
Hi,

Last month I renewed our hosts' certificates by the "Enroll certificates" method. The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate wasn't renewed on my nodes (other certificates were).
How can I renew this certificate too?

thanks
csabany

Hi,

On 5/2/22 at 17:58 csabany@freemail.hu wrote:
> Hi,
> Last month I renewed our hosts' certificates by the "Enroll certificates" method. The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate wasn't renewed on my nodes (other certificates were).
> How can I renew this certificate too?

on host just copy renewed vdsm key and cert to libvirt-vnc

cp /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/libvirt-vnc/server-cert.pem
cp /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/libvirt-vnc/server-key.pem

when you update also CA then

cp /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-vnc/ca-cert.pem

Cheers,
Jiri

> thanks csabany

Hi Jiri,

I understand the libvirt-vnc part of this thread but can you explain the following in more detail please:

"when you update also CA then
cp /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-vnc/ca-cert.pem"

When does /etc/pki/vdsm/certs/cacert.pem get updated (checked mine and it's 2021) if not by the 'Enroll Certificate' action?

Kind Regards
Simon...

On 5/5/22 10:42, simon@justconnect.ie wrote:
> Hi Jiri,
> I understand the libvirt-vnc part of this thread but can you explain the following in more detail please:
> "when you update also CA then
> cp /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-vnc/ca-cert.pem"

sorry, it is probably not necessary. In my particular case I had expired engine.cer so I have regenerated it during engine-setup process. Then I enroll certificates on all hosts. After that I mentioned that migrations to some hosts fail. Qemu log shows

2022-05-02T13:55:05.987598Z qemu-kvm: Our own certificate /etc/pki/vdsm/libvirt-vnc/server-cert.pem failed validation against /etc/pki/vdsm/libvirt-vnc/ca-cert.pem: The certificate hasn't got a known issuer

so I copied key, cert and also cacert.pem to libvirt-vnc which solves my issue.

> When does /etc/pki/vdsm/certs/cacert.pem get updated (checked mine and it's 2021) if not by the 'Enroll Certificate' action?

I believe cacert could be updated during engine-setup process but I am not sure about this. In my case CA was not renewed

openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -text

Validity
    Not Before: Aug 30 14:45:05 2015 GMT
    Not After : Aug 28 14:45:05 2025 GMT

so I have no idea why /etc/pki/vdsm/libvirt-vnc/server-cert.pem cannot be validated against /etc/pki/vdsm/libvirt-vnc/ca-cert.pem on host. Copying /etc/pki/vdsm/certs/cacert.pem to /etc/pki/vdsm/libvirt-vnc/ca-cert.pem solved this issue...

Cheers,
Jiri

> Kind Regards
> Simon...

On Mon, May 2, 2022 at 6:02 PM <csabany@freemail.hu> wrote:
> Hi,
> Last month I renewed our hosts' certificates by the "Enroll certificates" method. The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate wasn't renewed on my nodes (other certificates were).
> How can I renew this certificate too?
> thanks csabany

Actually I think this could be a bug in enrolling certificate job on hosts from web admin gui. I'm having the same problem updating from downstream RHV 4.4.10-6 to 4.4.10-7 with RHV-H hosts and the enrolling of certificates takes in consideration these directories

/etc/pki/libvirt
/etc/pki/vdsm/certs
/etc/pki/vdsm/libvirt-migrate
/etc/pki/vdsm/libvirt-spice

But not:
/etc/pki/vdsm/libvirt-vnc

I think it could impact oVirt too.
In case Red Hat guys want to see logs of my RHV environment, I've opened the case 03212406 for this problem.

Gianluca

On Fri, May 6, 2022 at 10:44 AM Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
> On Mon, May 2, 2022 at 6:02 PM <csabany@freemail.hu> wrote:
>> Hi,
>> Last month I renewed our hosts' certificates by the "Enroll certificates" method. The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate wasn't renewed on my nodes (other certificates were).
>> How can I renew this certificate too?
>> thanks csabany
> Actually I think this could be a bug in enrolling certificate job on hosts from web admin gui. I'm having the same problem updating from downstream RHV 4.4.10-6 to 4.4.10-7 with RHV-H hosts and the enrolling of certificates takes in consideration these directories
> /etc/pki/libvirt /etc/pki/vdsm/certs /etc/pki/vdsm/libvirt-migrate /etc/pki/vdsm/libvirt-spice
> But not: /etc/pki/vdsm/libvirt-vnc
> I think it could impact oVirt too.
> In case Red Hat guys want to see logs of my RHV environment, I've opened the case 03212406 for this problem.
> Gianluca

I forgot to say that the impact in my case is that due to this problem I can't live migrate VMs between the updated hosts, because the libvirt-vnc certificate of destination host is now expired... and in logs of source host I get:

libvirt.libvirtError: internal error: process exited while connecting to monitor: 2022-05-05T07:31:25.922766Z qemu-kvm: The server certificate /etc/pki/vdsm/libvirt-vnc/server-cert.pem has expired

Perhaps it is due to having graphics protocol: Spice+VNC in VM console configuration, so both certificates (spice and vnc) are checked before migration. Not sure

Gianluca

On Fri, May 6, 2022 at 10:59 AM Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
> On Fri, May 6, 2022 at 10:44 AM Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
>> On Mon, May 2, 2022 at 6:02 PM <csabany@freemail.hu> wrote:
>>> Hi,
>>> Last month I renewed our hosts' certificates by the "Enroll certificates" method. The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate wasn't renewed on my nodes (other certificates were).
>>> How can I renew this certificate too?
>>> thanks csabany
>> Actually I think this could be a bug in enrolling certificate job on hosts from web admin gui. I'm having the same problem updating from downstream RHV 4.4.10-6 to 4.4.10-7 with RHV-H hosts and the enrolling of certificates takes in consideration these directories

In my Red Hat case it was confirmed that a bug is already opened for this problem: https://bugzilla.redhat.com/show_bug.cgi?id=2043146

On Fri, May 6, 2022 at 11:40 AM Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
> On Fri, May 6, 2022 at 10:59 AM Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
>> On Fri, May 6, 2022 at 10:44 AM Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
>>> On Mon, May 2, 2022 at 6:02 PM <csabany@freemail.hu> wrote:
>>>> Hi,
>>>> Last month I renewed our hosts' certificates by the "Enroll certificates" method. The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate wasn't renewed on my nodes (other certificates were).
>>>> How can I renew this certificate too?
>>>> thanks csabany
>>> Actually I think this could be a bug in enrolling certificate job on hosts from web admin gui. I'm having the same problem updating from downstream RHV 4.4.10-6 to 4.4.10-7 with RHV-H hosts and the enrolling of certificates takes in consideration these directories
> In my Red Hat case it was confirmed that a bug is already opened for this problem: https://bugzilla.redhat.com/show_bug.cgi?id=2043146

+Milan Zamazal <mzamazal@redhat.com> +Yedidyah Bar David <didi@redhat.com> +Martin Perina <mperina@redhat.com> +Michal Skrivanek <mskrivan@redhat.com> can you please have a look?

--
Sandro Bonazzola
MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV
Red Hat EMEA

On Fri, May 6, 2022 at 3:22 PM Sandro Bonazzola <sbonazzo@redhat.com> wrote:
> On Fri, May 6, 2022 at 11:40 AM Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
>> On Fri, May 6, 2022 at 10:59 AM Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
>>> On Fri, May 6, 2022 at 10:44 AM Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
>>>> On Mon, May 2, 2022 at 6:02 PM <csabany@freemail.hu> wrote:
>>>>> Hi,
>>>>> Last month I renewed our hosts' certificates by the "Enroll certificates" method. The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate wasn't renewed on my nodes (other certificates were).
>>>>> How can I renew this certificate too?
>>>>> thanks csabany
>>>> Actually I think this could be a bug in enrolling certificate job on hosts from web admin gui. I'm having the same problem updating from downstream RHV 4.4.10-6 to 4.4.10-7 with RHV-H hosts and the enrolling of certificates takes in consideration these directories
>> In my Red Hat case it was confirmed that a bug is already opened for this problem: https://bugzilla.redhat.com/show_bug.cgi?id=2043146

Seems like this is indeed the issue. Should already be fixed in 4.5. The bug is on RHV, not oVirt, so is still in VERIFIED - will be closed once RHV has it. For oVirt, AFAICT, it's already fixed. If you still run into this issue with current 4.5, please attach relevant logs to this bug (or create a new one, if you suspect it's unrelated).

Thanks. Best regards,
--
Didi
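
A check for the two qemu-kvm failures quoted in this thread (server certificate expired, certificate failing validation against ca-cert.pem), plus a key/cert pairing check since the workaround copies both files. This is an added example, not code from any message in the thread or from oVirt; `check_pki_dir` and `make_demo_pki` are hypothetical helper names, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): classify one libvirt PKI directory.
# Prints ok | missing | expired | untrusted | key-mismatch.
check_pki_dir() {
    dir=$1
    cert=$dir/server-cert.pem; key=$dir/server-key.pem; ca=$dir/ca-cert.pem
    { [ -r "$cert" ] && [ -r "$key" ] && [ -r "$ca" ]; } ||
        { echo missing; return 1; }
    # -checkend 0 exits non-zero once notAfter is in the past
    # (qemu-kvm: "The server certificate ... has expired").
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo expired; return 1; }
    # The cert must verify against the CA file in the same directory
    # (qemu-kvm: "failed validation against .../ca-cert.pem").
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo untrusted; return 1; }
    # Key and cert are copied as a pair; their public keys must be identical.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo key-mismatch; return 1; }
    echo ok
}

# Constructed sample data: throwaway CA plus a host cert valid for $2 days.
make_demo_pki() {
    d=$1; days=$2
    mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-ca" \
        -keyout "$d/ca-key.pem" -out "$d/ca-cert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-host" \
        -keyout "$d/server-key.pem" -out "$d/req.pem" 2>/dev/null
    openssl x509 -req -in "$d/req.pem" -days "$days" -CAcreateserial \
        -CA "$d/ca-cert.pem" -CAkey "$d/ca-key.pem" \
        -out "$d/server-cert.pem" 2>/dev/null
}

# Report on every directory given on the command line,
# e.g. /etc/pki/vdsm/libvirt-vnc (the path from the thread).
for d in "$@"; do
    printf '%s: %s\n' "$d" "$(check_pki_dir "$d")"
done
```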
participants (6): csabany@freemail.hu, Gianluca Cecchi, Jiří Sléžka, Sandro Bonazzola, simon@justconnect.ie, Yedidyah Bar David