Failed to synchronize networks of Provider ovirt-provider-ovn

Hi, After upgrading to 4.2.1 I have problems with ovn provider. I'm getting "Failed to synchronize networks of Provider ovirt-provider-ovn." I use custom SSL certificate in apache and I guess this is the reason. I've tried to update ovirt-provider-ovn.conf with [OVIRT] #ovirt-ca-file=/etc/pki/ovirt-engine/ca.pem ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem but still no go Any tips on this? thanks G

On Fri, 16 Mar 2018 12:46:13 +0200 Kapetanakis Giannis <bilias@edu.physics.uoc.gr> wrote:
Hi,
After upgrading to 4.2.1 I have problems with ovn provider. I'm getting "Failed to synchronize networks of Provider ovirt-provider-ovn."
I use custom SSL certificate in apache and I guess this is the reason.
I've tried to update ovirt-provider-ovn.conf with [OVIRT] #ovirt-ca-file=/etc/pki/ovirt-engine/ca.pem ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
but still no go
Any tips on this?
thanks
G _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Would you share the lines in engine.log produced by clicking the "Test" button in the "Edit Provider" dialog? On Clicking the test button, are you asked about "Import provider certificate"?

On 16/03/18 15:21, Dominik Holler wrote:
On Fri, 16 Mar 2018 12:46:13 +0200 Kapetanakis Giannis <bilias@edu.physics.uoc.gr> wrote:
Hi,
After upgrading to 4.2.1 I have problems with ovn provider. I'm getting "Failed to synchronize networks of Provider ovirt-provider-ovn."
I use custom SSL certificate in apache and I guess this is the reason.
I've tried to update ovirt-provider-ovn.conf with [OVIRT] #ovirt-ca-file=/etc/pki/ovirt-engine/ca.pem ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
but still no go
Would you share the lines in engine.log produced by clicking the "Test" button in the "Edit Provider" dialog? On Clicking the test button, are you asked about "Import provider certificate"?
I get ok in test: Test succeeded, managed to access provider. 2018-03-16 17:35:20,024+02 INFO [org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand] (default task-28) [9920f622-b878-45e1-a421-e76c0ab23470] Running command: TestProviderConnectivityCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group CREATE_STORAGE_POOL with role type ADMIN However a little bit later: ovirt-provider-ovn.log: 2018-03-16 17:37:27,827 requests.packages.urllib3.connectionpool Starting new HTTPS connection (1): engine-host 2018-03-16 17:37:27,827 requests.packages.urllib3.connectionpool Starting new HTTPS connection (1): engine-host 2018-03-16 17:37:27,832 root [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579) Traceback (most recent call last): File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 131, in _handle_request method, path_parts, content) File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175, in handle_request return self.call_response_handler(handler, content, parameters) File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in call_response_handler return response_handler(content, parameters) File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py", line 62, in post_tokens user_password=user_password) File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 26, in create_token return auth.core.plugin.create_token(user_at_domain, user_password) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/plugin.py", line 48, in create_token timeout=self._timeout()) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75, in create_token username, password, engine_url, ca_file, timeout) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91, in _get_sso_token timeout=timeout File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54, in wrapper response = func(*args, **kwargs) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47, in wrapper raise BadGateway(e) BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579) and in engine log: 2018-03-16 17:37:27,834+02 ERROR [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-27) [621c2b23] Command 'org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand' failed: EngineException: (Failed with error PROVIDER_FAILURE and code 5050) 2018-03-16 17:37:27,850+02 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (EE-ManagedThreadFactory-engineScheduled-Thread-27) [621c2b23] EVENT_ID: PROVIDER_SYNCHRONIZED_FAILED(216), Failed to synchronize networks of Provider ovirt-provider-ovn. So the engine can talk with ovn but not the other way around as I understand. I think it might have to do with [SSL] settings of ovirt-provider-ovn.conf G

On 16/03/18 17:40, Kapetanakis Giannis wrote:
On 16/03/18 15:21, Dominik Holler wrote:
On Fri, 16 Mar 2018 12:46:13 +0200 Kapetanakis Giannis <bilias@edu.physics.uoc.gr> wrote:
Hi,
After upgrading to 4.2.1 I have problems with ovn provider. I'm getting "Failed to synchronize networks of Provider ovirt-provider-ovn."
I use custom SSL certificate in apache and I guess this is the reason.
