certification expires: PKIX path validation failed

Hi,

Some of my hosts came into a non-responsive state since their certificate had expired:

VDSM palomo command Get Host Capabilities failed: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

openssl x509 -noout -enddate -in /etc/pki/vdsm/certs/vdsmcert.pem
palomo notAfter=Apr 6 11:09:05 2022 GMT

The recommended path to update certificates is to put hosts into maintenance and enroll certificates. But I can no longer live migrate VMs since the certificate is expired:

2022-04-13 10:34:12,022+0200 ERROR (migsrc/bf0f7628) [virt.vm] (vmId='bf0f7628-d70b-47a4-8569-5430e178f429') [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897) (migration:331)

So is there a way to disable TLS to migrate these VMs so as to put the host into maintenance?

No possibility of migration would imply stopping production VMs, which is what we absolutely don't want!

Any help much appreciated.

-- 
Nathanaël Blanchet
Supervision réseau SIRE
227 avenue Professeur-Jean-Louis-Viala
34193 MONTPELLIER CEDEX 5
Tél. 33 (0)4 67 54 84 55
Fax 33 (0)4 67 54 84 14
blanchet@abes.fr

Nathanaël Blanchet <blanchet@abes.fr> writes:

> Hi,
> Some of my hosts came into a non-responsive state since their certificate had expired:
> VDSM palomo command Get Host Capabilities failed: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
> openssl x509 -noout -enddate -in /etc/pki/vdsm/certs/vdsmcert.pem
> palomo notAfter=Apr 6 11:09:05 2022 GMT
> The recommended path to update certificates is to put hosts into maintenance and enroll certificates. But I can no longer live migrate VMs since the certificate is expired:
> 2022-04-13 10:34:12,022+0200 ERROR (migsrc/bf0f7628) [virt.vm] (vmId='bf0f7628-d70b-47a4-8569-5430e178f429') [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897) (migration:331)
> So is there a way to disable TLS to migrate these VMs so as to put the host into maintenance?

Do you use encrypted migrations? I think the client certificate is verified only with encrypted migrations. You can disable encrypted migrations in the web UI among other migration settings in cluster or VM settings.

If it fails also with non-encrypted migrations, *maybe* removing the client certificate could help.

If disabling encrypted migrations is not possible, you can try to set the migrate_tls_x509_verify option in /etc/libvirt/qemu.conf on the destination host to 0 (a libvirt restart may be needed to apply the changed setting).

I guess there could also be a way to run the Ansible role for updating the certificates manually (not recommended etc. etc. but perhaps still useful in this case) without putting the host into maintenance. Just a speculation, I don't know whether it's actually possible and how to do it if it is.

Regards,
Milan

> No possibility of migration would imply stopping production VMs, which is what we absolutely don't want!
> Any help much appreciated.
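Two checks that follow from the exchange above, written as an added example for this thread (not code from the thread, from oVirt, or from libvirt). The first turns the `openssl x509 -noout -enddate` output Nathanaël posted into an expired/expiring/ok verdict with a warning window, so an expiring vdsm certificate is caught before the engine reports "PKIX path validation failed" and the host goes non-responsive. The second parses a qemu.conf fragment and flags the `migrate_tls_x509_verify = 0` workaround Milan mentions, so it gets reverted once certificates are re-enrolled. Assumptions: only /etc/pki/vdsm/certs/vdsmcert.pem comes from the thread; the other two certificate paths are assumed typical vdsm/libvirt locations and should be verified per host; the sample qemu.conf fragments and the reference "now" (the failed-migration timestamp from the log line) are constructed. When migrate_tls_x509_verify is unset, libvirt falls back to default_tls_x509_verify, which defaults to 1.

```python
"""Certificate expiry and migration-TLS audit for an oVirt host (added example)."""
import calendar
import os
import ssl
import subprocess

# Reference "now": the failed migration in the thread, 2022-04-13 10:34:12 +0200 = 08:34:12 UTC.
NOW_EPOCH = calendar.timegm((2022, 4, 13, 8, 34, 12, 0, 0, 0))

# Certificates a host presents. The vdsm path is from the thread; the other two are
# ASSUMED typical vdsm/libvirt locations, listed only for illustration.
HOST_CERT_PATHS = [
    "/etc/pki/vdsm/certs/vdsmcert.pem",
    "/etc/pki/vdsm/libvirt-spice/server-cert.pem",  # assumed
    "/etc/pki/libvirt/clientcert.pem",               # assumed
]

# Constructed qemu.conf fragments: the weak form is the temporary workaround
# (destination host accepts an unverified peer), the hardened form restores the default.
WEAK_QEMU_CONF = """
# added 2022-04-13 so VMs can leave palomo despite its expired vdsm cert
migrate_tls_x509_verify = 0
default_tls_x509_verify = 1
"""
HARDENED_QEMU_CONF = """
# migrate_tls_x509_verify = 1   (commented out: falls back to default_tls_x509_verify)
default_tls_x509_verify = 1
"""


def classify_cert_expiry(enddate_line, now_epoch, warn_days=30):
    """Classify an `openssl x509 -noout -enddate` line ('notAfter=Apr  6 11:09:05 2022 GMT').

    Returns (status, days_left); days_left is floored, so a negative value is the number
    of whole days since expiry. status is 'expired', 'expiring' (< warn_days) or 'ok'.
    """
    cert_time = enddate_line.strip()
    if cert_time.startswith("notAfter="):
        cert_time = cert_time[len("notAfter="):]
    # ssl.cert_time_to_seconds (stdlib) parses openssl's 'Mon DD HH:MM:SS YYYY GMT' format
    not_after = ssl.cert_time_to_seconds(cert_time)
    days_left = int((not_after - now_epoch) // 86400)
    if days_left < 0:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring", days_left
    return "ok", days_left


def check_cert_file(path, now_epoch, warn_days=30):
    """Run openssl on a PEM file exactly as the thread does; None if the file is absent."""
    if not os.path.exists(path):
        return None
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", path],
        capture_output=True, text=True, check=True,
    ).stdout
    return classify_cert_expiry(out, now_epoch, warn_days)


def parse_qemu_conf(text):
    """Parse libvirt's key = value style; '#' comments stripped, surrounding quotes dropped.

    Good enough for the scalar settings audited here (a '#' inside a quoted value would
    be truncated; list values are returned as raw text).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip('"')
    return settings


def migrate_tls_verify_disabled(conf_text):
    """True iff the effective migration peer-verification setting is 0.

    Unset migrate_tls_x509_verify falls back to default_tls_x509_verify (libvirt default 1).
    """
    settings = parse_qemu_conf(conf_text)
    effective = settings.get("migrate_tls_x509_verify",
                             settings.get("default_tls_x509_verify", "1"))
    return effective == "0"


if __name__ == "__main__":
    import time
    now = int(time.time())
    for path in HOST_CERT_PATHS:
        result = check_cert_file(path, now)
        print(path, result if result else "not present")
    conf_path = "/etc/libvirt/qemu.conf"
    if os.path.exists(conf_path):
        with open(conf_path) as fh:
            print(conf_path, "disables migration TLS verification:",
                  migrate_tls_verify_disabled(fh.read()))
    print("weak sample:", migrate_tls_verify_disabled(WEAK_QEMU_CONF))
    print("hardened sample:", migrate_tls_verify_disabled(HARDENED_QEMU_CONF))
```

Run it on each host before the next expiry window; anything reported as expiring is the cue to schedule maintenance and certificate enrollment while live migration still works, and a True from the qemu.conf check means the destination host is still accepting unverified migration peers and the workaround has not been reverted.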

Following https://access.redhat.com/solutions/3532921 solved my issue! (Needs a Red Hat registration, but it's worth it.)

On 13/04/2022 at 11:41, Milan Zamazal wrote:
> Nathanaël Blanchet <blanchet@abes.fr> writes:
>
>> Hi,
>> Some of my hosts came into a non-responsive state since their certificate had expired:
>> VDSM palomo command Get Host Capabilities failed: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
>> openssl x509 -noout -enddate -in /etc/pki/vdsm/certs/vdsmcert.pem
>> palomo notAfter=Apr 6 11:09:05 2022 GMT
>> The recommended path to update certificates is to put hosts into maintenance and enroll certificates. But I can no longer live migrate VMs since the certificate is expired:
>> 2022-04-13 10:34:12,022+0200 ERROR (migsrc/bf0f7628) [virt.vm] (vmId='bf0f7628-d70b-47a4-8569-5430e178f429') [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897) (migration:331)
>> So is there a way to disable TLS to migrate these VMs so as to put the host into maintenance?
>
> Do you use encrypted migrations? I think the client certificate is verified only with encrypted migrations. You can disable encrypted migrations in the web UI among other migration settings in cluster or VM settings.
>
> If it fails also with non-encrypted migrations, *maybe* removing the client certificate could help.
>
> If disabling encrypted migrations is not possible, you can try to set the migrate_tls_x509_verify option in /etc/libvirt/qemu.conf on the destination host to 0 (a libvirt restart may be needed to apply the changed setting).
>
> I guess there could also be a way to run the Ansible role for updating the certificates manually (not recommended etc. etc. but perhaps still useful in this case) without putting the host into maintenance. Just a speculation, I don't know whether it's actually possible and how to do it if it is.
>
> Regards,
> Milan
>
>> No possibility of migration would imply stopping production VMs, which is what we absolutely don't want!
>> Any help much appreciated.