Notified that Engine's certification is about to expire but no documentation to renew it
Hello We are receiving the following notifications from our ovirt manager : Message:Engine's certification is about to expire at 2022-05-03. Please renew the engine's certification. Severity:WARNING Effectively : # openssl x509 -in /etc/pki/ovirt-engine/certs/engine.cer -startdate -enddate -noout notBefore=Mar 30 04:48:15 2021 GMT notAfter=May 3 04:48:15 2022 GMT However I can not find any documentation on how to renew this certificate. The following doc only convers changing apache-ca.pem & apache.cer, and not engine.cer Doc oVirt : https://ovirt.org/documentation/administration_guide/index.html#Replacing_th... Doc RHV : https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/htm... Any help ? Guillaume Pavese Ingénieur Système et Réseau Interactiv-Group -- Ce message et toutes les pièces jointes (ci-après le “message”) sont établis à l’intention exclusive de ses destinataires et sont confidentiels. Si vous recevez ce message par erreur, merci de le détruire et d’en avertir immédiatement l’expéditeur. Toute utilisation de ce message non conforme a sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse. L’internet ne permettant pas d’assurer l’intégrité de ce message . Interactiv-group (et ses filiales) décline(nt) toute responsabilité au titre de ce message, dans l’hypothèse ou il aurait été modifié. IT, ES, UK. <https://interactiv-group.com/disclaimer.html>
On Mon, Apr 25, 2022 at 2:45 PM Guillaume Pavese <guillaume.pavese@interactiv-group.com> wrote:
Hello
We are receiving the following notifications from our ovirt manager :
Message:Engine's certification is about to expire at 2022-05-03. Please renew the engine's certification. Severity:WARNING
Effectively :
# openssl x509 -in /etc/pki/ovirt-engine/certs/engine.cer -startdate -enddate -noout notBefore=Mar 30 04:48:15 2021 GMT notAfter=May 3 04:48:15 2022 GMT
However I can not find any documentation on how to renew this certificate. The following doc only convers changing apache-ca.pem & apache.cer, and not engine.cer
Doc oVirt : https://ovirt.org/documentation/administration_guide/index.html#Replacing_th... Doc RHV : https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/htm...
Any help ?
Please try running 'engine-setup'. If you want to prevent it from upgrading the engine, you can try 'engine-setup --offline'. You might want to create a github issue about the documentation missing this information. If you do, please clarify where you expected it to appear and what you searched for when looking for it. Alternatively, patches are welcome :-), the oVirt documentation is managed in a github repo, with a link in each page "Edit this page". Good luck and best regards, -- Didi
Thank you Didi, I can confirm that engine-setup detected the approaching expiration of the engine certificate and proposed to renew it. We'll try proposing a documentation fix Guillaume Pavese Ingénieur Système et Réseau Interactiv-Group On Mon, Apr 25, 2022 at 9:02 PM Yedidyah Bar David <didi@redhat.com> wrote:
On Mon, Apr 25, 2022 at 2:45 PM Guillaume Pavese <guillaume.pavese@interactiv-group.com> wrote:
Hello
We are receiving the following notifications from our ovirt manager :
Message:Engine's certification is about to expire at 2022-05-03. Please
renew the engine's certification.
Severity:WARNING
Effectively :
# openssl x509 -in /etc/pki/ovirt-engine/certs/engine.cer -startdate -enddate -noout notBefore=Mar 30 04:48:15 2021 GMT notAfter=May 3 04:48:15 2022 GMT
However I can not find any documentation on how to renew this certificate. The following doc only convers changing apache-ca.pem & apache.cer, and not engine.cer
Doc oVirt : https://ovirt.org/documentation/administration_guide/index.html#Replacing_th... Doc RHV : https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/htm...
Any help ?
Please try running 'engine-setup'. If you want to prevent it from upgrading the engine, you can try 'engine-setup --offline'.
You might want to create a github issue about the documentation missing this information. If you do, please clarify where you expected it to appear and what you searched for when looking for it. Alternatively, patches are welcome :-), the oVirt documentation is managed in a github repo, with a link in each page "Edit this page".