I've tried to update ovirt-provider-ovn.conf with [OVIRT] #ovirt-ca-file=/etc/pki/ovirt-engine/ca.pem ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
but still no go
Would you share the lines in engine.log produced by clicking the "Test" button in the "Edit Provider" dialog? On Clicking the test button, are you asked about "Import provider certificate"?
SORRY wrong provider. It asks for the cert. Failed to communicate with the external provider, see log for additional details. 2018-03-16 17:44:08,262+02 INFO [org.ovirt.engine.core.bll.provider.ImportProviderCertificateCommand] (default task-52) [4731d25d-fce3-4408-99ea-8f9d1b5ee5b6] Running command: ImportProviderCertificateCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group CREATE_STORAGE_POOL with role type ADMIN 2018-03-16 17:44:08,275+02 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-52) [4731d25d-fce3-4408-99ea-8f9d1b5ee5b6] EVENT_ID: PROVIDER_CERTIFICATE_IMPORTED(213), Certificate for provider ovirt-provider-ovn was imported. (User: admin@internal) 2018-03-16 17:44:08,302+02 INFO [org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand] (default task-44) [f4b2c57b-60c7-4ef9-a59f-0c5b22fa0356] Running command: TestProviderConnectivityCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group CREATE_STORAGE_POOL with role type ADMIN 2018-03-16 17:44:08,360+02 ERROR [org.ovirt.engine.core.bll.provider.network.openstack.BaseNetworkProviderProxy] (default task-44) [f4b2c57b-60c7-4ef9-a59f-0c5b22fa0356] Bad Gateway (OpenStack response error code: 502) 2018-03-16 17:44:08,360+02 ERROR [org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand] (default task-44) [f4b2c57b-60c7-4ef9-a59f-0c5b22fa0356] Command 'org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand' failed: EngineException: (Failed with error PROVIDER_FAILURE and code 5050) and in provider log: 2018-03-16 17:45:33,961 requests.packages.urllib3.connectionpool Starting new HTTPS connection (1): engine-host 2018-03-16 17:45:33,961 requests.packages.urllib3.connectionpool Starting new HTTPS connection (1): engine-host 2018-03-16 17:45:33,966 root [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579) Traceback (most recent call last): File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 131, in _handle_request method, path_parts, content) File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175, in handle_request return self.call_response_handler(handler, content, parameters) File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in call_response_handler return response_handler(content, parameters) File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py", line 62, in post_tokens user_password=user_password) File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 26, in create_token return auth.core.plugin.create_token(user_at_domain, user_password) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/plugin.py", line 48, in create_token timeout=self._timeout()) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75, in create_token username, password, engine_url, ca_file, timeout) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91, in _get_sso_token timeout=timeout File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54, in wrapper response = func(*args, **kwargs) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47, in wrapper raise BadGateway(e) BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

On Fri, 16 Mar 2018 17:46:36 +0200 Kapetanakis Giannis <bilias@edu.physics.uoc.gr> wrote:
On 16/03/18 17:40, Kapetanakis Giannis wrote:
On 16/03/18 15:21, Dominik Holler wrote:
On Fri, 16 Mar 2018 12:46:13 +0200 Kapetanakis Giannis <bilias@edu.physics.uoc.gr> wrote:
Hi,
After upgrading to 4.2.1 I have problems with ovn provider. I'm getting "Failed to synchronize networks of Provider ovirt-provider-ovn."
I use custom SSL certificate in apache and I guess this is the reason.
I've tried to update ovirt-provider-ovn.conf with [OVIRT] #ovirt-ca-file=/etc/pki/ovirt-engine/ca.pem ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
but still no go
Would you share the lines in engine.log produced by clicking the "Test" button in the "Edit Provider" dialog? On Clicking the test button, are you asked about "Import provider certificate"?
SORRY wrong provider.
It asks for the cert. Failed to communicate with the external provider, see log for additional details.
2018-03-16 17:44:08,262+02 INFO [org.ovirt.engine.core.bll.provider.ImportProviderCertificateCommand] (default task-52) [4731d25d-fce3-4408-99ea-8f9d1b5ee5b6] Running command: ImportProviderCertificateCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group CREATE_STORAGE_POOL with role type ADMIN 2018-03-16 17:44:08,275+02 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-52) [4731d25d-fce3-4408-99ea-8f9d1b5ee5b6] EVENT_ID: PROVIDER_CERTIFICATE_IMPORTED(213), Certificate for provider ovirt-provider-ovn was imported. (User: admin@internal) 2018-03-16 17:44:08,302+02 INFO [org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand] (default task-44) [f4b2c57b-60c7-4ef9-a59f-0c5b22fa0356] Running command: TestProviderConnectivityCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group CREATE_STORAGE_POOL with role type ADMIN 2018-03-16 17:44:08,360+02 ERROR [org.ovirt.engine.core.bll.provider.network.openstack.BaseNetworkProviderProxy] (default task-44) [f4b2c57b-60c7-4ef9-a59f-0c5b22fa0356] Bad Gateway (OpenStack response error code: 502) 2018-03-16 17:44:08,360+02 ERROR [org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand] (default task-44) [f4b2c57b-60c7-4ef9-a59f-0c5b22fa0356] Command 'org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand' failed: EngineException: (Failed with error PROVIDER_FAILURE and code 5050)
and in provider log:
2018-03-16 17:45:33,961 requests.packages.urllib3.connectionpool Starting new HTTPS connection (1): engine-host 2018-03-16 17:45:33,961 requests.packages.urllib3.connectionpool Starting new HTTPS connection (1): engine-host 2018-03-16 17:45:33,966 root [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579) Traceback (most recent call last): File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 131, in _handle_request method, path_parts, content) File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175, in handle_request return self.call_response_handler(handler, content, parameters) File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in call_response_handler return response_handler(content, parameters) File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py", line 62, in post_tokens user_password=user_password) File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 26, in create_token return auth.core.plugin.create_token(user_at_domain, user_password) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/plugin.py", line 48, in create_token timeout=self._timeout()) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75, in create_token username, password, engine_url, ca_file, timeout) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91, in _get_sso_token timeout=timeout File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54, in wrapper response = func(*args, **kwargs) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47, in wrapper raise BadGateway(e) BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
Thanks. Yes, the ovirt-provider-ovn refuses to connect to ovirt-engine for authentication because ovirt-provider-ovn does not trust the ssl-certificate and propagates this as the BadGateway error. Please not that engine-setup creates the file /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf which overwrites the default values from /etc/ovirt-provider-ovn/ovirt-provider-ovn.conf If you want to check if the referenced /etc/pki/ovirt-engine/apache-ca.pem is correct, you can use the following python snippet: import requests response = requests.get('https://ENGINE_FQDN/', verify='/etc/pki/ovirt-engine/apache-ca.pem') assert response.status_code == 200 Does this help to solve the issue?

On 16/03/18 18:40, Dominik Holler wrote:
Thanks. Yes, the ovirt-provider-ovn refuses to connect to ovirt-engine for authentication because ovirt-provider-ovn does not trust the ssl-certificate and propagates this as the BadGateway error.
Please not that engine-setup creates the file /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf which overwrites the default values from /etc/ovirt-provider-ovn/ovirt-provider-ovn.conf
Thanks, I didn't notice the conf.d dir. Changing ovirt-ca-file there fixed it regards, G

On 17/03/18 01:20, Kapetanakis Giannis wrote:
On 16/03/18 18:40, Dominik Holler wrote:
Thanks. Yes, the ovirt-provider-ovn refuses to connect to ovirt-engine for authentication because ovirt-provider-ovn does not trust the ssl-certificate and propagates this as the BadGateway error.
