That error is saying the enrollment script cannot access the serial.txt file to generate the new certificate's serial number. That file should be located at /etc/pki/ovirt-engine/serial.txt Owned by the ovirt user / group. (Oddly enough on my system that file is world readable / writable. Which seems like it should be wrong...)

There may also be backup files of it in that same directory. If the file doesn't exist at all and there are no backups: You could try to create a new one by figuring out what the highest serial number issued by the internal ca is, incrementing it by one, and echoing that into a new serial.txt file. (Setting permissions as appropriate.) Although in this case, I'd ask why the file was deleted in the first place.

-Patrick Hibbs On Wed, 2022-07-20 at 19:44 +0000, xavierl(a)rogers.com wrote: > Log: > > 2022-07-20 17:50:43 UTC - TASK [ovirt-host-deploy-vdsm-certificates : > Run PKI enroll request for vdsm and QEMU] *** > 2022-07-20 17:50:43 UTC - > 2022-07-20 17:50:43 UTC - { >   "status" : "OK", >   "msg" : "", >   "data" : { >     "uuid" : "67f44c2c-edf2-454b-ab5f-a3a6e3076ddc", >     "counter" : 179, >     "stdout" : "", >     "start_line" : 171, >     "end_line" : 171, >     "runner_ident" : "6b4c5f52-0854-11ed-b044-00163e598f5b", >     "event" : "runner_on_failed", >     "pid" : 32040, >     "created" : "2022-07-20T17:50:43.065710", >     "parent_uuid" : "00163e59-8f5b-ba87-8722-0000000002a4", >     "event_data" : { >       "playbook" : "ovirt-host-deploy.yml", >       "playbook_uuid" : "4f7a6915-ae99-445b-ac02-ba66bbd1aa57", >       "play" : "all", >       "play_uuid" : "00163e59-8f5b-ba87-8722-000000000008", >       "play_pattern" : "all", >       "task" : "Run PKI enroll request for vdsm and QEMU", >       "task_uuid" : "00163e59-8f5b-ba87-8722-0000000002a4", >       "task_action" : "command", >       "task_args" : "", >       "task_path" : "/usr/share/ovirt-engine/ansible-runner-service- > project/project/roles/ovirt-host-deploy-vdsm- > certificates/tasks/main.yml:38", >       "role" : "ovirt-host-deploy-vdsm-certificates", >       "host" : "xnet-node-02.xnet.local", >       "remote_addr" : "xnet-node-02.xnet.local", >       "res" : { >         "results" : [ { >           "msg" : "non-zero return code", >           "cmd" : [ "/usr/share/ovirt-engine/bin/pki-enroll- > request.sh", "--name=xnet-node-02.xnet.local", "-- > subject=/O=xnet.local/CN=xnet-node-02.xnet.local", "--san=DNS:xnet- > node-02.xnet.local", "--days=398", "--timeout=30", "--ca-file=ca", "- > -cert-dir=certs", "--req-dir=requests" ], >           "stdout" : "", >           "stderr" : "Using configuration from openssl.conf\nunable > to load number from serial.txt\nerror while loading serial > number\n140364123252544:error:0D066096:asn1 encoding > routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:\nCannot > sign certificate", >           "rc" : 1, >           "start" : "2022-07-20 17:50:42.811555", >           "end" : "2022-07-20 17:50:42.840405", >           "delta" : "0:00:00.028850", >           "changed" : true, >           "failed" : true, >           "invocation" : { >             "module_args" : { >               "_raw_params" : "\"/usr/share/ovirt-engine/bin/pki- > enroll-request.sh\"\n\"--name=xnet-node-02.xnet.local\"\n\"-- > subject=/O=xnet.local/CN=xnet-node-02.xnet.local\"\n\"--san=DNS:xnet- > node-02.xnet.local\"\n\"--days=398\"\n\"--timeout=30\"\n\"--ca- > file=ca\"\n\"--cert-dir=certs\"\n\"--req-dir=requests\"\n", >               "warn" : true, >               "_uses_shell" : false, >               "stdin_add_newline" : true, >               "strip_empty_ends" : true, >               "argv" : null, >               "chdir" : null, >               "executable" : null, >               "creates" : null, >               "removes" : null, >               "stdin" : null >             } >           }, >           "stdout_lines" : [ ], >           "stderr_lines" : [ "Using configuration from openssl.conf", > "unable to load number from serial.txt", "error while loading serial > number", "140364123252544:error:0D066096:asn1 encoding > routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:", > "Cannot sign certificate" ], >           "_ansible_no_log" : false, >           "item" : { >             "ou" : "", >             "ca_file" : "ca", >             "cert_dir" : "certs", >             "req_dir" : "requests" >           }, >           "ansible_loop_var" : "item", >           "_ansible_item_label" : { >             "ou" : "", >             "ca_file" : "ca", >             "cert_dir" : "certs", >             "req_dir" : "requests" >           } >         }, { >           "msg" : "non-zero return code", >           "cmd" : [ "/usr/share/ovirt-engine/bin/pki-enroll- > request.sh", "--name=xnet-node-02.xnet.local", "-- > subject=/O=xnet.local/CN=xnet-node-02.xnet.local/OU=qemu", "-- > san=DNS:xnet-node-02.xnet.local", "--days=398", "--timeout=30", "-- > ca-file=qemu-ca", "--cert-dir=certs-qemu", "--req-dir=requests-qemu" > ], >           "stdout" : "", >           "stderr" : "Using configuration from openssl.conf\nunable > to load number from serial.txt\nerror while loading serial > number\n140005905663808:error:0D066096:asn1 encoding > routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:\nCannot > sign certificate", >           "rc" : 1, >           "start" : "2022-07-20 17:50:43.015979", >           "end" : "2022-07-20 17:50:43.043930", >           "delta" : "0:00:00.027951", >           "changed" : true, >           "failed" : true, >           "invocation" : { >             "module_args" : { >               "_raw_params" : "\"/usr/share/ovirt-engine/bin/pki- > enroll-request.sh\"\n\"--name=xnet-node-02.xnet.local\"\n\"-- > subject=/O=xnet.local/CN=xnet-node-02.xnet.local/OU=qemu\"\n\"-- > san=DNS:xnet-node-02.xnet.local\"\n\"--days=398\"\n\"-- > timeout=30\"\n\"--ca-file=qemu-ca\"\n\"--cert-dir=certs-qemu\"\n\"-- > req-dir=requests-qemu\"\n", >               "warn" : true, >               "_uses_shell" : false, >               "stdin_add_newline" : true, >               "strip_empty_ends" : true, >               "argv" : null, >               "chdir" : null, >               "executable" : null, >               "creates" : null, >               "removes" : null, >               "stdin" : null >             } >           }, >           "stdout_lines" : [ ], >           "stderr_lines" : [ "Using configuration from openssl.conf", > "unable to load number from serial.txt", "error while loading serial > number", "140005905663808:error:0D066096:asn1 encoding > routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:", > "Cannot sign certificate" ], >           "_ansible_no_log" : false, >           "item" : { >             "ou" : "/OU=qemu", >             "ca_file" : "qemu-ca", >             "cert_dir" : "certs-qemu", >             "req_dir" : "requests-qemu" >           }, >           "ansible_loop_var" : "item", >           "_ansible_item_label" : { >             "ou" : "/OU=qemu", >             "ca_file" : "qemu-ca", >             "cert_dir" : "certs-qemu", >             "req_dir" : "requests-qemu" >           } >         } ], >         "changed" : true, >         "msg" : "All items completed" >       }, >       "start" : "2022-07-20T17:50:42.639821", >       "end" : "2022-07-20T17:50:43.065519", >       "duration" : 0.425698, >       "ignore_errors" : null, >       "event_loop" : "items", >       "uuid" : "67f44c2c-edf2-454b-ab5f-a3a6e3076ddc" >     } >   } > } > _______________________________________________ > Users mailing list -- users(a)ovirt.org > To unsubscribe send an email to users-leave(a)ovirt.org > Privacy Statement: https://www.ovirt.org/privacy-policy.html > oVirt Code of Conduct: > https://www.ovirt.org/community/about/community-guidelines/ > List Archives: > https://lists.ovirt.org/archives/list/users@ovirt.org/message/AWB77BK4CLJ... _______________________________________________ Users mailing list -- users(a)ovirt.org To unsubscribe send an email to users-leave(a)ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/7SUDHL5ULD3...