Ovirt 4.4.7, can't renew certificate of ovirt engine (certificates expired)

Hi Team,

I'm looking for your help since I didn't find any clear documentation. Is there somewhere on the oVirt website clear documentation about how to renew the engine certificates located in /etc/pki/ovirt-engine/certs/?

We have an engine GUI not working, showing the error message "PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed". After checking, all the certs in /etc/pki/ovirt-engine/certs/ are expired.

I didn't find clear documentation on the oVirt website, or even on the Red Hat website (it was always about hosts, not the engine).

Anyway, I've read that the renewal process can be done via "engine-setup --offline", but when I try it, it generates this error:

--== PKI CONFIGURATION ==--
[ ERROR ] Failed to execute stage 'Environment customization': Unable to load certificate. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.

and in the log file:

File "/usr/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1371, in load_pem_x509_certificate
    "Unable to load certificate. See https://cryptography.io/en/la"
ValueError: Unable to load certificate. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.
2022-08-29 19:16:29,502+0200 ERROR otopi.context context._executeMethod:154 Failed to execute stage 'Environment customization': Unable to load certificate. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.

I've also tried the manual procedure (using /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh) mentioned in https://users.ovirt.narkive.com/4ugjgicE/ovirt-regenerating-new-ssl-certific... (message from Alon Bar-Lev), but the 4th command always says I entered a wrong password, though it's correct.

We are blocked here and can't use our oVirt cluster, so it's pretty blocking.

Thx a lot in advance

Hi,

1) Try to run engine-setup again on the oVirt Engine VM and renew the certificates.

2) I had an even nastier problem with a zombie node host, which was completely unmanageable. Jose from albasoft.com solved this problem; contact him via e-mail if necessary.

On 8/29/22 20:32, vk@itiviti.com wrote:
Hi Team,

I'm looking for your help since I didn't find any clear documentation. Is there somewhere on the oVirt website clear documentation about how to renew the engine certificates located in /etc/pki/ovirt-engine/certs/?

We have an engine GUI not working, showing the error message "PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed".

After checking, all the certs in /etc/pki/ovirt-engine/certs/ are expired.

I didn't find clear documentation on the oVirt website, or even on the Red Hat website (it was always about hosts, not the engine).

Anyway, I've read that the renewal process can be done via "engine-setup --offline", but when I try it, it generates this error:

--== PKI CONFIGURATION ==--
[ ERROR ] Failed to execute stage 'Environment customization': Unable to load certificate. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.

and in the log file:

File "/usr/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1371, in load_pem_x509_certificate
    "Unable to load certificate. See https://cryptography.io/en/la"
ValueError: Unable to load certificate. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.
2022-08-29 19:16:29,502+0200 ERROR otopi.context context._executeMethod:154 Failed to execute stage 'Environment customization': Unable to load certificate. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details.

I've also tried the manual procedure (using /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh) mentioned in https://users.ovirt.narkive.com/4ugjgicE/ovirt-regenerating-new-ssl-certific... (message from Alon Bar-Lev), but the 4th command always says I entered a wrong password, though it's correct.

We are blocked here and can't use our oVirt cluster, so it's pretty blocking.

Thx a lot in advance

Users mailing list -- users@ovirt.org | To unsubscribe send an email to users-leave@ovirt.org | Privacy Statement: https://www.ovirt.org/privacy-policy.html | oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ | List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/RYHJ4XJAYCAN3K...

Hi Andrei,

Thx a lot for your answer.

I tried the engine-setup command several times, but it always ends with the same error as above.

Do you have the email of Jose?

A colleague renewed the cert manually on the engine with these commands:

# SUBJECT="$(openssl x509 -subject -noout -in /etc/pki/ovirt-engine/certs/apache.cer.20220829164912 | sed 's/subject= //')"
# /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=apache --password="@PASSWORD@" --subject=/C=US/O=<domain_suffix>/CN=<engine fqdn>
# openssl pkcs12 -passin "pass:@PASSWORD@" -nokeys -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
# openssl pkcs12 -passin "pass:@PASSWORD@" -nocerts -nodes -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/keys/apache.key.nopass
# chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass
# systemctl restart httpd.service ovirt-engine.service

But now our 2 hosts are unresponsive...

Thx

Hi,

Now the certificates on the engine and the hosts don't match; the engine and the vdsm services on the hosts can't handshake.

Here it is: jlsanz - at - albasoft - dot - com
On 30 Aug 2022, at 13:06, vk@itiviti.com wrote:
Hi Andrei,
thx a lot for your answer.
I tried the engine-setup command several times, but it always ends with the same error as above.

Do you have the email of Jose?

A colleague renewed the cert manually on the engine with these commands:

# SUBJECT="$(openssl x509 -subject -noout -in /etc/pki/ovirt-engine/certs/apache.cer.20220829164912 | sed 's/subject= //')"
# /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=apache --password="@PASSWORD@" --subject=/C=US/O=<domain_suffix>/CN=<engine fqdn>
# openssl pkcs12 -passin "pass:@PASSWORD@" -nokeys -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
# openssl pkcs12 -passin "pass:@PASSWORD@" -nocerts -nodes -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/keys/apache.key.nopass
# chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass
# systemctl restart httpd.service ovirt-engine.service

But now our 2 hosts are unresponsive...

Thx
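The two checks this thread turns on, whether the certificates under the engine's certs/ directory are expired (or about to be) and whether every certificate still chains to the engine CA that the hosts were enrolled against, can be scripted so they are run before and after any manual re-enrollment like the one above. The POSIX shell below is an added example, not code from the thread or from oVirt. It assumes openssl in PATH; the /etc/pki/ovirt-engine/certs directory is the one named in the thread, while /etc/pki/ovirt-engine/ca.pem as the engine CA file is an assumption. To run offline it builds a throwaway CA pair and three leaf certificates with made-up subjects in a temporary directory: one healthy, one expiring within the warning window, and one signed by a different CA, which is the engine/host disagreement Andrei describes; it also drops in a file that is not a certificate at all, the case engine-setup reports as "Unable to load certificate".

```shell
#!/bin/sh
# Added example (not oVirt code): audit a certs/ directory for expiry, parse
# failures and CA mismatch. On the engine the real call would be (paths assumed):
#   audit_pki /etc/pki/ovirt-engine/certs /etc/pki/ovirt-engine/ca.pem 30
# Requires: openssl in PATH.

# cert_status CERT WARN_DAYS -> prints UNREADABLE, EXPIRED, EXPIRING or VALID.
# "openssl x509 -checkend N" exits non-zero when the cert will have expired
# N seconds from now, so -checkend 0 means "already expired".
cert_status() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo UNREADABLE   # file is not a parseable certificate
    elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo VALID
    fi
}

# cert_issued_by CERT CAFILE -> exit 0 if CERT verifies against CAFILE.
# Note: openssl verify also fails on an expired cert, so an EXPIRED entry will
# show CHAIN-MISMATCH as well.
cert_issued_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# audit_pki DIR CAFILE WARN_DAYS -> one report line for the CA and for each
# DIR/*.cer; returns 0 only when nothing is unreadable, expired, expiring or mis-chained.
audit_pki() {
    dir=$1; ca=$2; warn=$3; problems=0
    ca_status=$(cert_status "$ca" "$warn")
    printf '%-10s %-15s %s\n' "$ca_status" "CA" "$ca"
    [ "$ca_status" = VALID ] || problems=$((problems + 1))
    for cert in "$dir"/*.cer; do
        [ -f "$cert" ] || continue
        status=$(cert_status "$cert" "$warn")
        if cert_issued_by "$cert" "$ca"; then chain=chain-ok; else chain=CHAIN-MISMATCH; fi
        printf '%-10s %-15s %s\n' "$status" "$chain" "$cert"
        { [ "$status" = VALID ] && [ "$chain" = chain-ok ]; } || problems=$((problems + 1))
    done
    [ "$problems" -eq 0 ]
}

# --- constructed demo PKI (throwaway keys, made-up names) -----------------

# issue_cert DIR CANAME NAME DAYS: make a CSR, sign it with DIR/CANAME.pem,
# write DIR/NAME.cer (P-256 keys keep the demo fast).
issue_cert() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/$3.key" -out "$1/$3.csr" -subj "/O=example.test/CN=$3.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.cer" -days "$4" >/dev/null 2>&1
}

# make_demo_pki DIR: a current engine CA, a stale CA, and four files to audit:
#   apache.cer      signed by ca.pem, 365 days  -> VALID, chain-ok
#   engine.cer      signed by ca.pem, 1 day     -> EXPIRING at a 30-day warning
#   host-stale.cer  signed by other-ca.pem      -> CHAIN-MISMATCH
#   broken.cer      not a certificate           -> UNREADABLE
make_demo_pki() {
    for name in ca other-ca; do
        openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$1/$name.key" -out "$1/$name.pem" -subj "/O=example.test/CN=$name" \
            -days 3650 >/dev/null 2>&1
    done
    issue_cert "$1" ca apache 365
    issue_cert "$1" ca engine 1
    issue_cert "$1" other-ca host-stale 365
    printf 'not a certificate\n' > "$1/broken.cer"
}

# Stand-alone demo run.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
if audit_pki "$demo_dir" "$demo_dir/ca.pem" 30; then
    echo "PKI clean"
else
    echo "PKI has problems: renew before restarting httpd/ovirt-engine"
fi
rm -rf "$demo_dir"
```

On a real engine, point audit_pki at the certs directory and the CA file and read the second column: a CHAIN-MISMATCH on a certificate that is otherwise VALID means it was signed by a CA other than the one supplied, which is the condition in which engine and vdsm cannot complete a handshake. OpenSSL 1.1.0 and later accept "-no_check_time" on "openssl verify" if you want expiry and chain failures reported separately; it is left out here to keep the script portable.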
participants (2): Andrei Verovski, vk@itiviti.com