Please not that engine-setup creates the file /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf which overwrites the default values from /etc/ovirt-provider-ovn/ovirt-provider-ovn.conf
Thanks,
I didn't notice the conf.d dir. Changing ovirt-ca-file there fixed it
regards,
G
In advance, it would make sense to change the default to /etc/pki/ovirt-engine/apache-ca.pem since by default it's a symlink to ca.pem (which is now the default) So default/custom cert would all work G

I have a same issue with OVN provider and SSL, but certificate changes not helps to resolve it. I use following https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/htm... to replace my cert, and after reboot get this error. ovirt-ca-file= is a same SSL file which use WebUI. I restart ovirt-provider-ovn, i restart engine, i restart everything what i can restart. Nothing helps... Logs below. [root@engine ~]# tail -n 50 /var/log/ovirt-provider-ovn.log 2018-09-12 14:10:23,828 root [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579) Traceback (most recent call last): File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 133, in _handle_request method, path_parts, content File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175, in handle_request return self.call_response_handler(handler, content, parameters) File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in call_response_handler return response_handler(content, parameters) File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py", line 62, in post_tokens user_password=user_password) File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 26, in create_token return auth.core.plugin.create_token(user_at_domain, user_password) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/plugin.py", line 48, in create_token timeout=self._timeout()) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75, in create_token username, password, engine_url, ca_file, timeout) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91, in _get_sso_token timeout=timeout File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54, in wrapper response = func(*args, **kwargs) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47, in wrapper raise BadGateway(e) BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579) [root@engine ~]# tail -n 20 /var/log/ovirt-engine/engine.log 2018-09-12 14:10:23,773+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685] Lock Acquired to object 'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]', sharedLocks=''}' 2018-09-12 14:10:23,778+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685] Running command: SyncNetworkProviderCommand internal: true. 2018-09-12 14:10:23,836+03 ERROR [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685] Command 'org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand' failed: EngineException: (Failed with error Bad Gateway and code 5050) 2018-09-12 14:10:23,837+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685] Lock freed to object 'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]', sharedLocks=''}' 2018-09-12 14:14:12,477+03 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-6) [] User admin@internal successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access 2018-09-12 14:14:12,587+03 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-6) [1bf1b763] Running command: CreateUserSessionCommand internal: false. 2018-09-12 14:14:12,628+03 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-6) [1bf1b763] EVENT_ID: USER_VDC_LOGIN(30), User admin@internal-authz connecting from '10.0.3.61' using session 's8jAm7BUJGlicthm6yZBA3CUM8QpRdtwFaK3M/IppfhB3fHFB9gmNf0cAlbl1xIhcJ2WX+ww7e71Ri+MxJSsIg==' logged in. 2018-09-12 14:14:30,972+03 INFO [org.ovirt.engine.core.bll.provider.ImportProviderCertificateCommand] (default task-6) [ee3cc8a7-4485-4fdf-a0c2-e9d67b5cfcd3] Running command: ImportProviderCertificateCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group CREATE_STORAGE_POOL with role type ADMIN 2018-09-12 14:14:30,982+03 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-6) [ee3cc8a7-4485-4fdf-a0c2-e9d67b5cfcd3] EVENT_ID: PROVIDER_CERTIFICATE_IMPORTED(213), Certificate for provider ovirt-provider-ovn was imported. (User: admin@internal-authz) 2018-09-12 14:14:31,006+03 INFO [org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand] (default task-6) [a48d94ab-b0b2-42a2-a667-0525b4c652ea] Running command: TestProviderConnectivityCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group CREATE_STORAGE_POOL with role type ADMIN 2018-09-12 14:14:31,058+03 ERROR [org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand] (default task-6) [a48d94ab-b0b2-42a2-a667-0525b4c652ea] Command 'org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand' failed: EngineException: (Failed with error Bad Gateway and code 5050) 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'default' is using 0 threads out of 1, 5 threads waiting for tasks. 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'engine' is using 0 threads out of 500, 16 threads waiting for tasks and 0 tasks in queue. 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'engineScheduled' is using 0 threads out of 100, 100 threads waiting for tasks. 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'engineThreadMonitoring' is using 1 threads out of 1, 0 threads waiting for tasks. 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'hostUpdatesChecker' is using 0 threads out of 5, 2 threads waiting for tasks. 2018-09-12 14:15:23,843+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f] Lock Acquired to object 'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]', sharedLocks=''}' 2018-09-12 14:15:23,849+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f] Running command: SyncNetworkProviderCommand internal: true. 2018-09-12 14:15:23,900+03 ERROR [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f] Command 'org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand' failed: EngineException: (Failed with error Bad Gateway and code 5050) 2018-09-12 14:15:23,901+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f] Lock freed to object 'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]', sharedLocks=''}' [root@engine ~]# cat /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf # This file is automatically generated by engine-setup. Please do not edit manually [OVN REMOTE] ovn-remote=ssl:127.0.0.1:6641 [SSL] https-enabled=true ssl-cacert-file=/etc/pki/ovirt-engine/ca.pem ssl-cert-file=/etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer ssl-key-file=/etc/pki/ovirt-engine/keys/ovirt-provider-ovn.key.nopass [OVIRT] ovirt-sso-client-secret=Ms7Gw9qNT6IkXu7oA54tDmxaZDIukABV ovirt-host=https://engine.set.local:443 ovirt-sso-client-id=ovirt-provider-ovn ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem [PROVIDER] provider-host=engine.set.local

On Wed, 12 Sep 2018 14:42:15 -0000 mail@set-pro.net wrote:
I have a same issue with OVN provider and SSL, but certificate changes not helps to resolve it. I use following https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/htm... to replace my cert, and after reboot get this error. ovirt-ca-file= is a same SSL file which use WebUI. I restart ovirt-provider-ovn, i restart engine, i restart everything what i can restart. Nothing helps...
