6:58 p.m.
Hi,
LAst month a renewed our hosts certificates by the "Enroll certificates"
method.
The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate wasn't renewed
on my nodes (other certificates were).
How can i renew this certificate too?
thanks
csabany
11:20 p.m.
Hi,
Dne 5/2/22 v 17:58 csabany(a)freemail.hu napsal(a):
Hi,
LAst month a renewed our hosts certificates by the "Enroll certificates"
method.
The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate wasn't renewed
on my nodes (other certificates were).
How can i renew this certificate too?
on host just copy renewed vdsm key and cert to libvirt-vnc
cp /etc/pki/vdsm/certs/vdsmcert.pem
/etc/pki/vdsm/libvirt-vnc/server-cert.pem
cp /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/libvirt-vnc/server-key.pem
when you update also CA then
cp /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-vnc/ca-cert.pem
Cheers,
Jiri
thanks
csabany
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/L3HRCMX6NMF...
11:42 a.m.
Hi Jiri,
I understand the libvirt-vnc part of this thread but can you explain the following in more
detail please:
"when you update also CA then
cp /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-vnc/ca-cert.pem"
When does /etc/pki/vdsm/certs/cacert.pem get updated (checked mine and it's 2021) if
not by the 'Enroll Certificate' action?
Kind Regards
Simon...
3:56 p.m.
On 5/5/22 10:42, simon(a)justconnect.ie wrote:
Hi Jiri,
I understand the libvirt-vnc part of this thread but can you explain the following in
more detail please:
"when you update also CA then
cp /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-vnc/ca-cert.pem"
sorry, it is probably not necessary.
In my particular case I had expired engine.cer so I have regenerate it
during engine-setup process. Then I enroll certificates on all hosts.
After that I mentioned that migrations to some hosts fails. Qemu log shows
2022-05-02T13:55:05.987598Z qemu-kvm: Our own certificate
/etc/pki/vdsm/libvirt-vnc/server-cert.pem failed validation against
/etc/pki/vdsm/libvirt-vnc/ca-cert.pem: The certificate hasn't got a
known issuer
so I copied key, cert and also cacert.pem to libvirt-vnc which solves my
issue.
When does /etc/pki/vdsm/certs/cacert.pem get updated (checked mine
and it's 2021) if not by the 'Enroll Certificate' action?
I believe cacert could be updated during engine-setup process but I am
not sure about this. In my case CA was not renewed
openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -text
Validity
Not Before: Aug 30 14:45:05 2015 GMT
Not After : Aug 28 14:45:05 2025 GMT
so I have no idea why /etc/pki/vdsm/libvirt-vnc/server-cert.pem cannot
be validated against /etc/pki/vdsm/libvirt-vnc/ca-cert.pem on host.
Copying /etc/pki/vdsm/certs/cacert.pem to
/etc/pki/vdsm/libvirt-vnc/ca-cert.pem solved this issue...
Cheers,
Jiri
Kind Regards
Simon...
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/HVT3KMVESR5...
11:44 a.m.
On Mon, May 2, 2022 at 6:02 PM <csabany(a)freemail.hu> wrote:
Hi,
LAst month a renewed our hosts certificates by the "Enroll certificates"
method.
The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate wasn't renewed
on my nodes (other certificates were).
How can i renew this certificate too?
thanks
csabany
Actually I think this could be a bug in enrolling certificate job on hosts
from web admin gui.
I'm having the same problem updating from downstream RHV 4.4.10-6 to
4.4.10-7 with RHV-H hosts and the enrolling of certificates takes in
consideration these directories
/etc/pki/libvirt
/etc/pki/vdsm/certs
/etc/pki/vdsm/libvirt-migrate
/etc/pki/vdsm/libvirt-spice
But not:
/etc/pki/vdsm/libvirt-vnc
I think it could impact oVirt too.
In case Red Hat guys want to see logs of my RHV environment, I've opened
the case 03212406 for this problem.
Gianluca
11:59 a.m.
On Fri, May 6, 2022 at 10:44 AM Gianluca Cecchi <gianluca.cecchi(a)gmail.com>
wrote:
On Mon, May 2, 2022 at 6:02 PM <csabany(a)freemail.hu> wrote:
> Hi,
>
> LAst month a renewed our hosts certificates by the "Enroll certificates"
> method.
> The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate wasn't
> renewed on my nodes (other certificates were).
>
> How can i renew this certificate too?
>
> thanks
> csabany
>
>
Actually I think this could be a bug in enrolling certificate job on hosts
from web admin gui.
I'm having the same problem updating from downstream RHV 4.4.10-6 to
4.4.10-7 with RHV-H hosts and the enrolling of certificates takes in
consideration these directories
/etc/pki/libvirt
/etc/pki/vdsm/certs
/etc/pki/vdsm/libvirt-migrate
/etc/pki/vdsm/libvirt-spice
But not:
/etc/pki/vdsm/libvirt-vnc
I think it could impact oVirt too.
In case Red Hat guys want to see logs of my RHV environment, I've opened
the case 03212406 for this problem.
Gianluca
I forgot to say that the impact in my case is that due to this problem I
can't live migrate VMs between the updated hosts, because the libvirt-vnc
certificate of destination host is now expired...
and in logs of source host I get:
libvirt.libvirtError: internal error: process exited while connecting to
monitor: 2022-05-05T07:31:25.922766Z qemu-kvm: The server certificate
/etc/pki/vdsm/libvirt-vnc/server-cert.pem has expired
Perhaps is due to having graphics protocol: Spice+VNC in VM console
configuration, so both certificates (spice and vnc) are checked before
migration. Not sure
Gianluca
12:39 p.m.
