11:47 a.m.
Hi,
We're running oVirt 4.5.4, recently we got this alert:
Engine's certification is about to expire at 2023-11-19. Please renew
the engine's certification.
So I'm trying to run:
engine-setup --offline
However, it fails with the following error:
[ INFO ] Upgrading CA
[ INFO ] Renewing engine certificate
[ ERROR ] Failed to execute stage 'Misc configuration': Command
'/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to execute
Digging into the logs I can see this:
2023-11-14 08:36:22,848+0000 DEBUG
otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ca plugin.execute:926
execute-output: ('/usr/share/ovirt-engine/bin/pki-enroll- pkcs12.sh',
'--name=engine', '--password=**FILTERED**',
'--subject=/C=US/O=stic.ull.es/CN=fqdn.es', '--san=DNS:fqdn.es',
'--keep-key') stderr:
Ignoring -days; not generating a certificate
/etc/pki/ovirt-engine/ca.pem is not on a local filesystem
Cannot sign request
2023-11-14 08:36:22,849+0000 DEBUG otopi.context
context._executeMethod:145 method exception
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/otopi/context.py", line 132,
in _executeMethod
method['method']()
File
"/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py",
line 753, in _miscUpgrade
self._enrollCertificates(True, uninstall_files)
File
"/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py",
line 360, in _enrollCertificates
shortLife=entry['shortLife'],
File
"/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py",
line 250, in _enrollCertificate
+ (('--days=398',) if shortLife else ())
File "/usr/lib/python3.6/site-packages/otopi/plugin.py", line 931,
in execute
command=args[0],
RuntimeError: Command
'/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to execute
2023-11-14 08:36:22,852+0000 ERROR otopi.context
context._executeMethod:154 Failed to execute stage 'Misc configuration':
Command '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to
execute
However, the file exists and is on a local filesystem:
# ll /etc/pki/ovirt-engine/ca.pem
-rw-r--r--. 1 root root 4516 jun 24 2015 /etc/pki/ovirt-engine/ca.pem
Can someone shed some light about why is this failing and how to solve
it, please?
Thanks.
12:12 p.m.
On Tue, Nov 14, 2023 at 10:49 AM <nicolas(a)devels.es> wrote:
Hi,
We're running oVirt 4.5.4, recently we got this alert:
Engine's certification is about to expire at 2023-11-19. Please renew
the engine's certification.
So I'm trying to run:
engine-setup --offline
However, it fails with the following error:
[ INFO ] Upgrading CA
[ INFO ] Renewing engine certificate
[ ERROR ] Failed to execute stage 'Misc configuration': Command
'/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to execute
Digging into the logs I can see this:
2023-11-14 08:36:22,848+0000 DEBUG
otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ca plugin.execute:926
execute-output: ('/usr/share/ovirt-engine/bin/pki-enroll- pkcs12.sh',
'--name=engine', '--password=**FILTERED**',
'--subject=/C=US/O=stic.ull.es/CN=fqdn.es', '--san=DNS:fqdn.es',
'--keep-key') stderr:
Ignoring -days; not generating a certificate
/etc/pki/ovirt-engine/ca.pem is not on a local filesystem
Cannot sign request
2023-11-14 08:36:22,849+0000 DEBUG otopi.context
context._executeMethod:145 method exception
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/otopi/context.py", line 132,
in _executeMethod
method['method']()
File
"/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py",
line 753, in _miscUpgrade
self._enrollCertificates(True, uninstall_files)
File
"/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py",
line 360, in _enrollCertificates
shortLife=entry['shortLife'],
File
"/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py",
line 250, in _enrollCertificate
+ (('--days=398',) if shortLife else ())
File "/usr/lib/python3.6/site-packages/otopi/plugin.py", line 931,
in execute
command=args[0],
RuntimeError: Command
'/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to execute
2023-11-14 08:36:22,852+0000 ERROR otopi.context
context._executeMethod:154 Failed to execute stage 'Misc configuration':
Command '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to
execute
However, the file exists and is on a local filesystem:
# ll /etc/pki/ovirt-engine/ca.pem
-rw-r--r--. 1 root root 4516 jun 24 2015 /etc/pki/ovirt-engine/ca.pem
This does not prove that it's on a local filesystem - can be on nfs, and nfs
locking is sometimes problematic, so we prevented that. See
pki-enroll-request.sh.
Can someone shed some light about why is this failing and how to solve
it, please?
What output do you get for:
df -l /etc/pki/ovirt-engine/ca.pem
?
Best regards,
--
Didi
12:28 p.m.
New subject: /etc/pki/ovirt-engine/ca.pem is not on a local filesystem
Hi Didi,
Thanks for the reply.