Good luck and best regards, -- Didi
-- Ce message et toutes les pièces jointes (ci-après le “message”) sont établis à l’intention exclusive de ses destinataires et sont confidentiels. Si vous recevez ce message par erreur, merci de le détruire et d’en avertir immédiatement l’expéditeur. Toute utilisation de ce message non conforme a sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse. L’internet ne permettant pas d’assurer l’intégrité de ce message . Interactiv-group (et ses filiales) décline(nt) toute responsabilité au titre de ce message, dans l’hypothèse ou il aurait été modifié. IT, ES, UK. <https://interactiv-group.com/disclaimer.html>
Documentation is being updated here: https://github.com/oVirt/ovirt-site/pull/2866 Il giorno lun 25 apr 2022 alle ore 16:28 Guillaume Pavese < guillaume.pavese@interactiv-group.com> ha scritto:
Thank you Didi,
I can confirm that engine-setup detected the approaching expiration of the engine certificate and proposed to renew it. We'll try proposing a documentation fix
Guillaume Pavese Ingénieur Système et Réseau Interactiv-Group
On Mon, Apr 25, 2022 at 9:02 PM Yedidyah Bar David <didi@redhat.com> wrote:
On Mon, Apr 25, 2022 at 2:45 PM Guillaume Pavese <guillaume.pavese@interactiv-group.com> wrote:
Hello
We are receiving the following notifications from our ovirt manager :
Message:Engine's certification is about to expire at 2022-05-03. Please
renew the engine's certification.
Severity:WARNING
Effectively :
# openssl x509 -in /etc/pki/ovirt-engine/certs/engine.cer -startdate -enddate -noout notBefore=Mar 30 04:48:15 2021 GMT notAfter=May 3 04:48:15 2022 GMT
However I can not find any documentation on how to renew this certificate. The following doc only convers changing apache-ca.pem & apache.cer, and not engine.cer
Doc oVirt : https://ovirt.org/documentation/administration_guide/index.html#Replacing_th... Doc RHV : https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/htm...
Any help ?
Please try running 'engine-setup'. If you want to prevent it from upgrading the engine, you can try 'engine-setup --offline'.
You might want to create a github issue about the documentation missing this information. If you do, please clarify where you expected it to appear and what you searched for when looking for it. Alternatively, patches are welcome :-), the oVirt documentation is managed in a github repo, with a link in each page "Edit this page".
Good luck and best regards, -- Didi
Ce message et toutes les pièces jointes (ci-après le “message”) sont établis à l’intention exclusive de ses destinataires et sont confidentiels. Si vous recevez ce message par erreur, merci de le détruire et d’en avertir immédiatement l’expéditeur. Toute utilisation de ce message non conforme a sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse. L’internet ne permettant pas d’assurer l’intégrité de ce message . Interactiv-group (et ses filiales) décline(nt) toute responsabilité au titre de ce message, dans l’hypothèse ou il aurait été modifié. IT, ES, UK. <https://interactiv-group.com/disclaimer.html> _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/BN23FQXEWIMIPT...
-- Sandro Bonazzola MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV Red Hat EMEA <https://www.redhat.com/> sbonazzo@redhat.com <https://www.redhat.com/> *Red Hat respects your work life balance. Therefore there is no need to answer this email out of your office hours.*
Hi Guillaume, to renew host certificates you need to perform following actions in webadmin or RESTAPI: 1. Move the host to Maintenance status 2. Execute Enroll Certificates for the host 3. Watch Events on the host to see if Enroll Certificates finished successfully 4. Execute Activate for the host Regards, Martin On Mon, Apr 25, 2022 at 1:46 PM Guillaume Pavese < guillaume.pavese@interactiv-group.com> wrote:
Hello
We are receiving the following notifications from our ovirt manager :
Message:Engine's certification is about to expire at 2022-05-03. Please renew the engine's certification. Severity:WARNING
Effectively :
# openssl x509 -in /etc/pki/ovirt-engine/certs/engine.cer -startdate -enddate -noout notBefore=Mar 30 04:48:15 2021 GMT notAfter=May 3 04:48:15 2022 GMT
However I can not find any documentation on how to renew this certificate. The following doc only convers changing apache-ca.pem & apache.cer, and not engine.cer
Doc oVirt : https://ovirt.org/documentation/administration_guide/index.html#Replacing_th... Doc RHV : https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/htm...
Any help ?