On Fri, May 6, 2022 at 10:59 AM Gianluca Cecchi <gianluca.cecchi(a)gmail.com>
wrote:
On Fri, May 6, 2022 at 10:44 AM Gianluca Cecchi
<gianluca.cecchi(a)gmail.com>
wrote:
> On Mon, May 2, 2022 at 6:02 PM <csabany(a)freemail.hu> wrote:
>
>> Hi,
>>
>> LAst month a renewed our hosts certificates by the "Enroll
certificates"
>> method.
>> The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate wasn't
>> renewed on my nodes (other certificates were).
>>
>> How can i renew this certificate too?
>>
>> thanks
>> csabany
>>
>>
> Actually I think this could be a bug in enrolling certificate job on
> hosts from web admin gui.
> I'm having the same problem updating from downstream RHV 4.4.10-6 to
> 4.4.10-7 with RHV-H hosts and the enrolling of certificates takes in
> consideration these directories
>
In my Red Hat case confirmed that bug is already opened for this problem:
https://bugzilla.redhat.com/show_bug.cgi?id=2043146
3:21 p.m.
Il giorno ven 6 mag 2022 alle ore 11:40 Gianluca Cecchi <
gianluca.cecchi(a)gmail.com> ha scritto:
On Fri, May 6, 2022 at 10:59 AM Gianluca Cecchi
<gianluca.cecchi(a)gmail.com>
wrote:
> On Fri, May 6, 2022 at 10:44 AM Gianluca Cecchi <
> gianluca.cecchi(a)gmail.com> wrote:
>
>> On Mon, May 2, 2022 at 6:02 PM <csabany(a)freemail.hu> wrote:
>>
>>> Hi,
>>>
>>> LAst month a renewed our hosts certificates by the "Enroll
>>> certificates" method.
>>> The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate
wasn't
>>> renewed on my nodes (other certificates were).
>>>
>>> How can i renew this certificate too?
>>>
>>> thanks
>>> csabany
>>>
>>>
>> Actually I think this could be a bug in enrolling certificate job on
>> hosts from web admin gui.
>> I'm having the same problem updating from downstream RHV 4.4.10-6 to
>> 4.4.10-7 with RHV-H hosts and the enrolling of certificates takes in
>> consideration these directories
>>
>
>
In my Red Hat case confirmed that bug is already opened for this problem:
https://bugzilla.redhat.com/show_bug.cgi?id=2043146
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/2OV43X2DMAF...
+Milan Zamazal <mzamazal(a)redhat.com> +Yedidyah Bar David
<didi(a)redhat.com> +Martin
Perina <mperina(a)redhat.com> +Michal Skrivanek <mskrivan(a)redhat.com> can
you please have a look?
--
Sandro Bonazzola
MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV
Red Hat EMEA <https://www.redhat.com/>
sbonazzo(a)redhat.com
<https://www.redhat.com/>
*Red Hat respects your work life balance. Therefore there is no need to
answer this email out of your office hours.*
1:18 p.m.
On Fri, May 6, 2022 at 3:22 PM Sandro Bonazzola <sbonazzo(a)redhat.com> wrote:
Il giorno ven 6 mag 2022 alle ore 11:40 Gianluca Cecchi <gianluca.cecchi(a)gmail.com>
ha scritto:
>
> On Fri, May 6, 2022 at 10:59 AM Gianluca Cecchi <gianluca.cecchi(a)gmail.com>
wrote:
>>
>> On Fri, May 6, 2022 at 10:44 AM Gianluca Cecchi <gianluca.cecchi(a)gmail.com>
wrote:
>>>
>>> On Mon, May 2, 2022 at 6:02 PM <csabany(a)freemail.hu> wrote:
>>>>
>>>> Hi,
>>>>
>>>> LAst month a renewed our hosts certificates by the "Enroll
certificates" method.
>>>> The "/etc/pki/vdsm/libvirt-vnc/server-cert.pem" certificate
wasn't renewed on my nodes (other certificates were).
>>>>
>>>> How can i renew this certificate too?
>>>>
>>>> thanks
>>>> csabany
>>>>
>>>
>>> Actually I think this could be a bug in enrolling certificate job on hosts
from web admin gui.
>>> I'm having the same problem updating from downstream RHV 4.4.10-6 to
4.4.10-7 with RHV-H hosts and the enrolling of certificates takes in consideration these
directories
>>
>>
>
> In my Red Hat case confirmed that bug is already opened for this problem:
> https://bugzilla.redhat.com/show_bug.cgi?id=2043146
Seems like this is indeed the issue. Should already be fixed in 4.5.
The bug is on RHV, not oVirt, so is still in VERIFIED - will be closed
once RHV has it. For oVirt, AFAICT, it's already fixed.
If you still run into this issue with current 4.5, please attach
relevant logs to this bug (or create a new one, if you suspect it's
unrelated). Thanks.
Best regards,
--
Didi
929
days inactive
936
days old
8 comments
6 participants
participants (6)
-
csabany@freemail.hu -
Gianluca Cecchi -
Jiří Sléžka -
Sandro Bonazzola -
simon@justconnect.ie -
Yedidyah Bar David