Failed to read or parse '/etc/pki/ovirt-engine/keys/engine.p12'

Hi,

I was trying to restore an oVirt Engine Backup into a new Hosted Engine appliance (as part of an upgrade), but this failed with the following error:

    --== PKI CONFIGURATION ==--
    [WARNING] Failed to read or parse '/etc/pki/ovirt-engine/keys/engine.p12'
    Perhaps it was changed since last Setup.
    Error was:
    Error outputting keys and certificates
    80EBCC44677F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0)

It looks like this is related to openssl requiring legacy mode to use the old Engine cert/key. Is there any way to work around this? Or would it be possible to repackage the existing PKCS#12 file with new encryption (on the old Engine)?

Regards
- Frank

Hi,

what are 'source' and 'target' ovirt engine versions?

Indeed, updating the key & certificate on the old engine seems like a good way forward.
It seems that
https://myhomelab.gr/linux/2020/01/20/replacing_ovirt_ssl.html
and/or
https://rhv.bradmin.org/ovirt-engine/docs/Upgrade_Guide/Replacing_SHA-1_Cert...
will solve it for you.

BR,
Konstantin

On 2023-05-12 15:34 Volenbovskyi, Konstantin wrote:
> what are 'source' and 'target' ovirt engine versions?

I was attempting to perform a direct upgrade from 4.3.x to 4.5.4 (nightly). It was said to work properly and I've done this before already, so I wasn't expecting trouble. :)

> Indeed, updating the key & certificate on the old engine seems like a good way forward.
> It seems that
> https://myhomelab.gr/linux/2020/01/20/replacing_ovirt_ssl.html
> and/or
> https://rhv.bradmin.org/ovirt-engine/docs/Upgrade_Guide/Replacing_SHA-1_Cert...
> will solve it for you.

Neat, I've bookmarked these guides. Very useful, thanks!

However, I found another way to make it work using the following steps:

- downgraded ovirt-engine-appliance-4.5 from version 20230501063412.1.el9 (nightly) to 20221206125848.1.el9 (release)
- answered "YES" to the setup question "Renew engine PKI on restore if needed"

Due to time constraints I could not verify which of these steps did the trick, but the upgrade was successful.

Side note: I also had to downgrade ansible-core to 2.14.1, because version 2.14.2 led to trouble in the early stages of the `hosted-engine --deploy` setup process (a Python error: cannot import name 'Callable' from 'collections').

Regards
- Frank

I remember having this issue trying to replace my dead centos8 hosted engine onto a new physical host running centos9 stream. The issue was that rc2 is not supported in el9, no matter what. I used openssl to convert all p12 in /etc/pki/ovirt-engine/keys to use aes instead.
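
The conversion described in the last message, sketched as an added example (not the poster's commands and not oVirt's own tooling). It assumes OpenSSL 3.x with the legacy provider available and the keystore password exported as P12_PASS; the function names and the .rc2.bak backup suffix are made up for illustration.

```shell
#!/bin/sh
# Added example: re-encrypt legacy (RC2-40-CBC) PKCS#12 keystores with AES-256.
# Assumptions: OpenSSL 3.x with the legacy provider installed; the keystore
# password is exported as P12_PASS. Function names are illustrative.

# Succeeds if FILE can be read with OpenSSL's default providers alone.
# Also fails on a wrong password or a corrupt file, not only on RC2.
p12_is_modern() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -noout >/dev/null 2>&1
}

# p12_to_aes SRC DST [FRIENDLY_NAME]
# Decrypts SRC through the legacy provider, then writes DST with AES-256-CBC
# (PBES2) for key and certificate bags and a SHA-256 MAC.
p12_to_aes() {
    src=$1 dst=$2 name=${3:-}
    pem=$(mktemp) || return 1        # mode 0600; briefly holds the private key
    rc=1
    # The friendlyName (alias) is not read back from the PEM dump; pass it
    # again as FRIENDLY_NAME if a consumer looks the entry up by alias.
    openssl pkcs12 -legacy -in "$src" -passin env:P12_PASS -nodes -out "$pem" &&
    openssl pkcs12 -export -in "$pem" -out "$dst" -passout env:P12_PASS \
        ${name:+-name "$name"} \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg SHA256 && rc=0
    rm -f "$pem"
    return $rc
}

# p12_convert_dir DIR
# Converts every *.p12 in DIR that the default providers cannot read. The
# original is kept as FILE.rc2.bak and the new content is written into the
# existing file, so its owner and mode stay as they were.
# Prints the path of each converted file.
p12_convert_dir() {
    for f in "$1"/*.p12; do
        [ -f "$f" ] || continue
        p12_is_modern "$f" && continue
        p12_to_aes "$f" "$f.new" || {
            echo "failed: $f" >&2; rm -f "$f.new"; continue; }
        cp -p "$f" "$f.rc2.bak" && cat "$f.new" > "$f" &&
            rm -f "$f.new" && echo "$f"
    done
}
```

Run it against a copy of the keys directory first and inspect each result with `openssl pkcs12 -info -noout` before replacing anything on the engine.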
participants (3)
- tineidae
- Frank Wall
- Volenbovskyi, Konstantin