Certificates expired...

We're moving to a new facility and pretty much building the infrastructure out from scratch. As such, the oVirt 4.4 cluster at our old location has floated under notice because it has just worked for years. In July it seems some of the certs expired (specifically the engine apache cert) and we just noticed it. I followed a post for changing the apache cert and that allowed us to login to the engine web interface, but nothing in the interface showed as connected. VMs are still running, I even rebooted one via ssh before realizing the certificate issues.

In "Events" in the engine, it was complaining about certs being expired on the hosts. I found this post to this mailing list and followed the instructions possibly in error: https://lists.ovirt.org/archives/list/users@ovirt.org/thread/NHJNETOIMSHDXMQ...

Now the engine won't start at all and I'm afraid I'm one power outage away from complete disaster. I need to keep the old location up and functioning for another 4-6 months, so any insights would be greatly appreciated.

Sincerely,
Jason P. Thomas

> Now the engine won't start at all and I'm afraid I'm one power outage away from complete disaster. I need to keep the old location up and functioning for another 4-6 months, so any insights would be greatly appreciated.

Hi,

'engine won't start at all' can mean two things:

1) OS can't boot and thus you can't do SSH.
Assuming that we are talking self-hosted engine, then you need to use command like below on host that runs ovengine VM (virsh -c qemu:///system?authfile=/etc/ovirt-hosted-engine/virsh_auth.conf list and hosted-engine --vm-status might be helpful, VM should at least start to boot in order for you to achieve connectivity via console):

    hosted-engine --add-console-password --password=somepassword

and then connect via VNC to IP that you will see in output and password that you used

2) ovirt-engine service can't start
In that case it is likely that you will find reason of that in journalctl -u ovirt-engine --no-pager (/var/log/ovirt-engine/engine.log)

BR,
Konstantin

Konstantin,

Right after I sent the email I got the engine running. The libvirt-spice certs had incorrect ownership. It still is not connecting to anything. Error in Events on the Engine is now:
"VDSM <hostname.fqdn> command Get Host Capabilities failed: General SSLEngine problem"

So status right now is, all VMs are running. Engine web ui is accessible. Engine shows all hosts as unassigned or Connecting or NonResponsive with repeated entries of the above error in Events.

Sincerely,
Jason

On 8/4/23 13:08, konstantin.volenbovskyi--- via Users wrote:
> > Now the engine won't start at all and I'm afraid I'm one power outage away from complete disaster. I need to keep the old location up and functioning for another 4-6 months, so any insights would be greatly appreciated.
>
> Hi,
>
> 'engine won't start at all' can mean two things:
>
> 1) OS can't boot and thus you can't do SSH.
> Assuming that we are talking self-hosted engine, then you need to use command like below on host that runs ovengine VM (virsh -c qemu:///system?authfile=/etc/ovirt-hosted-engine/virsh_auth.conf list and hosted-engine --vm-status might be helpful, VM should at least start to boot in order for you to achieve connectivity via console):
>
>     hosted-engine --add-console-password --password=somepassword
>
> and then connect via VNC to IP that you will see in output and password that you used
>
> 2) ovirt-engine service can't start
> In that case it is likely that you will find reason of that in journalctl -u ovirt-engine --no-pager (/var/log/ovirt-engine/engine.log)
>
> BR,
> Konstantin

Sounds like the Host Certs need to be updated.. Or possibly even the Engine CA Cert.

-derek

On Fri, August 4, 2023 1:45 pm, Jason P. Thomas wrote:
> Konstantin,
>
> Right after I sent the email I got the engine running. The libvirt-spice certs had incorrect ownership. It still is not connecting to anything. Error in Events on the Engine is now:
> "VDSM <hostname.fqdn> command Get Host Capabilities failed: General SSLEngine problem"
>
> So status right now is, all VMs are running. Engine web ui is accessible. Engine shows all hosts as unassigned or Connecting or NonResponsive with repeated entries of the above error in Events.
>
> Sincerely,
> Jason
-- Derek Atkins 617-623-3745 derek@ihtfp.com www.ihtfp.com Computer and Internet Security Consultant

I updated the VDSM certs on the hosts and the apache cert on the engine. I'm guessing something is wrong with however the engine interacts with vdsm, I just don't know exactly what to do about it.

Jason

On 8/4/23 14:00, Derek Atkins wrote:
> Sounds like the Host Certs need to be updated.. Or possibly even the Engine CA Cert.
>
> -derek

Did you restart vdsm after updating the certs?

-derek

On Fri, August 4, 2023 2:12 pm, Jason P. Thomas wrote:
> I updated the VDSM certs on the hosts and the apache cert on the engine. I'm guessing something is wrong with however the engine interacts with vdsm, I just don't know exactly what to do about it.
>
> Jason

I restarted vdsmd and libvirtd after the cert update on each host.

Jason

On 8/4/23 14:34, Derek Atkins wrote:
> Did you restart vdsm after updating the certs?
>
> -derek

Is a change in /etc/pki/vdsm/cert/cacert.pem on the nodes going to disrupt the communications between nodes and the engine? The procedure I followed blew away all of /etc/pki/vdsm on each node. I saved the old one.

Jason

On 8/4/23 14:38, Jason P. Thomas wrote:
> I restarted vdsmd and libvirtd after the cert update on each host.
>
> Jason

Hi,

I went through a similar ordeal half a year ago and forgot all the exact procedures already but for me, in the end after following all the guides and replacing the "standard" certs it was either engine.p12 or apache.p12 keystore that also had outdated certs (apparently mTLS is being used!).

Updating these keystores is not documented anywhere. No idea if you are in the same situation but wanted to throw this out there.

Best regards,
cen

On 4. 08. 23 20:12, Jason P. Thomas wrote:
> I updated the VDSM certs on the hosts and the apache cert on the engine. I'm guessing something is wrong with however the engine interacts with vdsm, I just don't know exactly what to do about it.
>
> Jason
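The two open questions above (does a replaced CA file break trust, and does a keystore still hold an old certificate) can be checked with openssl alone. This is an added example, not part of the thread or of oVirt: it builds throwaway certificates in a temp directory, and every file name, the password `changeit` and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. Every file, name and password below is constructed for the demo.

# cert_status PEM CA_PEM WARN_SECS -> UNREADABLE | EXPIRED | UNTRUSTED | EXPIRING | OK
cert_status() {
    pem=$1; ca=$2; warn=$3
    # Wrong ownership/permissions or a damaged file shows up here first.
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || { echo UNREADABLE; return 0; }
    # -checkend 0 fails once notAfter is in the past.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 || { echo EXPIRED; return 0; }
    # A peer only accepts the cert if it chains to the CA file that peer holds.
    openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1 || { echo UNTRUSTED; return 0; }
    # Still valid today, but inside the warning window.
    openssl x509 -in "$pem" -noout -checkend "$warn" >/dev/null 2>&1 || { echo EXPIRING; return 0; }
    echo OK
}

# p12_status P12 PASSWORD CA_PEM WARN_SECS -> same states, for the cert inside a PKCS#12 keystore
p12_status() {
    tmp=$(mktemp) || return 1
    if openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -out "$tmp" 2>/dev/null; then
        cert_status "$tmp" "$3" "$4"
    else
        echo UNREADABLE   # wrong password or not a PKCS#12 file
    fi
    rm -f "$tmp"
}

# issue_leaf DIR NAME DAYS CA_NAME: constructed key + cert signed by DIR/CA_NAME
issue_leaf() {
    openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2.example.test" -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -CAcreateserial -days "$3" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_fixture: prints a temp dir holding two CAs, three leaf certs and one keystore
make_fixture() {
    d=$(mktemp -d) || return 1
    cat >"$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    for n in ca other-ca; do
        openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=constructed-$n" -days 365 \
            -keyout "$d/$n.key" -out "$d/$n.pem" >/dev/null 2>&1 || return 1
    done
    issue_leaf "$d" host 365 ca || return 1        # freshly renewed cert
    issue_leaf "$d" soon 1 ca || return 1          # about to expire
    issue_leaf "$d" stale 365 other-ca || return 1 # signed by a CA the peer does not hold
    # Keystore that still carries the short-lived cert although host.pem was renewed.
    openssl pkcs12 -export -inkey "$d/soon.key" -in "$d/soon.pem" -name constructed \
        -passout pass:changeit -out "$d/keystore.p12" >/dev/null 2>&1 || return 1
    echo "$d"
}

FIX=$(make_fixture) || { echo "openssl fixture failed" >&2; exit 1; }
WARN=$((30 * 24 * 3600))   # 30-day warning window
for c in host soon stale; do
    printf '%-14s %s\n' "$c.pem" "$(cert_status "$FIX/$c.pem" "$FIX/ca.pem" "$WARN")"
done
printf '%-14s %s\n' keystore.p12 "$(p12_status "$FIX/keystore.p12" changeit "$FIX/ca.pem" "$WARN")"
```

On a real system, `cert_status` would be pointed at each PEM certificate together with the CA file the other side trusts, and `p12_status` at each keystore, so a renewed PEM next to a keystore that was never rebuilt shows up as two different states.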

cen,

apache.p12 was the first snowflake in this avalanche. I did find something showing how to generate a new one and install it. That actually allowed me to access the engine web interface again. Kinda useless since the engine can't talk to any of the nodes though. Haha. Thanks for the info. I'll look into the engine.p12 between sessions of updating my resume. Haha

Thanks,
Jason

On 8/8/23 17:30, cen wrote:
> Hi,
>
> I went through a similar ordeal half a year ago and forgot all the exact procedures already but for me, in the end after following all the guides and replacing the "standard" certs it was either engine.p12 or apache.p12 keystore that also had outdated certs (apparently mTLS is being used!).
>
> Updating these keystores is not documented anywhere. No idea if you are in the same situation but wanted to throw this out there.
>
> Best regards,
> cen

participants (5): cen, Derek Atkins, Jason P. Thomas, Jason P. Thomas, konstantin.volenbovskyi@haufe.com