
Hi,

> On Mon, December 7, 2020 4:02 pm, Derek Atkins wrote:
>> Hi Michal,
>> On Mon, December 7, 2020 11:43 am, Michal Skrivanek wrote:
>>> [snip]
>> And for the record, after putting the new certificates into place by hand, just restarting a VM was sufficient to get Spice to pull in the new cert(s). So, technically, it LOOKS like I don't have to reboot the whole system (although I plan to do that tonight) -- I could just shutdown and re-run each VM.
> HTH, michal
Thank you for all your support and everything you do for this project, Michal. We very much appreciate it!
For the record, I rebooted the host last night and once everything came back, the new certs were all in place and everything was happy.... Except for the fact that my host cert does not have a SAN (SubjectAltName) so the engine is *still* complaining about it. See my other email about that.

FYI, here are the commands I used to refresh everything (modulo restarting everything):

my_date="$(date +"%Y%m%d%H%M%S")"

## On the ENGINE, rebuild the CA Cert:
cp -p /etc/pki/ovirt-engine/private/ca.pem /etc/pki/ovirt-engine/private/ca.pem.$my_date
cp -p /etc/pki/ovirt-engine/ca.pem{,.$my_date}
openssl x509 -signkey /etc/pki/ovirt-engine/private/ca.pem -in /etc/pki/ovirt-engine/ca.pem -out /etc/pki/ovirt-engine/ca.pem.new -days 3650 -sha256
openssl x509 -in /etc/pki/ovirt-engine/ca.pem.new -text > /etc/pki/ovirt-engine/ca.pem.new.full
mv /etc/pki/ovirt-engine/ca.pem.new.full /etc/pki/ovirt-engine/ca.pem
mv /etc/pki/ovirt-engine/certs/ca.der{,.$my_date}
cp -p /etc/pki/ovirt-engine/ca.pem.new /etc/pki/ovirt-engine/certs/ca.der

# On ovirt host, create a CSR:
# openssl x509 -x509toreq -in /etc/pki/libvirt/clientcert.pem -out /tmp/HOST.csr -signkey /etc/pki/libvirt/private/clientkey.pem

mv /etc/pki/ovirt-engine/certs/host.na.me.cer{,.$my_date}
mv /etc/pki/ovirt-engine/requests/host.na.me.req{,.$my_date}
# copy new CSR into place on the engine:
#   /etc/pki/ovirt-engine/requests/host.na.me.req
# and sign it:
/usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=host.na.me
# NB -- adding --san results in an error:  --san=host.na.me

# copy new Host cert from /etc/pki/ovirt-engine/certs/host.na.me.cer
# to host:new_cert
# and copy CA cert to host:cacert.pem

# ON OVIRT Host:
mv /etc/pki/libvirt/clientcert.pem{,.$my_date}
mv /etc/pki/vdsm/certs/vdsmcert.pem{,.$my_date}
mv /etc/pki/vdsm/libvirt-spice/server-cert.pem{,.$my_date}
cp -p new_cert /etc/pki/libvirt/clientcert.pem
cp -p new_cert /etc/pki/vdsm/certs/vdsmcert.pem
cp -p new_cert /etc/pki/vdsm/libvirt-spice/server-cert.pem
chown root:kvm /etc/pki/libvirt/clientcert.pem /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/libvirt-spice/server-cert.pem
#
# Copy new CA cert into place on Host:
mv /etc/pki/CA/cacert.pem{,.$my_date}
cp -p cacert.pem /etc/pki/CA/cacert.pem
chgrp kvm /etc/pki/CA/cacert.pem
mv /etc/pki/vdsm/certs/cacert.pem{,.$my_date}
mv /etc/pki/vdsm/libvirt-spice/ca-cert.pem{,.$my_date}
mv /etc/pki/ovirt-engine/ca.pem{,.$my_date}
cp -p /etc/pki/CA/cacert.pem /etc/pki/vdsm/certs/cacert.pem
cp -p /etc/pki/CA/cacert.pem /etc/pki/vdsm/libvirt-spice/ca-cert.pem
cp -p /etc/pki/CA/cacert.pem /etc/pki/ovirt-engine/ca.pem

At this point I shut down all VMs, rebooted the host, and restarted all the VMs and everything came back happy (except for the lack of the SubjectAltName).

Also note that you will need to remove the trusted cert from your browser(s) and re-add the new CA cert -- otherwise you will get a browser error complaining about the change in certificate from the same Issuer and with the same Serial#.

-derek

-- 
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
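The following is an added example, not part of Derek's mail and not oVirt's own tooling: a small shell script that runs the checks a practitioner would want after the swap above (does the new host cert chain to the new CA, is it far from expiry, does it carry the SubjectAltName the engine wants) and demonstrates why a CA renewed with `openssl x509 -signkey` trips browsers that still hold the old copy. The function names (`check_host_cert`, `same_issuer_and_serial`, `check_demo`) are chosen here; the CA, keys and host certificates it creates in a temp directory are constructed throwaway material so it runs offline, and it assumes an `openssl` binary with a usable default config and a `grep` that supports `-A`. On a real host you would point `check_host_cert` at the files from the thread, e.g. `/etc/pki/CA/cacert.pem` and `/etc/pki/vdsm/certs/vdsmcert.pem`.

```shell
#!/usr/bin/env bash
# Added example, not from the mailing-list thread or from oVirt itself.
# Post-renewal checks for a CA/host certificate swap, plus an offline demo
# built on constructed throwaway certificates. Function names chosen here.
set -u

# check_host_cert CA_PEM HOST_CERT HOSTNAME
# Prints one line per finding. Returns 0 only if the host cert chains to the
# given CA, is valid for at least 30 more days, and carries a SubjectAltName
# DNS entry matching HOSTNAME (a missing SAN is what keeps the engine
# complaining in the thread).
check_host_cert() {
    local ca="$1" cert="$2" host="$3" rc=0
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "OK   $cert chains to $ca"
    else
        echo "FAIL $cert does not verify against $ca"; rc=1
    fi
    # -checkend N exits non-zero if the cert expires within N seconds (30 days)
    if openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "OK   $cert valid for more than 30 days"
    else
        echo "FAIL $cert expires within 30 days (or is unreadable)"; rc=1
    fi
    if openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | grep -q "DNS:$host"; then
        echo "OK   $cert has SAN DNS:$host"
    else
        echo "FAIL $cert has no SAN entry DNS:$host"; rc=1
    fi
    return $rc
}

# same_issuer_and_serial OLD_PEM NEW_PEM
# Returns 0 when both certs carry the same issuer and serial number. A CA
# re-signed with "openssl x509 -signkey" keeps both, which is why a browser
# that still trusts the old CA cert rejects the new one until it is removed.
same_issuer_and_serial() {
    local old new
    old=$(openssl x509 -in "$1" -noout -issuer -serial 2>/dev/null) || return 2
    new=$(openssl x509 -in "$2" -noout -issuer -serial 2>/dev/null) || return 2
    [ "$old" = "$new" ]
}

# check_demo: build a constructed CA, sign one host cert with a SAN and one
# without, renew the CA the way the mail does, and run the checks above.
# Returns 0 when every check behaves as expected.
check_demo() {
    local d host r_san r_nosan r_serial
    host=host.na.me
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=constructed-ovirt-ca" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" >"$d/san.ext"
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$d/san.ext" -out "$d/host-san.cer" 2>/dev/null
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -days 365 -sha256 -out "$d/host-nosan.cer" 2>/dev/null
    # Renew the CA exactly as in the thread: re-sign the existing cert with its own key.
    openssl x509 -signkey "$d/ca.key" -in "$d/ca.pem" -out "$d/ca-renewed.pem" \
        -days 3650 -sha256 2>/dev/null

    r_san=0;    check_host_cert "$d/ca.pem" "$d/host-san.cer" "$host"   || r_san=1
    r_nosan=0;  check_host_cert "$d/ca.pem" "$d/host-nosan.cer" "$host" || r_nosan=1
    r_serial=0; same_issuer_and_serial "$d/ca.pem" "$d/ca-renewed.pem"  || r_serial=1
    rm -rf "$d"
    # Expected: SAN cert passes, no-SAN cert fails, renewed CA keeps issuer+serial.
    [ "$r_san" -eq 0 ] && [ "$r_nosan" -ne 0 ] && [ "$r_serial" -eq 0 ]
}

# Run the demo when executed directly (skipped where openssl is absent).
if command -v openssl >/dev/null 2>&1; then
    check_demo
fi
```

The no-SAN branch reproduces the state Derek describes (the cert chains and is fresh, yet the engine still complains), and `same_issuer_and_serial` reports the issuer/serial collision behind the browser error he mentions; if you want a renewed CA that browsers accept alongside the old one, give it a new serial with `-set_serial`.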