8:32 p.m.
Hi Team,
I'm looking for your help since I didn't find any clear documentation. Is there
somewhere in ovirt website a clear documentation about how to renew the engine
certificates located in /etc/pki/ovirt-engine/certs/
We have an engine GUI not working, showing error message "PKIX path validation
failed: java.security.cert.CertPathValidatorException: validity check failed".
After checking, all the cert in /etc/pki/ovirt-engine/certs/ are expired.
I didn't find a clear documentation on ovirt website, or even on redhat website (it
was always about host but not the engine)
Anyway I've read that the renew process can be done via "engine-setup
--offline", but when I try it, it generates this error:
--== PKI CONFIGURATION ==--
[ ERROR ] Failed to execute stage 'Environment customization': Unable to load
certificate. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for
more details.
and in log file:
File
"/usr/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py",
line 1371, in load_pem_x509_certificate
"Unable to load certificate. See https://cryptography.io/en/la"
ValueError: Unable to load certificate. See
https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.
2022-08-29 19:16:29,502+0200 ERROR otopi.context context._executeMethod:154 Failed to
execute stage 'Environment customization': Unable to load certificate. See
https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.
I've also tried the manual procedure (using
/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh) mentioned in
https://users.ovirt.narkive.com/4ugjgicE/ovirt-regenerating-new-ssl-certi...
(message from Alon Bar-Lev), but the 4th command always says I enter a wrogn apssword, but
it's not.
we are blocked here and we can't use our ovirt cluster, so it's pretty blocking.
Thx a lot in advance
11:22 p.m.
New subject: Ovirt 4.4.7, can't renew certificate of ovirt engine (certificates expired)
Hi,
1) Try to run engine-setup again on oVirt Engine VM, and renew certificates.
2) I had even more nasty problem with zombie node host, which was
completely unmanageable.
Jose from albasoft.com solved this problem, contact hem via e-mail if
necessary.
On 8/29/22 20:32, vk(a)itiviti.com wrote:
Hi Team,
I'm looking for your help since I didn't find any clear documentation. Is there
somewhere in ovirt website a clear documentation about how to renew the engine
certificates located in /etc/pki/ovirt-engine/certs/
We have an engine GUI not working, showing error message "PKIX path validation
failed: java.security.cert.CertPathValidatorException: validity check failed".
After checking, all the cert in /etc/pki/ovirt-engine/certs/ are expired.
I didn't find a clear documentation on ovirt website, or even on redhat website (it
was always about host but not the engine)
Anyway I've read that the renew process can be done via "engine-setup
--offline", but when I try it, it generates this error:
--== PKI CONFIGURATION ==--
[ ERROR ] Failed to execute stage 'Environment customization': Unable to load
certificate. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for
more details.
and in log file:
File
"/usr/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py",
line 1371, in load_pem_x509_certificate
"Unable to load certificate. See https://cryptography.io/en/la"
ValueError: Unable to load certificate. See
https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.
2022-08-29 19:16:29,502+0200 ERROR otopi.context context._executeMethod:154 Failed to
execute stage 'Environment customization': Unable to load certificate. See
https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.
I've also tried the manual procedure (using
/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh) mentioned in
https://users.ovirt.narkive.com/4ugjgicE/ovirt-regenerating-new-ssl-certi...
(message from Alon Bar-Lev), but the 4th command always says I enter a wrogn apssword, but
it's not.
we are blocked here and we can't use our ovirt cluster, so it's pretty blocking.
Thx a lot in advance
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/RYHJ4XJAYCA...
1:06 p.m.
Hi Andrei,
thx a lot for your answer.
I tried several time the engine-setup command but it always ends with same above error.
DO you have the email of Jose?
A colleague renewed the cert manually on the engine whith these commands:
# SUBJECT="$(openssl x509 -subject -noout -in
/etc/pki/ovirt-engine/certs/apache.cer.20220829164912 | sed 's/subject=
//')"
# /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=apache
--password="@PASSWORD@" --subject=/C=US/O=<domain_suffix>/CN=<engine
fqdn>
# openssl pkcs12 -passin "pass:@PASSWORD@" -nokeys -in
/etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
# openssl pkcs12 -passin "pass:@PASSWORD@" -nocerts -nodes -in
/etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/keys/apache.key.nopass
# chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass
# systemctl restart httpd.service ovirt-engine.service
but now, our 2 hosts are unresponsive...
Thx
1:15 p.m.
New subject: Ovirt 4.4.7, can't renew certificate of ovirt engine (certificates expired)
Hi,
Now certificates on engine and hosts don’t match, engine and vdsm services on hosts can’t
handshake.
Here it is:
jlsanz - at - albasoft - dot - com
On 30 Aug 2022, at 13:06, vk(a)itiviti.com wrote:
Hi Andrei,
thx a lot for your answer.
I tried several time the engine-setup command but it always ends with same above error.
DO you have the email of Jose?
A colleague renewed the cert manually on the engine whith these commands:
# SUBJECT="$(openssl x509 -subject -noout -in
/etc/pki/ovirt-engine/certs/apache.cer.20220829164912 | sed 's/subject=
//')"
# /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=apache
--password="@PASSWORD@" --subject=/C=US/O=<domain_suffix>/CN=<engine
fqdn>
# openssl pkcs12 -passin "pass:@PASSWORD@" -nokeys -in
/etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
# openssl pkcs12 -passin "pass:@PASSWORD@" -nocerts -nodes -in
/etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/keys/apache.key.nopass
# chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass
# systemctl restart httpd.service ovirt-engine.service
but now, our 2 hosts are unresponsive...
Thx
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/TOKUA5HCM2S...
814
days inactive
815
days old
3 comments
2 participants
participants (2)
-
Andrei Verovski -
vk@itiviti.com