Nathanaël Blanchet <blanchet(a)abes.fr> writes:
Hi,
Some of my hosts came into a non responsive state since there
certicate had expired:
VDSM palomo command Get Host Capabilities failed: PKIX path validation
failed: java.security.cert.CertPathValidatorException: validity check
failed
|openssl x509 -noout -enddate -in /etc/pki/vdsm/certs/vdsmcert.pem
palomo notAfter=Apr 6 11:09:05 2022 GMT |
The recommanded path to update certificates is to put hosts into
maintenance and enroll certificates.
But I can't anymore live migrate vms since the certificate is expired:
2022-04-13 10:34:12,022+0200 ERROR (migsrc/bf0f7628) [virt.vm]
(vmId='bf0f7628-d70b-47a4-8569-5430e178f429') [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
(migration:331)
So is there a way to disable tls to migrate these vms so as to put the
host into maintenance?
Do you use encrypted migrations? I think the client certificate is
verified only with encrypted migrations. You can disable encrypted
migrations in the web UI among other migration settings in cluster or VM
settings.
If it fails also with non-encrypted migrations, *maybe* removing the
client certificate could help.
If disabling encrypted migrations is not possible, you can try to set
migrate_tls_x509_verify option in /etc/libvirt/qemu.conf on the
destination host to 0 (libvirt restart may be needed to apply the
changed setting).
I guess there could be also a way to run the Ansible role for updating
the certificates manually (not recommended etc. etc. but perhaps still
useful in this case) without putting the host into the maintenance.
Just a speculation, I don’t know whether it’s actually possible and how
to do it if it is.
Regards,
Milan
No possibility of migration would imply to stop production vms, this
is what we absolutely don't want!
Any help much appreciated.
||