That error is saying the enrollment script cannot access the
serial.txt
file to generate the new certificate's serial number. That file should
be located at /etc/pki/ovirt-engine/serial.txt Owned by the ovirt user
/ group. (Oddly enough on my system that file is world readable /
writable. Which seems like it should be wrong...)
There may also be backup files of it in that same directory.
If the file doesn't exist at all and there are no backups: You could
try to create a new one by figuring out what the highest serial number
issued by the internal ca is, incrementing it by one, and echoing that
into a new serial.txt file. (Setting permissions as appropriate.)
Although in this case, I'd ask why the file was deleted in the first
place.
-Patrick Hibbs
On Wed, 2022-07-20 at 19:44 +0000, xavierl(a)rogers.com wrote:
> Log:
>
> 2022-07-20 17:50:43 UTC - TASK [ovirt-host-deploy-vdsm-certificates :
> Run PKI enroll request for vdsm and QEMU] ***
> 2022-07-20 17:50:43 UTC -
> 2022-07-20 17:50:43 UTC - {
> "status" : "OK",
> "msg" : "",
> "data" : {
> "uuid" : "67f44c2c-edf2-454b-ab5f-a3a6e3076ddc",
> "counter" : 179,
> "stdout" : "",
> "start_line" : 171,
> "end_line" : 171,
> "runner_ident" : "6b4c5f52-0854-11ed-b044-00163e598f5b",
> "event" : "runner_on_failed",
> "pid" : 32040,
> "created" : "2022-07-20T17:50:43.065710",
> "parent_uuid" : "00163e59-8f5b-ba87-8722-0000000002a4",
> "event_data" : {
> "playbook" : "ovirt-host-deploy.yml",
> "playbook_uuid" : "4f7a6915-ae99-445b-ac02-ba66bbd1aa57",
> "play" : "all",
> "play_uuid" : "00163e59-8f5b-ba87-8722-000000000008",
> "play_pattern" : "all",
> "task" : "Run PKI enroll request for vdsm and QEMU",
> "task_uuid" : "00163e59-8f5b-ba87-8722-0000000002a4",
> "task_action" : "command",
> "task_args" : "",
> "task_path" : "/usr/share/ovirt-engine/ansible-runner-service-
> project/project/roles/ovirt-host-deploy-vdsm-
> certificates/tasks/main.yml:38",
> "role" : "ovirt-host-deploy-vdsm-certificates",
> "host" : "xnet-node-02.xnet.local",
> "remote_addr" : "xnet-node-02.xnet.local",
> "res" : {
> "results" : [ {
> "msg" : "non-zero return code",
> "cmd" : [ "/usr/share/ovirt-engine/bin/pki-enroll-
> request.sh", "--name=xnet-node-02.xnet.local", "--
> subject=/O=xnet.local/CN=xnet-node-02.xnet.local", "--san=DNS:xnet-
> node-02.xnet.local", "--days=398", "--timeout=30",
"--ca-file=ca", "-
> -cert-dir=certs", "--req-dir=requests" ],
> "stdout" : "",
> "stderr" : "Using configuration from openssl.conf\nunable
> to load number from serial.txt\nerror while loading serial
> number\n140364123252544:error:0D066096:asn1 encoding
> routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:\nCannot
> sign certificate",
> "rc" : 1,
> "start" : "2022-07-20 17:50:42.811555",
> "end" : "2022-07-20 17:50:42.840405",
> "delta" : "0:00:00.028850",
> "changed" : true,
> "failed" : true,
> "invocation" : {
> "module_args" : {
> "_raw_params" :
"\"/usr/share/ovirt-engine/bin/pki-
> enroll-request.sh\"\n\"--name=xnet-node-02.xnet.local\"\n\"--
> subject=/O=xnet.local/CN=xnet-node-02.xnet.local\"\n\"--san=DNS:xnet-
>
node-02.xnet.local\"\n\"--days=398\"\n\"--timeout=30\"\n\"--ca-
>
file=ca\"\n\"--cert-dir=certs\"\n\"--req-dir=requests\"\n",
> "warn" : true,
> "_uses_shell" : false,
> "stdin_add_newline" : true,
> "strip_empty_ends" : true,
> "argv" : null,
> "chdir" : null,
> "executable" : null,
> "creates" : null,
> "removes" : null,