Logs below.
[root@engine ~]# tail -n 50 /var/log/ovirt-provider-ovn.log 2018-09-12 14:10:23,828 root [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579) Traceback (most recent call last): File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 133, in _handle_request method, path_parts, content File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175, in handle_request return self.call_response_handler(handler, content, parameters) File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in call_response_handler return response_handler(content, parameters) File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py", line 62, in post_tokens user_password=user_password) File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 26, in create_token return auth.core.plugin.create_token(user_at_domain, user_password) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/plugin.py", line 48, in create_token timeout=self._timeout()) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75, in create_token username, password, engine_url, ca_file, timeout) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91, in _get_sso_token timeout=timeout File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54, in wrapper response = func(*args, **kwargs) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47, in wrapper raise BadGateway(e) BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
[root@engine ~]# tail -n 20 /var/log/ovirt-engine/engine.log 2018-09-12 14:10:23,773+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685] Lock Acquired to object 'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]', sharedLocks=''}' 2018-09-12 14:10:23,778+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685] Running command: SyncNetworkProviderCommand internal: true. 2018-09-12 14:10:23,836+03 ERROR [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685] Command 'org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand' failed: EngineException: (Failed with error Bad Gateway and code 5050) 2018-09-12 14:10:23,837+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685] Lock freed to object 'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]', sharedLocks=''}' 2018-09-12 14:14:12,477+03 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-6) [] User admin@internal successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access 2018-09-12 14:14:12,587+03 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-6) [1bf1b763] Running command: CreateUserSessionCommand internal: false. 2018-09-12 14:14:12,628+03 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-6) [1bf1b763] EVENT_ID: USER_VDC_LOGIN(30), User admin@internal-authz connecting from '10.0.3.61' using session 's8jAm7BUJGlicthm6yZBA3CUM8QpRdtwFaK3M/IppfhB3fHFB9gmNf0cAlbl1xIhcJ2WX+ww7e71Ri+MxJSsIg==' logged in. 2018-09-12 14:14:30,972+03 INFO [org.ovirt.engine.core.bll.provider.ImportProviderCertificateCommand] (default task-6) [ee3cc8a7-4485-4fdf-a0c2-e9d67b5cfcd3] Running command: ImportProviderCertificateCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group CREATE_STORAGE_POOL with role type ADMIN 2018-09-12 14:14:30,982+03 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-6) [ee3cc8a7-4485-4fdf-a0c2-e9d67b5cfcd3] EVENT_ID: PROVIDER_CERTIFICATE_IMPORTED(213), Certificate for provider ovirt-provider-ovn was imported. (User: admin@internal-authz) 2018-09-12 14:14:31,006+03 INFO [org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand] (default task-6) [a48d94ab-b0b2-42a2-a667-0525b4c652ea] Running command: TestProviderConnectivityCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group CREATE_STORAGE_POOL with role type ADMIN 2018-09-12 14:14:31,058+03 ERROR [org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand] (default task-6) [a48d94ab-b0b2-42a2-a667-0525b4c652ea] Command 'org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand' failed: EngineException: (Failed with error Bad Gateway and code 5050) 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'default' is using 0 threads out of 1, 5 threads waiting for tasks. 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'engine' is using 0 threads out of 500, 16 threads waiting for tasks and 0 tasks in queue. 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'engineScheduled' is using 0 threads out of 100, 100 threads waiting for tasks. 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'engineThreadMonitoring' is using 1 threads out of 1, 0 threads waiting for tasks. 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'hostUpdatesChecker' is using 0 threads out of 5, 2 threads waiting for tasks. 2018-09-12 14:15:23,843+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f] Lock Acquired to object 'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]', sharedLocks=''}' 2018-09-12 14:15:23,849+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f] Running command: SyncNetworkProviderCommand internal: true. 2018-09-12 14:15:23,900+03 ERROR [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f] Command 'org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand' failed: EngineException: (Failed with error Bad Gateway and code 5050) 2018-09-12 14:15:23,901+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f] Lock freed to object 'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]', sharedLocks=''}'
[root@engine ~]# cat /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf # This file is automatically generated by engine-setup. Please do not edit manually [OVN REMOTE] ovn-remote=ssl:127.0.0.1:6641 [SSL] https-enabled=true ssl-cacert-file=/etc/pki/ovirt-engine/ca.pem ssl-cert-file=/etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer ssl-key-file=/etc/pki/ovirt-engine/keys/ovirt-provider-ovn.key.nopass [OVIRT] ovirt-sso-client-secret=Ms7Gw9qNT6IkXu7oA54tDmxaZDIukABV ovirt-host=https://engine.set.local:443 ovirt-sso-client-id=ovirt-provider-ovn ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem [PROVIDER] provider-host=engine.set.local
The config looks good. You can check if the webserver is using the cert the ovirt-provider-ovn is expecting by comparing the output of openssl s_client -connect engine.set.local:443 -servername ssotest \ -showcerts | openssl x509 -text -noout and cat /etc/pki/ovirt-engine/apache-ca.pem | openssl x509 -text -noout From a technical point of view, the provider uses the requests library, so that you can easily check if the provider would like a cert on command line by: python -c "import requests; \ print requests.get('https://engine.set.local', \ verify='/etc/pki/ovirt-engine/apache-ca.pem')"

I found what happens with OVN. The wrong contents of a /etc/pki/ovirt-engine/apache-ca.pem I update it with my root-CA cert file and get a success test: "Test succeeded, managed to access provider." Thank's to all reply!