Guillaume Pavese Ingénieur Système et Réseau Interactiv-Group
Ce message et toutes les pièces jointes (ci-après le “message”) sont établis à l’intention exclusive de ses destinataires et sont confidentiels. Si vous recevez ce message par erreur, merci de le détruire et d’en avertir immédiatement l’expéditeur. Toute utilisation de ce message non conforme a sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse. L’internet ne permettant pas d’assurer l’intégrité de ce message . Interactiv-group (et ses filiales) décline(nt) toute responsabilité au titre de ce message, dans l’hypothèse ou il aurait été modifié. IT, ES, UK. <https://interactiv-group.com/disclaimer.html> _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/HWHBRHZDCHKRTM...
-- Martin Perina Manager, Software Engineering Red Hat Czech s.r.o.
Dear all, I had a similar problem with engine certificate and solved it, reading this thread. The strange thing is that now every time I log on the engine I get warnings about host certificates about to expire, even if the expiry date is in 2023. This looks weird to me and I wonder if there is somewhere a setting to specify how in advance the warning should be given. Here is an example: Any hint? Thanks, Andrea On 25/04/2022 14:04, Martin Perina wrote:
Hi Guillaume,
to renew host certificates you need to perform following actions in webadmin or RESTAPI:
1. Move the host to Maintenance status 2. Execute Enroll Certificates for the host 3. Watch Events on the host to see if Enroll Certificates finished successfully 4. Execute Activate for the host
Regards, Martin
On Mon, Apr 25, 2022 at 1:46 PM Guillaume Pavese <guillaume.pavese@interactiv-group.com> wrote:
Hello
We are receiving the following notifications from our ovirt manager :
Message:Engine's certification is about to expire at 2022-05-03. Please renew the engine's certification. Severity:WARNING
Effectively :
# openssl x509 -in /etc/pki/ovirt-engine/certs/engine.cer -startdate -enddate -noout notBefore=Mar 30 04:48:15 2021 GMT notAfter=May 3 04:48:15 2022 GMT
However I can not find any documentation on how to renew this certificate. The following doc only convers changing apache-ca.pem & apache.cer, and not engine.cer
Doc oVirt : https://ovirt.org/documentation/administration_guide/index.html#Replacing_th... Doc RHV : https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/htm...
Any help ?
Guillaume Pavese IngénieurSystèmeet Réseau Interactiv-Group
Ce message et toutes les pièces jointes (ci-après le “message”) sont établis à l’intention exclusive de ses destinataires et sont confidentiels. Si vous recevez ce message par erreur, merci de le détruire et d’en avertir immédiatement l’expéditeur. Toute utilisation de ce message non conforme a sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse. L’internet ne permettant pas d’assurer l’intégrité de ce message . Interactiv-group (et ses filiales) décline(nt) toute responsabilité au titre de ce message, dans l’hypothèse ou il aurait été modifié. IT, ES, UK. <https://interactiv-group.com/disclaimer.html>
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/HWHBRHZDCHKRTM...
-- Martin Perina Manager, Software Engineering Red Hat Czech s.r.o.
_______________________________________________ Users mailing list --users@ovirt.org To unsubscribe send an email tousers-leave@ovirt.org Privacy Statement:https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct:https://www.ovirt.org/community/about/community-guidelines/ List Archives:https://lists.ovirt.org/archives/list/users@ovirt.org/message/ROJDGIDLQRMQ6E...
-- Andrea Chierici - INFN-CNAF Viale Berti Pichat 6/2, 40127 BOLOGNA Office Tel: +39 051 2095463 SkypeID ataruz --
Andrea Chierici <andrea.chierici@cnaf.infn.it> writes:
The strange thing is that now every time I log on the engine I get warnings about host certificates about to expire, even if the expiry date is in 2023. This looks weird to me and I wonder if there is somewhere a setting to specify how in advance the warning should be given.
Both the expiration and warning periods were extended in 4.5.1. Next time you renew your host certificates, they will be valid for 5 years. There are config values to change the warning periods but I wouldn't recommend using them. It's better to get the warning sufficiently in advance rather than being forced to migrate your VMs there at the last moment. Regards, Milan
Hi, Should I do my standalone engine before my hosts or it doesn't matter?
participants (7)
-
Andrea Chierici -
Dominique D -
Guillaume Pavese -
Martin Perina -
Milan Zamazal -
Sandro Bonazzola -
Yedidyah Bar David