Finally solved it by exporting LANG=C in the shell before running the
command.
Seems that the "pki-enroll-request.sh" does this check:
LOCK="${PKIDIR}/${CA_FILE}".pem
df -l "${LOCK}" 2> /dev/null | grep -q "File" || die
"${LOCK} is not
on a local filesystem"
However, if LANG is a different language than C, the output will vary
and the grep command will return empty.
It's working now. Thanks.
El 2023-11-14 09:12, Yedidyah Bar David escribió:
> On Tue, Nov 14, 2023 at 10:49 AM <nicolas(a)devels.es> wrote:
>
>> Hi,
>>
>> We're running oVirt 4.5.4, recently we got this alert:
>>
>> Engine's certification is about to expire at 2023-11-19. Please
>> renew
>> the engine's certification.
>>
>> So I'm trying to run:
>>
>> engine-setup --offline
>>
>> However, it fails with the following error:
>>
>> [ INFO ] Upgrading CA
>> [ INFO ] Renewing engine certificate
>> [ ERROR ] Failed to execute stage 'Misc configuration': Command
>> '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to execute
>>
>> Digging into the logs I can see this:
>>
>> 2023-11-14 08:36:22,848+0000 DEBUG
>> otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ca [1]
>> plugin.execute:926
>> execute-output: ('/usr/share/ovirt-engine/bin/pki-enroll-
>> pkcs12.sh',
>> '--name=engine', '--password=**FILTERED**',
>> '--subject=/C=US/O=stic.ull.es/CN=fqdn.es [2]', '--san=DNS:fqdn.es
>> [3]',
>> '--keep-key') stderr:
>> Ignoring -days; not generating a certificate
>> /etc/pki/ovirt-engine/ca.pem is not on a local filesystem
>> Cannot sign request
>>
>> 2023-11-14 08:36:22,849+0000 DEBUG otopi.context
>> context._executeMethod:145 method exception
>> Traceback (most recent call last):
>> File "/usr/lib/python3.6/site-packages/otopi/context.py", line
>> 132,
>> in _executeMethod
>> method['method']()
>> File
>>
>
"/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py",
>>
>> line 753, in _miscUpgrade
>> self._enrollCertificates(True, uninstall_files)
>> File
>>
>
"/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py",
>>
>> line 360, in _enrollCertificates
>> shortLife=entry['shortLife'],
>> File
>>
>
"/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py",
>>
>> line 250, in _enrollCertificate
>> + (('--days=398',) if shortLife else ())
>> File "/usr/lib/python3.6/site-packages/otopi/plugin.py", line
>> 931,
>> in execute
>> command=args[0],
>> RuntimeError: Command
>> '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to execute
>> 2023-11-14 08:36:22,852+0000 ERROR otopi.context
>> context._executeMethod:154 Failed to execute stage 'Misc
>> configuration':
>> Command '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to
>>
>> execute
>>
>> However, the file exists and is on a local filesystem:
>>
>> # ll /etc/pki/ovirt-engine/ca.pem
>> -rw-r--r--. 1 root root 4516 jun 24 2015
>> /etc/pki/ovirt-engine/ca.pem
>
> This does not prove that it's on a local filesystem - can be on nfs,
> and nfs
> locking is sometimes problematic, so we prevented that. See
> pki-enroll-request.sh.
>
>> Can someone shed some light about why is this failing and how to
>> solve
>> it, please?
>
> What output do you get for:
> df -l /etc/pki/ovirt-engine/ca.pem
> ?
>
> Best regards,--
> Didi
>
>
> Links:
> ------
> [1] http://otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ca
> [2] http://stic.ull.es/CN=fqdn.es
> [3] http://fqdn.es
1:04 p.m.
New subject: /etc/pki/ovirt-engine/ca.pem is not on a local filesystem
Hi,
On Tue, Nov 14, 2023 at 11:31 AM <nicolas(a)devels.es> wrote:
Hi Didi,
Thanks for the reply.
Finally solved it by exporting LANG=C in the shell before running the
command.
Seems that the "pki-enroll-request.sh" does this check:
LOCK="${PKIDIR}/${CA_FILE}".pem
df -l "${LOCK}" 2> /dev/null | grep -q "File" || die
"${LOCK} is not
on a local filesystem"
However, if LANG is a different language than C, the output will vary
and the grep command will return empty.
It's working now. Thanks.
Thanks for the update! You might want to push a patch to enforce the
locale for the `df` command (e.g. 'LC_ALL=C df -l...').
There are a few such places scattered around the code, but nothing
systematic -
and I think we do want, in general, to have localized error messages, so
can't
do this "too-high" in the execution hierarchy.
