To continue the troubleshooting, I believe there is mutual SSL between ovirt-engine and host so I think what I am missing is to put this new cert for ovirt-engine to use it as client cert auth. But where to put it? I noticed that generating the cert does not put it in /etc/pki/ovirt-engine/certs altho I am not sure if that is significant or not. I tried to manually replace the cert there named hostname.cer but it doesn't do anything. Where do host certs need to be stored on the ovirt-engine side? I also updated the libvirt-migrate cert which has it's own key and different CA but that didn't make a difference. Best regards On 10/03/2023 05:13, cen wrote: > Hi > > Our VDSM certs have expired, both hosts are unassigned and can't be > put into maintenance from UI. > > vdsm-client is not working, times out even with --insecure flag. Does > host and port need to be specified when run locally or should defaults > work? > > > Error in console events is: Get Host Capabilities Failed: PKIX path > validation failed... > > > I followed a RHV guide for this exact situation and generated new vdsm > certificate using the ovirt-engine CA. > > The new cert seems identical to the old one, everything matches > (algos, extensions, CA, CN, SAN etc) just new date. > > > After restarting libvirtd and vdsmd on the host with new cert in place > the host is still not reachable. > > However, error message is now slightly different: > > get Host Capabilities failed: Received fatal error: certificate_expired > > > Cert was replaced in the following locations: > > /etc/pki/vdsm/certs/vdsmcert.pem > > /etc/pki/vdsm/libvirt-spice/server-cert.pem > > /etc/pki/libvirt/clientcert.pem > > > Is there another location missing? What else can I try? > > > All help appreciated in advance >

Yes, that is the exact guide I followed. I can now actually use vdsm-client on each host after cert swap but ovirt-engine still can't establish connection. I had to manually generate the apache certs to get into the UI console at the beginning and that was successful. Is there a specific cert that ovirt-engine uses for mTLS handshahe? On 10/03/2023 07:54, Patrick Chiang wrote:

I did not but I finally found the issue, what a ride this was.. After updating keys/engine.p12 hosts finally showed up. While there are probably more certs outdated and some parts not working now I can finally do regular enrollments. I was right all along, the auth cert was causing the problem, I just had to find it. Unfortunately zero docs on engine.p12 so it was all deduction and luck in the end. On 10/03/2023 11:41, Patrick Chiang wrote: