https://access.redhat.com/solutions/2689961 (in case I'm not allowed to post links, I'm sorry, let me know and I will remove it).

The root cause appears to be related to a check built into setup-engine to verify if the hosted-engine is up. In your case it might be showing as down, causing this error message. According to the Customer Portal this might happen when the environment was restored using engine-backup from an old HE environment. So the HE VM which exists in the current environment was the old HE VM with old UUID. It might need manual manipulation of the database to make sure the UUID of the new engine is installed in the database, which then results in the correct up/down state when setup-engine checks. The article seems to suggest that removing the UUID of the old engine would be sufficient to resolve the problems.

The following SQL statements were supplied to verify the state of the engine in the database and might give you a clue as to what to change in the database:

SELECT vm_guid, run_on_vds FROM vms WHERE vm_name = 'HostedEngine';
SELECT vds_id, ha_global_maintenance FROM vds_statistics WHERE vds_id = 'vds-uuid';

I guess in your case 2 entries appear on the first statement, both the new and old HostedEngine VM. Removing the old one would probably fix your issue.

I have no idea if you did restore an environment at some point, or if you are dealing with some other corruption? I hope you can sort it... let us know how it goes.

I found the link https://www.mail-archive.com/users@ovirt.org/msg71302.html

"...Knowing that the remaining hosts are actually in global service, I issued:

engine-setup --otopi-environment=OVESETUP_CONFIG/continueSetupOnHEVM=bool:True --offline"

This recipe helped me.

That's a brilliant catch... noted for future use :-) It looks like you make engine-setup ignore that check, suggesting something is not right somewhere in the HE environment. But it fixes the cert problem and as there is nothing else the matter, it serves a purpose :-)

participants (2)
- change_jeeringly679@dralias.com
- grig.4n@gmail.com