/etc/pki/ovirt-engine/ca.pem is not on a local filesystem

Hi,

We're running oVirt 4.5.4, recently we got this alert:

    Engine's certification is about to expire at 2023-11-19. Please renew the engine's certification.

So I'm trying to run:

    engine-setup --offline

However, it fails with the following error:

    [ INFO ] Upgrading CA
    [ INFO ] Renewing engine certificate
    [ ERROR ] Failed to execute stage 'Misc configuration': Command '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to execute

Digging into the logs I can see this:

    2023-11-14 08:36:22,848+0000 DEBUG otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ca plugin.execute:926 execute-output: ('/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh', '--name=engine', '--password=**FILTERED**', '--subject=/C=US/O=stic.ull.es/CN=fqdn.es', '--san=DNS:fqdn.es', '--keep-key') stderr:
    Ignoring -days; not generating a certificate
    /etc/pki/ovirt-engine/ca.pem is not on a local filesystem
    Cannot sign request

    2023-11-14 08:36:22,849+0000 DEBUG otopi.context context._executeMethod:145 method exception
    Traceback (most recent call last):
      File "/usr/lib/python3.6/site-packages/otopi/context.py", line 132, in _executeMethod
        method['method']()
      File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py", line 753, in _miscUpgrade
        self._enrollCertificates(True, uninstall_files)
      File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py", line 360, in _enrollCertificates
        shortLife=entry['shortLife'],
      File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py", line 250, in _enrollCertificate
        + (('--days=398',) if shortLife else ())
      File "/usr/lib/python3.6/site-packages/otopi/plugin.py", line 931, in execute
        command=args[0],
    RuntimeError: Command '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to execute
    2023-11-14 08:36:22,852+0000 ERROR otopi.context context._executeMethod:154 Failed to execute stage 'Misc configuration': Command '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to execute

However, the file exists and is on a local filesystem:

    # ll /etc/pki/ovirt-engine/ca.pem
    -rw-r--r--. 1 root root 4516 jun 24 2015 /etc/pki/ovirt-engine/ca.pem

Can someone shed some light about why is this failing and how to solve it, please?

Thanks.

On Tue, Nov 14, 2023 at 10:49 AM <nicolas@devels.es> wrote:
> However, the file exists and is on a local filesystem:
>
>     # ll /etc/pki/ovirt-engine/ca.pem
>     -rw-r--r--. 1 root root 4516 jun 24 2015 /etc/pki/ovirt-engine/ca.pem

This does not prove that it's on a local filesystem - can be on nfs, and nfs locking is sometimes problematic, so we prevented that. See pki-enroll-request.sh.

> Can someone shed some light about why is this failing and how to solve it, please?

What output do you get for: df -l /etc/pki/ovirt-engine/ca.pem ?

Best regards,
-- Didi

Hi Didi,

Thanks for the reply.

Finally solved it by exporting LANG=C in the shell before running the command.

Seems that the "pki-enroll-request.sh" does this check:

    LOCK="${PKIDIR}/${CA_FILE}".pem
    df -l "${LOCK}" 2> /dev/null | grep -q "File" || die "${LOCK} is not on a local filesystem"

However, if LANG is a different language than C, the output will vary and the grep command will return empty.

It's working now. Thanks.

Hi,

On Tue, Nov 14, 2023 at 11:31 AM <nicolas@devels.es> wrote:
> Hi Didi,
>
> Thanks for the reply.
>
> Finally solved it by exporting LANG=C in the shell before running the command.
>
> Seems that the "pki-enroll-request.sh" does this check:
>
>     LOCK="${PKIDIR}/${CA_FILE}".pem
>     df -l "${LOCK}" 2> /dev/null | grep -q "File" || die "${LOCK} is not on a local filesystem"
>
> However, if LANG is a different language than C, the output will vary and the grep command will return empty.
>
> It's working now. Thanks.

Thanks for the update! You might want to push a patch to enforce the locale for the `df` command (e.g. 'LC_ALL=C df -l...').

There are a few such places scattered around the code, but nothing systematic - and I think we do want, in general, to have localized error messages, so can't do this "too-high" in the execution hierarchy.

Best regards,
-- Didi
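
The locale dependence discussed in the two messages above, as an added example (not code from oVirt or from either poster). It goes slightly beyond the thread by showing the POSIX precedence that lets LC_ALL or LC_MESSAGES override an exported LANG=C; the sample df outputs are constructed, and `header_check`, `effective_msg_locale` and `is_local_fs` are hypothetical names.

```shell
#!/bin/sh
# Added example: why grepping df's header is locale-dependent, and the
# per-command locale pin suggested in the thread.

# Constructed samples (not captured from the reporter's host): df output in the
# C locale and with a translated header, as a non-English locale would print.
DF_C='Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/sda2       51475068 9234120  39603124  19% /'
DF_TRANSLATED='S.ficheros     bloques de 1K  Usados Disponibles Uso% Montado en
/dev/sda2           51475068 9234120    39603124  19% /'

# The match used by the check quoted above, applied to df output on stdin.
header_check() {
    grep -q "File"
}

# Locale that decides message language, per POSIX precedence:
# LC_ALL overrides LC_MESSAGES, which overrides LANG (empty counts as unset).
effective_msg_locale() {
    if [ -n "${LC_ALL:-}" ]; then
        printf '%s\n' "$LC_ALL"
    elif [ -n "${LC_MESSAGES:-}" ]; then
        printf '%s\n' "$LC_MESSAGES"
    else
        printf '%s\n' "${LANG:-C}"
    fi
}

# Hardened form: pin the locale for the df call only, so the header is always
# the untranslated "Filesystem ..." line while the caller's own messages stay
# localized. is_local_fs is a hypothetical helper name.
is_local_fs() {
    LC_ALL=C df -l "$1" 2>/dev/null | grep -q "^Filesystem"
}

if printf '%s\n' "$DF_TRANSLATED" | header_check; then
    echo "translated header: check passes"
else
    echo "translated header: check fails even though the filesystem is local"
fi
```

Because the pin sits on the `df` invocation itself, it holds regardless of what LANG, LC_MESSAGES or LC_ALL the administrator's shell exports.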

Hi Didi,

Patch has been submitted at https://github.com/oVirt/ovirt-engine/pull/891.

Thanks.
Participants (2):
- nicolas@devels.es
- Yedidyah Bar David