Best regards,
El 2023-11-14 09:12, Yedidyah Bar David escribió:
> On Tue, Nov 14, 2023 at 10:49 AM <nicolas(a)devels.es> wrote:
>
>> Hi,
>>
>> We're running oVirt 4.5.4, recently we got this alert:
>>
>> Engine's certification is about to expire at 2023-11-19. Please
>> renew
>> the engine's certification.
>>
>> So I'm trying to run:
>>
>> engine-setup --offline
>>
>> However, it fails with the following error:
>>
>> [ INFO ] Upgrading CA
>> [ INFO ] Renewing engine certificate
>> [ ERROR ] Failed to execute stage 'Misc configuration': Command
>> '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to execute
>>
>> Digging into the logs I can see this:
>>
>> 2023-11-14 08:36:22,848+0000 DEBUG
>> otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ca [1]
>> plugin.execute:926
>> execute-output: ('/usr/share/ovirt-engine/bin/pki-enroll-
>> pkcs12.sh',
>> '--name=engine', '--password=**FILTERED**',
>> '--subject=/C=US/O=stic.ull.es/CN=fqdn.es [2]', '--san=DNS:fqdn.es
>> [3]',
>> '--keep-key') stderr:
>> Ignoring -days; not generating a certificate
>> /etc/pki/ovirt-engine/ca.pem is not on a local filesystem
>> Cannot sign request
>>
>> 2023-11-14 08:36:22,849+0000 DEBUG otopi.context
>> context._executeMethod:145 method exception
>> Traceback (most recent call last):
>> File "/usr/lib/python3.6/site-packages/otopi/context.py", line
>> 132,
>> in _executeMethod
>> method['method']()
>> File
>>
>
"/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py",
>>
>> line 753, in _miscUpgrade
>> self._enrollCertificates(True, uninstall_files)
>> File
>>
>
"/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py",
>>
>> line 360, in _enrollCertificates
>> shortLife=entry['shortLife'],
>> File
>>
>
"/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py",
>>
>> line 250, in _enrollCertificate
>> + (('--days=398',) if shortLife else ())
>> File "/usr/lib/python3.6/site-packages/otopi/plugin.py", line
>> 931,
>> in execute
>> command=args[0],
>> RuntimeError: Command
>> '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to execute
>> 2023-11-14 08:36:22,852+0000 ERROR otopi.context
>> context._executeMethod:154 Failed to execute stage 'Misc
>> configuration':
>> Command '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to
>>
>> execute
>>
>> However, the file exists and is on a local filesystem:
>>
>> # ll /etc/pki/ovirt-engine/ca.pem
>> -rw-r--r--. 1 root root 4516 jun 24 2015
>> /etc/pki/ovirt-engine/ca.pem
>
> This does not prove that it's on a local filesystem - can be on nfs,
> and nfs
> locking is sometimes problematic, so we prevented that. See
> pki-enroll-request.sh.
>
>> Can someone shed some light about why is this failing and how to
>> solve
>> it, please?
>
> What output do you get for:
> df -l /etc/pki/ovirt-engine/ca.pem
> ?
>
> Best regards,--
> Didi
>
>
> Links:
> ------
> [1] http://otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ca
> [2] http://stic.ull.es/CN=fqdn.es
> [3] http://fqdn.es
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/YXTXJIEQRN2...
--
Didi
2:29 p.m.
New subject: /etc/pki/ovirt-engine/ca.pem is not on a local filesystem
Hi Didi,
Patch has been submitted at
https://github.com/oVirt/ovirt-engine/pull/891.
Thanks.
El 2023-11-14 10:04, Yedidyah Bar David escribió:
> Hi,
>
> On Tue, Nov 14, 2023 at 11:31 AM <nicolas(a)devels.es> wrote:
>
>> Hi Didi,
>>
>> Thanks for the reply.
>>
>> Finally solved it by exporting LANG=C in the shell before running
>> the
>> command.
>>
>> Seems that the "pki-enroll-request.sh" does this check:
>>
>> LOCK="${PKIDIR}/${CA_FILE}".pem
>> df -l "${LOCK}" 2> /dev/null | grep -q "File" || die
"${LOCK} is
>> not
>> on a local filesystem"
>>
>> However, if LANG is a different language than C, the output will
>> vary
>> and the grep command will return empty.
>>
>> It's working now. Thanks.
>
> Thanks for the update! You might want to push a patch to enforce the
> locale for the `df` command (e.g. 'LC_ALL=C df -l...').
>
> There are a few such places scattered around the code, but nothing
> systematic -
> and I think we do want, in general, to have localized error messages,
> so can't
> do this "too-high" in the execution hierarchy.