> "stdin" : null
> }
> },
> "stdout_lines" : [ ],
> "stderr_lines" : [ "Using configuration from
openssl.conf",
> "unable to load number from serial.txt", "error while loading serial
> number", "140364123252544:error:0D066096:asn1 encoding
> routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:",
> "Cannot sign certificate" ],
> "_ansible_no_log" : false,
> "item" : {
> "ou" : "",
> "ca_file" : "ca",
> "cert_dir" : "certs",
> "req_dir" : "requests"
> },
> "ansible_loop_var" : "item",
> "_ansible_item_label" : {
> "ou" : "",
> "ca_file" : "ca",
> "cert_dir" : "certs",
> "req_dir" : "requests"
> }
> }, {
> "msg" : "non-zero return code",
> "cmd" : [ "/usr/share/ovirt-engine/bin/pki-enroll-
> request.sh", "--name=xnet-node-02.xnet.local", "--
> subject=/O=xnet.local/CN=xnet-node-02.xnet.local/OU=qemu", "--
> san=DNS:xnet-node-02.xnet.local", "--days=398",
"--timeout=30", "--
> ca-file=qemu-ca", "--cert-dir=certs-qemu",
"--req-dir=requests-qemu"
> ],
> "stdout" : "",
> "stderr" : "Using configuration from openssl.conf\nunable
> to load number from serial.txt\nerror while loading serial
> number\n140005905663808:error:0D066096:asn1 encoding
> routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:\nCannot
> sign certificate",
> "rc" : 1,
> "start" : "2022-07-20 17:50:43.015979",
> "end" : "2022-07-20 17:50:43.043930",
> "delta" : "0:00:00.027951",
> "changed" : true,
> "failed" : true,
> "invocation" : {
> "module_args" : {
> "_raw_params" :
"\"/usr/share/ovirt-engine/bin/pki-
> enroll-request.sh\"\n\"--name=xnet-node-02.xnet.local\"\n\"--
> subject=/O=xnet.local/CN=xnet-node-02.xnet.local/OU=qemu\"\n\"--
> san=DNS:xnet-node-02.xnet.local\"\n\"--days=398\"\n\"--
>
timeout=30\"\n\"--ca-file=qemu-ca\"\n\"--cert-dir=certs-qemu\"\n\"--
> req-dir=requests-qemu\"\n",
> "warn" : true,
> "_uses_shell" : false,
> "stdin_add_newline" : true,
> "strip_empty_ends" : true,
> "argv" : null,
> "chdir" : null,
> "executable" : null,
> "creates" : null,
> "removes" : null,
> "stdin" : null
> }
> },
> "stdout_lines" : [ ],
> "stderr_lines" : [ "Using configuration from
openssl.conf",
> "unable to load number from serial.txt", "error while loading serial
> number", "140005905663808:error:0D066096:asn1 encoding
> routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:",
> "Cannot sign certificate" ],
> "_ansible_no_log" : false,
> "item" : {
> "ou" : "/OU=qemu",
> "ca_file" : "qemu-ca",
> "cert_dir" : "certs-qemu",
> "req_dir" : "requests-qemu"
> },
> "ansible_loop_var" : "item",
> "_ansible_item_label" : {
> "ou" : "/OU=qemu",
> "ca_file" : "qemu-ca",
> "cert_dir" : "certs-qemu",
> "req_dir" : "requests-qemu"
> }
> } ],
> "changed" : true,
> "msg" : "All items completed"
> },
> "start" : "2022-07-20T17:50:42.639821",
> "end" : "2022-07-20T17:50:43.065519",
> "duration" : 0.425698,
> "ignore_errors" : null,
> "event_loop" : "items",
> "uuid" : "67f44c2c-edf2-454b-ab5f-a3a6e3076ddc"
> }
> }
> }
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
> To unsubscribe send an email to users-leave(a)ovirt.org
> Privacy Statement:
https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
>
https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
>
https://lists.ovirt.org/archives/list/users@ovirt.org/message/AWB77BK4CLJ...
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement:
https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/7SUDHL5ULD3...