Hello! My ovirt host (4.5.5) certificate is about to expire (in 46 days, Jan 20, 2025). d.pankratiev@zabbix ~]$ echo | openssl s_client -servername ovirt1.gtc.local -connect XXX.XXX.XXX.XXX.XXX:9090 2>/dev/null | openssl x509 -noout -dates 2>/dev/null notBefore=Dec 22 05:27:04 2023 GMT notAfter=Jan 20 05:27:04 2025 GMT 1. I have migrated all VMs to another host 2. I put the host in maintenance mode (Managеment -> Maintenance) 3. Do enroll certificate (Installation -> Enroll Certificate) 4. Everything went successfully, without errors (Enrolling certificate for host ovirt1.gtc.local was completed successfully). But the certificate date did not change, still expire (after 46 days, Jan 20 2025). d.pankratiev@zabbix ~]$ echo | openssl s_client -servername ovirt1.gtc.local -connect XXX.XXX.XXX.XXX.XXX:9090 2>/dev/null | openssl x509 -noout -dates 2>/dev/null notBefore=Dec 22 05:27:04 2023 GMT notAfter=Jan 20 05:27:04 2025 GMT What did I do wrong? Is there anything else I need to do?
I mean the certificate that the browser sees. It is valid for 398 days and needs to be renewed once a year.
Hello, Denis! You should do # engine-setup --offline to update engine certificates -- Br Alexey -----Original Message----- From: Денис Панкратьев <pankratiev@gmail.com> Sent: Wednesday, December 4, 2024 3:23 PM To: users@ovirt.org Subject: [ovirt-users] Re: Enroll Certificate ***This letter was sent from external network.*** ***Это письмо отправлено из внешней сети.*** I mean the certificate that the browser sees. It is valid for 398 days and needs to be renewed once a year. _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/X74TNKZGHBNLMC...
On Wed, Dec 4, 2024 at 1:43 PM Денис Панкратьев <pankratiev@gmail.com> wrote:
I mean the certificate that the browser sees. It is valid for 398 days and needs to be renewed once a year.
If you mean when you connect to the web admin portal through your browser, you have to renew certificates engine side. If you have a self hosted engine you have to put the environment in global maintenance first. Then, both on standalone engine and on self hosted engine environments, you have to run this as root on the engine server: engine-setup --offline The --offline is because you don't update any package in case there are any available. At the questions you should also see: Renew certificates? (Yes, No) [Yes]: and answer Yes The other ones you can accept default answer If you have a self hosted engine you have now to exit from global maintenance See also here: https://www.ovirt.org/documentation/administration_guide/index.html#chap-Ren... HIH, Gianluca
Figured it out. Cockpit self-signed certificate has been expire. Update it) Thank you all! Close the thread
Hi, Did you notice you are testing the cockpit certificate, not any oVirt related certificate? Any procedure to renew oVirt certificates will not touch the cockpit self-signed certificates. By default, the cockpit ssl certificate is automatically renewed before expiring and don't need to worry about it. Anyway, you can generate it manually using the /usr/libexec/cockpit-certificate-helper script. Marcos -----Original Message----- From: Денис Панкратьев <pankratiev@gmail.com> Sent: Wednesday, December 4, 2024 7:43 AM To: users@ovirt.org Subject: [External] : [ovirt-users] Enroll Certificate Hello! My ovirt host (4.5.5) certificate is about to expire (in 46 days, Jan 20, 2025). d.pankratiev@zabbix ~]$ echo | openssl s_client -servername ovirt1.gtc.local -connect XXX.XXX.XXX.XXX.XXX:9090 2>/dev/null | openssl x509 -noout -dates 2>/dev/null notBefore=Dec 22 05:27:04 2023 GMT notAfter=Jan 20 05:27:04 2025 GMT 1. I have migrated all VMs to another host 2. I put the host in maintenance mode (Managеment -> Maintenance) 3. Do enroll certificate (Installation -> Enroll Certificate) 4. Everything went successfully, without errors (Enrolling certificate for host ovirt1.gtc.local was completed successfully). But the certificate date did not change, still expire (after 46 days, Jan 20 2025). d.pankratiev@zabbix ~]$ echo | openssl s_client -servername ovirt1.gtc.local -connect XXX.XXX.XXX.XXX.XXX:9090 2>/dev/null | openssl x509 -noout -dates 2>/dev/null notBefore=Dec 22 05:27:04 2023 GMT notAfter=Jan 20 05:27:04 2025 GMT What did I do wrong? Is there anything else I need to do? _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://urldefense.com/v3/__https://www.ovirt.org/privacy-policy.html__;!!AC... oVirt Code of Conduct: https://urldefense.com/v3/__https://www.ovirt.org/community/about/community-... List Archives: https://urldefense.com/v3/__https://lists.ovirt.org/archives/list/users@ovir...
participants (5)
-
Denis Denis -
Gianluca Cecchi -
Marcos Sungaila -
Valkov, Alexey -
Денис Панкратьев