Hello, I have a simmilar issue with ovirt-provider-ovn. But in my config I see: ovirt-sso-client-secret=to_be_set Where do I find / how do I generate this token? Thanks, Robert O'Kane On 09/12/2018 04:42 PM, mail@set-pro.net wrote:
I have a same issue with OVN provider and SSL, but certificate changes not helps to resolve it. I use following https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/htm... to replace my cert, and after reboot get this error. ovirt-ca-file= is a same SSL file which use WebUI. I restart ovirt-provider-ovn, i restart engine, i restart everything what i can restart. Nothing helps...
Logs below.
[root@engine ~]# tail -n 50 /var/log/ovirt-provider-ovn.log 2018-09-12 14:10:23,828 root [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579) Traceback (most recent call last): File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 133, in _handle_request method, path_parts, content File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175, in handle_request return self.call_response_handler(handler, content, parameters) File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in call_response_handler return response_handler(content, parameters) File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py", line 62, in post_tokens user_password=user_password) File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 26, in create_token return auth.core.plugin.create_token(user_at_domain, user_password) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/plugin.py", line 48, in create_token timeout=self._timeout()) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75, in create_token username, password, engine_url, ca_file, timeout) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91, in _get_sso_token timeout=timeout File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54, in wrapper response = func(*args, **kwargs) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47, in wrapper raise BadGateway(e) BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
[root@engine ~]# tail -n 20 /var/log/ovirt-engine/engine.log 2018-09-12 14:10:23,773+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685] Lock Acquired to object 'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]', sharedLocks=''}' 2018-09-12 14:10:23,778+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685] Running command: SyncNetworkProviderCommand internal: true. 2018-09-12 14:10:23,836+03 ERROR [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685] Command 'org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand' failed: EngineException: (Failed with error Bad Gateway and code 5050) 2018-09-12 14:10:23,837+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685] Lock freed to object 'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]', sharedLocks=''}' 2018-09-12 14:14:12,477+03 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-6) [] User admin@internal successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access 2018-09-12 14:14:12,587+03 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-6) [1bf1b763] Running command: CreateUserSessionCommand internal: false. 2018-09-12 14:14:12,628+03 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-6) [1bf1b763] EVENT_ID: USER_VDC_LOGIN(30), User admin@internal-authz connecting from '10.0.3.61' using session 's8jAm7BUJGlicthm6yZBA3CUM8QpRdtwFaK3M/IppfhB3fHFB9gmNf0cAlbl1xIhcJ2WX+ww7e71Ri+MxJSsIg==' logged in. 2018-09-12 14:14:30,972+03 INFO [org.ovirt.engine.core.bll.provider.ImportProviderCertificateCommand] (default task-6) [ee3cc8a7-4485-4fdf-a0c2-e9d67b5cfcd3] Running command: ImportProviderCertificateCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group CREATE_STORAGE_POOL with role type ADMIN 2018-09-12 14:14:30,982+03 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-6) [ee3cc8a7-4485-4fdf-a0c2-e9d67b5cfcd3] EVENT_ID: PROVIDER_CERTIFICATE_IMPORTED(213), Certificate for provider ovirt-provider-ovn was imported. (User: admin@internal-authz) 2018-09-12 14:14:31,006+03 INFO [org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand] (default task-6) [a48d94ab-b0b2-42a2-a667-0525b4c652ea] Running command: TestProviderConnectivityCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group CREATE_STORAGE_POOL with role type ADMIN 2018-09-12 14:14:31,058+03 ERROR [org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand] (default task-6) [a48d94ab-b0b2-42a2-a667-0525b4c652ea] Command 'org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand' failed: EngineException: (Failed with error Bad Gateway and code 5050) 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'default' is using 0 threads out of 1, 5 threads waiting for tasks. 