>
> Best regards,
>
>> El 2023-11-14 09:12, Yedidyah Bar David escribió:
>>> On Tue, Nov 14, 2023 at 10:49 AM <nicolas(a)devels.es> wrote:
>>>
>>>> Hi,
>>>>
>>>> We're running oVirt 4.5.4, recently we got this alert:
>>>>
>>>> Engine's certification is about to expire at 2023-11-19. Please
>>>> renew
>>>> the engine's certification.
>>>>
>>>> So I'm trying to run:
>>>>
>>>> engine-setup --offline
>>>>
>>>> However, it fails with the following error:
>>>>
>>>> [ INFO ] Upgrading CA
>>>> [ INFO ] Renewing engine certificate
>>>> [ ERROR ] Failed to execute stage 'Misc configuration': Command
>>>> '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to
>> execute
>>>>
>>>> Digging into the logs I can see this:
>>>>
>>>> 2023-11-14 08:36:22,848+0000 DEBUG
>>>> otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ca [1] [1]
>>>> plugin.execute:926
>>>> execute-output: ('/usr/share/ovirt-engine/bin/pki-enroll-
>>>> pkcs12.sh',
>>>> '--name=engine', '--password=**FILTERED**',
>>>> '--subject=/C=US/O=stic.ull.es/CN=fqdn.es [2] [2]',
>> '--san=DNS:fqdn.es [3]
>>>> [3]',
>>>> '--keep-key') stderr:
>>>> Ignoring -days; not generating a certificate
>>>> /etc/pki/ovirt-engine/ca.pem is not on a local filesystem
>>>> Cannot sign request
>>>>
>>>> 2023-11-14 08:36:22,849+0000 DEBUG otopi.context
>>>> context._executeMethod:145 method exception
>>>> Traceback (most recent call last):
>>>> File "/usr/lib/python3.6/site-packages/otopi/context.py", line
>>>> 132,
>>>> in _executeMethod
>>>> method['method']()
>>>> File
>>>>
>>>
>>
>
"/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py",
>>>>
>>>> line 753, in _miscUpgrade
>>>> self._enrollCertificates(True, uninstall_files)
>>>> File
>>>>
>>>
>>
>
"/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py",
>>>>
>>>> line 360, in _enrollCertificates
>>>> shortLife=entry['shortLife'],
>>>> File
>>>>
>>>
>>
>
"/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py",
>>>>
>>>> line 250, in _enrollCertificate
>>>> + (('--days=398',) if shortLife else ())
>>>> File "/usr/lib/python3.6/site-packages/otopi/plugin.py", line
>>>> 931,
>>>> in execute
>>>> command=args[0],
>>>> RuntimeError: Command
>>>> '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to
>> execute
>>>> 2023-11-14 08:36:22,852+0000 ERROR otopi.context
>>>> context._executeMethod:154 Failed to execute stage 'Misc
>>>> configuration':
>>>> Command '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh'
failed
>> to
>>>>
>>>> execute
>>>>
>>>> However, the file exists and is on a local filesystem:
>>>>
>>>> # ll /etc/pki/ovirt-engine/ca.pem
>>>> -rw-r--r--. 1 root root 4516 jun 24 2015
>>>> /etc/pki/ovirt-engine/ca.pem
>>>
>>> This does not prove that it's on a local filesystem - can be on
>> nfs,
>>> and nfs
>>> locking is sometimes problematic, so we prevented that. See
>>> pki-enroll-request.sh.
>>>
>>>> Can someone shed some light about why is this failing and how to
>>>> solve
>>>> it, please?
>>>
>>> What output do you get for:
>>> df -l /etc/pki/ovirt-engine/ca.pem
>>> ?
>>>
>>> Best regards,--
>>> Didi
>>>
>>>
>>> Links:
>>> ------
>>> [1] http://otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ca
>>> [2] http://stic.ull.es/CN=fqdn.es
>>> [3] http://fqdn.es
>> _______________________________________________
>> Users mailing list -- users(a)ovirt.org
>> To unsubscribe send an email to users-leave(a)ovirt.org
>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>> oVirt Code of Conduct:
>> https://www.ovirt.org/community/about/community-guidelines/
>> List Archives:
>>
>
https://lists.ovirt.org/archives/list/users@ovirt.org/message/YXTXJIEQRN2...
>
> --
> Didi
>
>
> Links:
> ------
> [1] http://otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ca
> [2] http://stic.ull.es/CN=fqdn.es
> [3] http://fqdn.es
373
days inactive
373
days old
4 comments
2 participants
participants (2)
-
nicolas@devels.es -
Yedidyah Bar David