Task Run PKI enroll request for vdsm and QEMU failed to execute. Ovirt 4.5.1

Hi there, I am currently at a loss as to why I am unable to install additional nodes; I am receiving the error "Task Run PKI enroll request for vdsm and QEMU failed to execute". I am running oVirt node 4.5.1 and would appreciate any assistance, as there are no other forum threads discussing this issue. I have logs ready on request. Cheers

Log: 2022-07-20 17:50:43 UTC - TASK [ovirt-host-deploy-vdsm-certificates : Run PKI enroll request for vdsm and QEMU] *** 2022-07-20 17:50:43 UTC - 2022-07-20 17:50:43 UTC - { "status" : "OK", "msg" : "", "data" : { "uuid" : "67f44c2c-edf2-454b-ab5f-a3a6e3076ddc", "counter" : 179, "stdout" : "", "start_line" : 171, "end_line" : 171, "runner_ident" : "6b4c5f52-0854-11ed-b044-00163e598f5b", "event" : "runner_on_failed", "pid" : 32040, "created" : "2022-07-20T17:50:43.065710", "parent_uuid" : "00163e59-8f5b-ba87-8722-0000000002a4", "event_data" : { "playbook" : "ovirt-host-deploy.yml", "playbook_uuid" : "4f7a6915-ae99-445b-ac02-ba66bbd1aa57", "play" : "all", "play_uuid" : "00163e59-8f5b-ba87-8722-000000000008", "play_pattern" : "all", "task" : "Run PKI enroll request for vdsm and QEMU", "task_uuid" : "00163e59-8f5b-ba87-8722-0000000002a4", "task_action" : "command", "task_args" : "", "task_path" : "/usr/share/ovirt-engine/ansible-runner-service-project/project/roles/ovirt-host-deploy-vdsm-certificates/tasks/main.yml:38", "role" : "ovirt-host-deploy-vdsm-certificates", "host" : "xnet-node-02.xnet.local", "remote_addr" : "xnet-node-02.xnet.local", "res" : { "results" : [ { "msg" : "non-zero return code", "cmd" : [ "/usr/share/ovirt-engine/bin/pki-enroll-request.sh", "--name=xnet-node-02.xnet.local", "--subject=/O=xnet.local/CN=xnet-node-02.xnet.local", "--san=DNS:xnet-node-02.xnet.local", "--days=398", "--timeout=30", "--ca-file=ca", "--cert-dir=certs", "--req-dir=requests" ], "stdout" : "", "stderr" : "Using configuration from openssl.conf\nunable to load number from serial.txt\nerror while loading serial number\n140364123252544:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:\nCannot sign certificate", "rc" : 1, "start" : "2022-07-20 17:50:42.811555", "end" : "2022-07-20 17:50:42.840405", "delta" : "0:00:00.028850", "changed" : true, "failed" : true, "invocation" : { "module_args" : { "_raw_params" : 
"\"/usr/share/ovirt-engine/bin/pki-enroll-request.sh\"\n\"--name=xnet-node-02.xnet.local\"\n\"--subject=/O=xnet.local/CN=xnet-node-02.xnet.local\"\n\"--san=DNS:xnet-node-02.xnet.local\"\n\"--days=398\"\n\"--timeout=30\"\n\"--ca-file=ca\"\n\"--cert-dir=certs\"\n\"--req-dir=requests\"\n", "warn" : true, "_uses_shell" : false, "stdin_add_newline" : true, "strip_empty_ends" : true, "argv" : null, "chdir" : null, "executable" : null, "creates" : null, "removes" : null, "stdin" : null } }, "stdout_lines" : [ ], "stderr_lines" : [ "Using configuration from openssl.conf", "unable to load number from serial.txt", "error while loading serial number", "140364123252544:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:", "Cannot sign certificate" ], "_ansible_no_log" : false, "item" : { "ou" : "", "ca_file" : "ca", "cert_dir" : "certs", "req_dir" : "requests" }, "ansible_loop_var" : "item", "_ansible_item_label" : { "ou" : "", "ca_file" : "ca", "cert_dir" : "certs", "req_dir" : "requests" } }, { "msg" : "non-zero return code", "cmd" : [ "/usr/share/ovirt-engine/bin/pki-enroll-request.sh", "--name=xnet-node-02.xnet.local", "--subject=/O=xnet.local/CN=xnet-node-02.xnet.local/OU=qemu", "--san=DNS:xnet-node-02.xnet.local", "--days=398", "--timeout=30", "--ca-file=qemu-ca", "--cert-dir=certs-qemu", "--req-dir=requests-qemu" ], "stdout" : "", "stderr" : "Using configuration from openssl.conf\nunable to load number from serial.txt\nerror while loading serial number\n140005905663808:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:\nCannot sign certificate", "rc" : 1, "start" : "2022-07-20 17:50:43.015979", "end" : "2022-07-20 17:50:43.043930", "delta" : "0:00:00.027951", "changed" : true, "failed" : true, "invocation" : { "module_args" : { "_raw_params" : 
"\"/usr/share/ovirt-engine/bin/pki-enroll-request.sh\"\n\"--name=xnet-node-02.xnet.local\"\n\"--subject=/O=xnet.local/CN=xnet-node-02.xnet.local/OU=qemu\"\n\"--san=DNS:xnet-node-02.xnet.local\"\n\"--days=398\"\n\"--timeout=30\"\n\"--ca-file=qemu-ca\"\n\"--cert-dir=certs-qemu\"\n\"--req-dir=requests-qemu\"\n", "warn" : true, "_uses_shell" : false, "stdin_add_newline" : true, "strip_empty_ends" : true, "argv" : null, "chdir" : null, "executable" : null, "creates" : null, "removes" : null, "stdin" : null } }, "stdout_lines" : [ ], "stderr_lines" : [ "Using configuration from openssl.conf", "unable to load number from serial.txt", "error while loading serial number", "140005905663808:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:", "Cannot sign certificate" ], "_ansible_no_log" : false, "item" : { "ou" : "/OU=qemu", "ca_file" : "qemu-ca", "cert_dir" : "certs-qemu", "req_dir" : "requests-qemu" }, "ansible_loop_var" : "item", "_ansible_item_label" : { "ou" : "/OU=qemu", "ca_file" : "qemu-ca", "cert_dir" : "certs-qemu", "req_dir" : "requests-qemu" } } ], "changed" : true, "msg" : "All items completed" }, "start" : "2022-07-20T17:50:42.639821", "end" : "2022-07-20T17:50:43.065519", "duration" : 0.425698, "ignore_errors" : null, "event_loop" : "items", "uuid" : "67f44c2c-edf2-454b-ab5f-a3a6e3076ddc" } } }

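That error is saying the enrollment script cannot access the serial.txt file to generate the new certificate's serial number. (Note that the stderr reads "unable to load number from serial.txt" followed by an a2i_ASN1_INTEGER "short line" error, which is what OpenSSL typically reports when the file could be opened but is empty or does not contain a valid hex number, so check the file's contents as well as its existence and permissions.) That file should be located at /etc/pki/ovirt-engine/serial.txt, owned by the ovirt user / group. (Oddly enough, on my system that file is world readable / writable, which seems like it should be wrong...) There may also be backup files of it in that same directory. If the file doesn't exist at all and there are no backups: you could try to create a new one by figuring out what the highest serial number issued by the internal CA is, incrementing it by one, and echoing that into a new serial.txt file (setting permissions as appropriate). OpenSSL expects the serial file to hold a hexadecimal value, and the new value must be higher than every serial already issued so that no two certificates from the CA share a serial number; keep a copy of whatever is in the directory before changing it. Although in this case, I'd ask why the file was deleted in the first place. -Patrick Hibbs On Wed, 2022-07-20 at 19:44 +0000, xavierl@rogers.com wrote: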
Log:
2022-07-20 17:50:43 UTC - TASK [ovirt-host-deploy-vdsm-certificates : Run PKI enroll request for vdsm and QEMU] *** 2022-07-20 17:50:43 UTC - 2022-07-20 17:50:43 UTC - { "status" : "OK", "msg" : "", "data" : { "uuid" : "67f44c2c-edf2-454b-ab5f-a3a6e3076ddc", "counter" : 179, "stdout" : "", "start_line" : 171, "end_line" : 171, "runner_ident" : "6b4c5f52-0854-11ed-b044-00163e598f5b", "event" : "runner_on_failed", "pid" : 32040, "created" : "2022-07-20T17:50:43.065710", "parent_uuid" : "00163e59-8f5b-ba87-8722-0000000002a4", "event_data" : { "playbook" : "ovirt-host-deploy.yml", "playbook_uuid" : "4f7a6915-ae99-445b-ac02-ba66bbd1aa57", "play" : "all", "play_uuid" : "00163e59-8f5b-ba87-8722-000000000008", "play_pattern" : "all", "task" : "Run PKI enroll request for vdsm and QEMU", "task_uuid" : "00163e59-8f5b-ba87-8722-0000000002a4", "task_action" : "command", "task_args" : "", "task_path" : "/usr/share/ovirt-engine/ansible-runner-service- project/project/roles/ovirt-host-deploy-vdsm- certificates/tasks/main.yml:38", "role" : "ovirt-host-deploy-vdsm-certificates", "host" : "xnet-node-02.xnet.local", "remote_addr" : "xnet-node-02.xnet.local", "res" : { "results" : [ { "msg" : "non-zero return code", "cmd" : [ "/usr/share/ovirt-engine/bin/pki-enroll- request.sh", "--name=xnet-node-02.xnet.local", "-- subject=/O=xnet.local/CN=xnet-node-02.xnet.local", "--san=DNS:xnet- node-02.xnet.local", "--days=398", "--timeout=30", "--ca-file=ca", "- -cert-dir=certs", "--req-dir=requests" ], "stdout" : "", "stderr" : "Using configuration from openssl.conf\nunable to load number from serial.txt\nerror while loading serial number\n140364123252544:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:\nCannot sign certificate", "rc" : 1, "start" : "2022-07-20 17:50:42.811555", "end" : "2022-07-20 17:50:42.840405", "delta" : "0:00:00.028850", "changed" : true, "failed" : true, "invocation" : { "module_args" : { "_raw_params" : 
"\"/usr/share/ovirt-engine/bin/pki- enroll-request.sh\"\n\"--name=xnet-node-02.xnet.local\"\n\"-- subject=/O=xnet.local/CN=xnet-node-02.xnet.local\"\n\"--san=DNS:xnet- node-02.xnet.local\"\n\"--days=398\"\n\"--timeout=30\"\n\"--ca- file=ca\"\n\"--cert-dir=certs\"\n\"--req-dir=requests\"\n", "warn" : true, "_uses_shell" : false, "stdin_add_newline" : true, "strip_empty_ends" : true, "argv" : null, "chdir" : null, "executable" : null, "creates" : null, "removes" : null, "stdin" : null } }, "stdout_lines" : [ ], "stderr_lines" : [ "Using configuration from openssl.conf", "unable to load number from serial.txt", "error while loading serial number", "140364123252544:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:", "Cannot sign certificate" ], "_ansible_no_log" : false, "item" : { "ou" : "", "ca_file" : "ca", "cert_dir" : "certs", "req_dir" : "requests" }, "ansible_loop_var" : "item", "_ansible_item_label" : { "ou" : "", "ca_file" : "ca", "cert_dir" : "certs", "req_dir" : "requests" } }, { "msg" : "non-zero return code", "cmd" : [ "/usr/share/ovirt-engine/bin/pki-enroll- request.sh", "--name=xnet-node-02.xnet.local", "-- subject=/O=xnet.local/CN=xnet-node-02.xnet.local/OU=qemu", "-- san=DNS:xnet-node-02.xnet.local", "--days=398", "--timeout=30", "-- ca-file=qemu-ca", "--cert-dir=certs-qemu", "--req-dir=requests-qemu" ], "stdout" : "", "stderr" : "Using configuration from openssl.conf\nunable to load number from serial.txt\nerror while loading serial number\n140005905663808:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:\nCannot sign certificate", "rc" : 1, "start" : "2022-07-20 17:50:43.015979", "end" : "2022-07-20 17:50:43.043930", "delta" : "0:00:00.027951", "changed" : true, "failed" : true, "invocation" : { "module_args" : { "_raw_params" : "\"/usr/share/ovirt-engine/bin/pki- enroll-request.sh\"\n\"--name=xnet-node-02.xnet.local\"\n\"-- 
subject=/O=xnet.local/CN=xnet-node-02.xnet.local/OU=qemu\"\n\"-- san=DNS:xnet-node-02.xnet.local\"\n\"--days=398\"\n\"-- timeout=30\"\n\"--ca-file=qemu-ca\"\n\"--cert-dir=certs-qemu\"\n\"-- req-dir=requests-qemu\"\n", "warn" : true, "_uses_shell" : false, "stdin_add_newline" : true, "strip_empty_ends" : true, "argv" : null, "chdir" : null, "executable" : null, "creates" : null, "removes" : null, "stdin" : null } }, "stdout_lines" : [ ], "stderr_lines" : [ "Using configuration from openssl.conf", "unable to load number from serial.txt", "error while loading serial number", "140005905663808:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:", "Cannot sign certificate" ], "_ansible_no_log" : false, "item" : { "ou" : "/OU=qemu", "ca_file" : "qemu-ca", "cert_dir" : "certs-qemu", "req_dir" : "requests-qemu" }, "ansible_loop_var" : "item", "_ansible_item_label" : { "ou" : "/OU=qemu", "ca_file" : "qemu-ca", "cert_dir" : "certs-qemu", "req_dir" : "requests-qemu" } } ], "changed" : true, "msg" : "All items completed" }, "start" : "2022-07-20T17:50:42.639821", "end" : "2022-07-20T17:50:43.065519", "duration" : 0.425698, "ignore_errors" : null, "event_loop" : "items", "uuid" : "67f44c2c-edf2-454b-ab5f-a3a6e3076ddc" } } } _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/AWB77BK4CLJZ34...

Patrick Hibbs <hibbsncc1701@gmail.com> writes:
That error is saying the enrollment script cannot access the serial.txt file to generate the new certificate's serial number. That file should be located at /etc/pki/ovirt-engine/serial.txt Owned by the ovirt user / group. (Oddly enough on my system that file is world readable / writable. Which seems like it should be wrong...)
It is wrong: serial.txt is part of the CA's state, so it should not be writable by arbitrary local users. It is being handled in https://github.com/oVirt/ovirt-engine/pull/477.
There may also be backup files of it in that same directory.
If the file doesn't exist at all and there are no backups: You could try to create a new one by figuring out what the highest serial number issued by the internal ca is, incrementing it by one, and echoing that into a new serial.txt file. (Setting permissions as appropriate.) Although in this case, I'd ask why the file was deleted in the first place.
It might be related to https://bugzilla.redhat.com/2088446 but I don't know any details. Regards, Milan
-Patrick Hibbs
On Wed, 2022-07-20 at 19:44 +0000, xavierl@rogers.com wrote:
Log:
2022-07-20 17:50:43 UTC - TASK [ovirt-host-deploy-vdsm-certificates : Run PKI enroll request for vdsm and QEMU] *** 2022-07-20 17:50:43 UTC - 2022-07-20 17:50:43 UTC - { "status" : "OK", "msg" : "", "data" : { "uuid" : "67f44c2c-edf2-454b-ab5f-a3a6e3076ddc", "counter" : 179, "stdout" : "", "start_line" : 171, "end_line" : 171, "runner_ident" : "6b4c5f52-0854-11ed-b044-00163e598f5b", "event" : "runner_on_failed", "pid" : 32040, "created" : "2022-07-20T17:50:43.065710", "parent_uuid" : "00163e59-8f5b-ba87-8722-0000000002a4", "event_data" : { "playbook" : "ovirt-host-deploy.yml", "playbook_uuid" : "4f7a6915-ae99-445b-ac02-ba66bbd1aa57", "play" : "all", "play_uuid" : "00163e59-8f5b-ba87-8722-000000000008", "play_pattern" : "all", "task" : "Run PKI enroll request for vdsm and QEMU", "task_uuid" : "00163e59-8f5b-ba87-8722-0000000002a4", "task_action" : "command", "task_args" : "", "task_path" : "/usr/share/ovirt-engine/ansible-runner-service- project/project/roles/ovirt-host-deploy-vdsm- certificates/tasks/main.yml:38", "role" : "ovirt-host-deploy-vdsm-certificates", "host" : "xnet-node-02.xnet.local", "remote_addr" : "xnet-node-02.xnet.local", "res" : { "results" : [ { "msg" : "non-zero return code", "cmd" : [ "/usr/share/ovirt-engine/bin/pki-enroll- request.sh", "--name=xnet-node-02.xnet.local", "-- subject=/O=xnet.local/CN=xnet-node-02.xnet.local", "--san=DNS:xnet- node-02.xnet.local", "--days=398", "--timeout=30", "--ca-file=ca", "- -cert-dir=certs", "--req-dir=requests" ], "stdout" : "", "stderr" : "Using configuration from openssl.conf\nunable to load number from serial.txt\nerror while loading serial number\n140364123252544:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:\nCannot sign certificate", "rc" : 1, "start" : "2022-07-20 17:50:42.811555", "end" : "2022-07-20 17:50:42.840405", "delta" : "0:00:00.028850", "changed" : true, "failed" : true, "invocation" : { "module_args" : { "_raw_params" : 
"\"/usr/share/ovirt-engine/bin/pki- enroll-request.sh\"\n\"--name=xnet-node-02.xnet.local\"\n\"-- subject=/O=xnet.local/CN=xnet-node-02.xnet.local\"\n\"--san=DNS:xnet- node-02.xnet.local\"\n\"--days=398\"\n\"--timeout=30\"\n\"--ca- file=ca\"\n\"--cert-dir=certs\"\n\"--req-dir=requests\"\n", "warn" : true, "_uses_shell" : false, "stdin_add_newline" : true, "strip_empty_ends" : true, "argv" : null, "chdir" : null, "executable" : null, "creates" : null, "removes" : null, "stdin" : null } }, "stdout_lines" : [ ], "stderr_lines" : [ "Using configuration from openssl.conf", "unable to load number from serial.txt", "error while loading serial number", "140364123252544:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:", "Cannot sign certificate" ], "_ansible_no_log" : false, "item" : { "ou" : "", "ca_file" : "ca", "cert_dir" : "certs", "req_dir" : "requests" }, "ansible_loop_var" : "item", "_ansible_item_label" : { "ou" : "", "ca_file" : "ca", "cert_dir" : "certs", "req_dir" : "requests" } }, { "msg" : "non-zero return code", "cmd" : [ "/usr/share/ovirt-engine/bin/pki-enroll- request.sh", "--name=xnet-node-02.xnet.local", "-- subject=/O=xnet.local/CN=xnet-node-02.xnet.local/OU=qemu", "-- san=DNS:xnet-node-02.xnet.local", "--days=398", "--timeout=30", "-- ca-file=qemu-ca", "--cert-dir=certs-qemu", "--req-dir=requests-qemu" ], "stdout" : "", "stderr" : "Using configuration from openssl.conf\nunable to load number from serial.txt\nerror while loading serial number\n140005905663808:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:\nCannot sign certificate", "rc" : 1, "start" : "2022-07-20 17:50:43.015979", "end" : "2022-07-20 17:50:43.043930", "delta" : "0:00:00.027951", "changed" : true, "failed" : true, "invocation" : { "module_args" : { "_raw_params" : "\"/usr/share/ovirt-engine/bin/pki- enroll-request.sh\"\n\"--name=xnet-node-02.xnet.local\"\n\"-- 
subject=/O=xnet.local/CN=xnet-node-02.xnet.local/OU=qemu\"\n\"-- san=DNS:xnet-node-02.xnet.local\"\n\"--days=398\"\n\"-- timeout=30\"\n\"--ca-file=qemu-ca\"\n\"--cert-dir=certs-qemu\"\n\"-- req-dir=requests-qemu\"\n", "warn" : true, "_uses_shell" : false, "stdin_add_newline" : true, "strip_empty_ends" : true, "argv" : null, "chdir" : null, "executable" : null, "creates" : null, "removes" : null, "stdin" : null } }, "stdout_lines" : [ ], "stderr_lines" : [ "Using configuration from openssl.conf", "unable to load number from serial.txt", "error while loading serial number", "140005905663808:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:", "Cannot sign certificate" ], "_ansible_no_log" : false, "item" : { "ou" : "/OU=qemu", "ca_file" : "qemu-ca", "cert_dir" : "certs-qemu", "req_dir" : "requests-qemu" }, "ansible_loop_var" : "item", "_ansible_item_label" : { "ou" : "/OU=qemu", "ca_file" : "qemu-ca", "cert_dir" : "certs-qemu", "req_dir" : "requests-qemu" } } ], "changed" : true, "msg" : "All items completed" }, "start" : "2022-07-20T17:50:42.639821", "end" : "2022-07-20T17:50:43.065519", "duration" : 0.425698, "ignore_errors" : null, "event_loop" : "items", "uuid" : "67f44c2c-edf2-454b-ab5f-a3a6e3076ddc" } } } _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/AWB77BK4CLJZ34...

Thank you Patrick and Milan for your assistance. I was at a complete loss as I had added nodes before without issue and Dr. Google failed to provide any solutions. Relieved to know that this issue is being worked on! Cheers, Xavier