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'engine' is using 0 threads out of 500, 16 threads waiting for tasks and 0 tasks in queue. 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'engineScheduled' is using 0 threads out of 100, 100 threads waiting for tasks. 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'engineThreadMonitoring' is using 1 threads out of 1, 0 threads waiting for tasks. 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'hostUpdatesChecker' is using 0 threads out of 5, 2 threads waiting for tasks. 2018-09-12 14:15:23,843+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f] Lock Acquired to object 'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]', sharedLocks=''}' 2018-09-12 14:15:23,849+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f] Running command: SyncNetworkProviderCommand internal: true. 2018-09-12 14:15:23,900+03 ERROR [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f] Command 'org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand' failed: EngineException: (Failed with error Bad Gateway and code 5050) 2018-09-12 14:15:23,901+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f] Lock freed to object 'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]', sharedLocks=''}'
[root@engine ~]# cat /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf # This file is automatically generated by engine-setup. Please do not edit manually [OVN REMOTE] ovn-remote=ssl:127.0.0.1:6641 [SSL] https-enabled=true ssl-cacert-file=/etc/pki/ovirt-engine/ca.pem ssl-cert-file=/etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer ssl-key-file=/etc/pki/ovirt-engine/keys/ovirt-provider-ovn.key.nopass [OVIRT] ovirt-sso-client-secret=Ms7Gw9qNT6IkXu7oA54tDmxaZDIukABV ovirt-host=https://engine.set.local:443 ovirt-sso-client-id=ovirt-provider-ovn ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem [PROVIDER] provider-host=engine.set.local _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/Y3IK7XXW2VQQSX...
-- Robert O'Kane Systems Administrator Kunsthochschule für Medien Köln Peter-Welter-Platz 2 50676 Köln fon: +49(221)20189-223 fax: +49(221)20189-49223

On Thu, 13 Sep 2018 11:08:28 +0200 Robert O'Kane <okane@khm.de> wrote:
Hello,
I have a simmilar issue with ovirt-provider-ovn.
But in my config I see:
ovirt-sso-client-secret=to_be_set
Where do I find / how do I generate this token?
Usually engine-setup will generate an appropriate automatically. /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf. If you want to (or have to?) generate manually the client secrete, follow this steps: 1. Run /usr/share/ovirt-engine/bin/ovirt-register-sso-client-tool.sh with Client Id: ovirt-provider-ovn Client CA Certificate File Location: /etc/pki/ovirt-engine/certs/engine.cer Callback Prefix URL: https://<ENGINE_FQDN>:443/ovirt-engine/ 2. Use the SSO_CLIENT_SECRET from the outfile produced by the previous command in /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf 3. Restart ovirt-engine and ovirt-provider-ovn systemctl restart ovirt-engine systemctl restart ovirt-provider-ovn
Thanks,
Robert O'Kane
On 09/12/2018 04:42 PM, mail@set-pro.net wrote:
I have a same issue with OVN provider and SSL, but certificate changes not helps to resolve it. I use following https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/htm... to replace my cert, and after reboot get this error. ovirt-ca-file= is a same SSL file which use WebUI. I restart ovirt-provider-ovn, i restart engine, i restart everything what i can restart. Nothing helps...
Logs below.
[root@engine ~]# tail -n 50 /var/log/ovirt-provider-ovn.log 2018-09-12 14:10:23,828 root [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579) Traceback (most recent call last): File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 133, in _handle_request method, path_parts, content File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175, in handle_request return self.call_response_handler(handler, content, parameters) File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in call_response_handler return response_handler(content, parameters) File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py", line 62, in post_tokens user_password=user_password) File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 26, in create_token return auth.core.plugin.create_token(user_at_domain, user_password) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/plugin.py", line 48, in create_token timeout=self._timeout()) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75, in create_token username, password, engine_url, ca_file, timeout) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91, in _get_sso_token timeout=timeout File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54, in wrapper response = func(*args, **kwargs) File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47, in wrapper raise BadGateway(e) BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
[root@engine ~]# tail -n 20 /var/log/ovirt-engine/engine.log 2018-09-12 14:10:23,773+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685] Lock Acquired to object 'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]', sharedLocks=''}' 2018-09-12 14:10:23,778+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685] Running command: SyncNetworkProviderCommand internal: true. 2018-09-12 14:10:23,836+03 ERROR [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685] Command 'org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand' failed: EngineException: (Failed with error Bad Gateway and code 5050) 2018-09-12 14:10:23,837+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685] Lock freed to object 'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]', sharedLocks=''}' 2018-09-12 14:14:12,477+03 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-6) [] User admin@internal successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access 2018-09-12 14:14:12,587+03 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-6) [1bf1b763] Running command: CreateUserSessionCommand internal: false. 2018-09-12 14:14:12,628+03 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-6) [1bf1b763] EVENT_ID: USER_VDC_LOGIN(30), User admin@internal-authz connecting from '10.0.3.61' using session 's8jAm7BUJGlicthm6yZBA3CUM8QpRdtwFaK3M/IppfhB3fHFB9gmNf0cAlbl1xIhcJ2WX+ww7e71Ri+MxJSsIg==' logged in. 2018-09-12 14:14:30,972+03 INFO [org.ovirt.engine.core.bll.provider.ImportProviderCertificateCommand] (default task-6) [ee3cc8a7-4485-4fdf-a0c2-e9d67b5cfcd3] Running command: ImportProviderCertificateCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group CREATE_STORAGE_POOL with role type ADMIN 2018-09-12 14:14:30,982+03 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-6) [ee3cc8a7-4485-4fdf-a0c2-e9d67b5cfcd3] EVENT_ID: PROVIDER_CERTIFICATE_IMPORTED(213), Certificate for provider ovirt-provider-ovn was imported. (User: admin@internal-authz) 2018-09-12 14:14:31,006+03 INFO [org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand] (default task-6) [a48d94ab-b0b2-42a2-a667-0525b4c652ea] Running command: TestProviderConnectivityCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group CREATE_STORAGE_POOL with role type ADMIN 2018-09-12 14:14:31,058+03 ERROR [org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand] (default task-6) [a48d94ab-b0b2-42a2-a667-0525b4c652ea] Command 'org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand' failed: EngineException: (Failed with error Bad Gateway and code 5050) 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'default' is using 0 threads out of 1, 5 threads waiting for tasks. 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'engine' is using 0 threads out of 500, 16 threads waiting for tasks and 0 tasks in queue. 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'engineScheduled' is using 0 threads out of 100, 100 threads waiting for tasks. 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'engineThreadMonitoring' is using 1 threads out of 1, 0 threads waiting for tasks. 2018-09-12 14:15:10,954+03 INFO [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService] (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread pool 'hostUpdatesChecker' is using 0 threads out of 5, 2 threads waiting for tasks. 2018-09-12 14:15:23,843+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f] Lock Acquired to object 'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]', sharedLocks=''}' 2018-09-12 14:15:23,849+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f] Running command: SyncNetworkProviderCommand internal: true. 2018-09-12 14:15:23,900+03 ERROR [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f] Command 'org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand' failed: EngineException: (Failed with error Bad Gateway and code 5050) 2018-09-12 14:15:23,901+03 INFO [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f] Lock freed to object 'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]', sharedLocks=''}'
[root@engine ~]# cat /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf # This file is automatically generated by engine-setup. Please do not edit manually [OVN REMOTE] ovn-remote=ssl:127.0.0.1:6641 [SSL] https-enabled=true ssl-cacert-file=/etc/pki/ovirt-engine/ca.pem ssl-cert-file=/etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer ssl-key-file=/etc/pki/ovirt-engine/keys/ovirt-provider-ovn.key.nopass [OVIRT] ovirt-sso-client-secret=Ms7Gw9qNT6IkXu7oA54tDmxaZDIukABV ovirt-host=https://engine.set.local:443 ovirt-sso-client-id=ovirt-provider-ovn ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem [PROVIDER] provider-host=engine.set.local _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/Y3IK7XXW2VQQSX...
participants (4)
-
Dominik Holler
-
Kapetanakis Giannis
-
mail@set-pro.net
-
Robert O'Kane