Standalone Engine restore to Rocky Linux 9

Hello! There are a lot of errors regarding legacy cipher while restoring engine backup to RL9 during our migration to 4.5.

2025-04-22 08:35:48,773+0300 DEBUG otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ca plugin.execute:923 execute-output: ('/usr/bin/openssl', 'pkcs12', '-in', '/etc/pki/ovirt-engine/keys/engine.p12', '-passin', 'pass:**FILTERED**', '-nokeys') stderr: Error outputting keys and certificates
00CE347D1F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

RHEL/RL 9 disables the legacy provider for security reasons.
What is the best way to solve this problem? Should I just enable the legacy provider in the OpenSSL config or re-sign all certs with a new cipher (where can I find more information about this)? Thank you.

You should be able to just do:

rm -f /etc/pki/ovirt-engine/keys/*.p12

And then rerun engine-setup.

On 4/22/25 12:51, KSNull Zero wrote:
Hello! There are a lot of errors regarding legacy cipher while restoring engine backup to RL9 during our migration to 4.5.
2025-04-22 08:35:48,773+0300 DEBUG otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ca plugin.execute:923 execute-output: ('/usr/bin/openssl', 'pkcs12', '-in', '/etc/pki/ovirt-engine/keys/engine.p12', '-passin', 'pass:**FILTERED**', '-nokeys') stderr: Error outputting keys and certificates 00CE347D1F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
RHEL/RL 9 disables the legacy provider for security reasons.
What is the best way to solve this problem? Should I just enable the legacy provider in the OpenSSL config or re-sign all certs with a new cipher (where can I find more information about this)? Thank you.

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/DZ7FUYQZ3ZEEMW...
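As an added example (not from this thread or from oVirt), the following POSIX shell script sorts PKCS#12 stores into those the default OpenSSL 3 providers can read and those that still need the legacy provider (the RC2-40-CBC failure in the log above), and can rewrap a legacy store with AES-256 so the same `openssl pkcs12` call succeeds without regenerating keys or certificates. It assumes the caller supplies the directory and the store password; rewrapping needs the legacy provider installed on the machine running it, and it is an alternative to the delete-and-regenerate step above, not oVirt's documented procedure.

```shell
#!/bin/sh
# Added example, not oVirt code: classify PKCS#12 stores by whether the default
# OpenSSL providers can open them, and re-encrypt legacy (RC2/3DES) stores with
# AES-256 so OpenSSL 3 without the legacy provider can read them.
set -u

# p12_classify FILE PASS -> prints one of: modern | legacy | unreadable
#   modern     : readable with the providers loaded by default (what engine-setup uses)
#   legacy     : readable only once the legacy provider is loaded (-legacy)
#   unreadable : wrong password, corrupt file, or legacy provider not installed
# Keys are emitted encrypted (-passout) and discarded, so both bag types are exercised.
p12_classify() {
  if openssl pkcs12 -in "$1" -passin "pass:$2" -passout "pass:$2" >/dev/null 2>&1; then
    echo modern
  elif openssl pkcs12 -legacy -in "$1" -passin "pass:$2" -passout "pass:$2" >/dev/null 2>&1; then
    echo legacy
  else
    echo unreadable
  fi
}

# p12_rewrap IN OUT PASS -> rebuild IN as OUT with AES-256-CBC (PBES2) for both the
# key and certificate bags and an HMAC-SHA256 MAC; key and certificate bytes are unchanged.
# The intermediate PEM holds the key encrypted under PASS and is removed afterwards.
p12_rewrap() {
  pem=$(mktemp) || return 1
  if openssl pkcs12 -legacy -in "$1" -passin "pass:$3" -passout "pass:$3" -out "$pem" 2>/dev/null &&
     openssl pkcs12 -export -in "$pem" -passin "pass:$3" -passout "pass:$3" \
       -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 -out "$2" 2>/dev/null; then
    rm -f "$pem"; return 0
  fi
  rm -f "$pem"; return 1
}

# p12_audit DIR PASS -> one "<state><TAB><file>" line per store; exit 1 if any is not modern.
# Intended for a copy of the backup's keys directory, before engine-setup runs.
p12_audit() {
  rc=0
  for f in "$1"/*.p12; do
    [ -e "$f" ] || continue
    state=$(p12_classify "$f" "$2")
    printf '%s\t%s\n' "$state" "$f"
    [ "$state" = modern ] || rc=1
  done
  return $rc
}

# Usage: sh p12_audit.sh DIR PASS   (e.g. a copy of /etc/pki/ovirt-engine/keys)
if [ "$#" -eq 2 ]; then p12_audit "$1" "$2"; fi
```

A "modern" verdict reflects the providers activated in the local openssl.cnf, so run the audit on the RL9 target (or with its configuration) rather than on the old engine host.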

So far, so good. We restored the engine config to RL9 successfully. But another problem has arrived: engine-config does not work anymore.

# engine-config -a
Picked up JAVA_TOOL_OPTIONS: -Dcom.redhat.fips=false
Index 1 out of bounds for length 1

Is there any way to fix this?

By the way, engine-config does not work even on a new oVirt deployment from the current nightly oVirt master snapshot. The error is the same: Index 1 out of bounds for length 1. Any clues?

I have the same problem on CentOS Stream 9 using `hosted-engine --deploy`, see also my thread here: https://lists.ovirt.org/archives/list/users@ovirt.org/thread/HHXUVIDWBHUGP4O...

Maybe Java version incompatibility? I have no idea actually...

Same issue here (I'd posted a comment on the thread Kevin started as well).

I have some notes that indicate that things were working correctly with appliance RPM "ovirt-engine-appliance-4.5-20240606072424.el9.x86_64" (2024-June-6 nightly, tested on 2024-June-7). Unfortunately it looks like the nightly repo keeps only the last 10 builds (these were 2024-Aug-8 through 2024-Aug-14), so I cannot reproduce exactly that scenario.

Based on some testing against the latest available nightly "ovirt-engine-appliance-4.5-20240817071039.1.el9.x86_64.rpm" (2024-Aug-18), the behaviour of engine-config changes after the "dnf update *" executed on the appliance VM during the build. Using "he_pause_before_engine_setup", I can confirm that engine-config --list states that there is no database available. Immediately after performing the dnf update, the same command fails with the "Index 1 out of bounds for length 1" error.

I compared behaviour against the latest appliance release ("ovirt-engine-appliance-4.5-20231201120201.1.el9.x86_64.rpm", modified for the CS9 repos being moved to vault). In 20231201, we find:
- at he_pause_before_engine_setup, 'engine-config --list' reports no database available.
- after 'dnf update *', 'engine-config --list' reports no database available.
- after engine-setup, 'engine-config --list' reports all key-values in the database.

With the baseline behaviour from 20231201, it definitely looks like simply _updating_ packages on the most recent nightly appliance breaks engine-config. This seems weird to me, and it seems like some sort of change between 2024-June and today has introduced an issue.

I am tempted to attach a Java debugger but I don't have any of the development toolchain for this project available. Does anyone know whether it is worthwhile troubleshooting at this level? Would there be someone who knows the engine-config codebase well enough to take a look? There were a couple of recent changes as far as I can tell (79c665d and 9a9b4c6).

Good Evening - I posted a more lengthy reply on the "Barebone Hosted Engine Deployment fails" post but wanted to follow up on my comment here as well.

I opened a bug here: https://github.com/oVirt/ovirt-engine/issues/1016
Some additional details on the other post: https://lists.ovirt.org/archives/list/users@ovirt.org/message/XM3UFONO7WJULN...

BR, Dan

Following up - I can confirm that the following combination worked properly as of 2025-May-5 with the changes committed against the case linked in my comment above:
- oVirt Node: ovirt-node-ng-installer-4.5.6-2025031111.c9s.iso (latest available at the time of testing)
- oVirt Appliance: ovirt-engine-appliance-4.5-20240817071039.1.el9.x86_64.rpm (latest available at the time of testing)

Wouldn't deleting the .p12 files break the connection to existing oVirt nodes?
I think the best approach is to export and re-sign the certificates before creating a backup (on the old ovirt-engine). https://access.redhat.com/solutions/5047531

Best regards, Pavel

On 22. 4. 25 13:12, Jean-Louis Dupond via Users wrote:
You should be able to just do:

rm -f /etc/pki/ovirt-engine/keys/*.p12

And then rerun engine-setup.

No this doesn't :) Had to do it multiple times already. The setup just regenerates them, so it's quite an easy option.

On 4/23/25 15:21, Pavel Šipoš wrote:
Wouldn't deleting the .p12 files break the connection to existing oVirt nodes?
I think the best approach is to export and re-sign the certificates before creating a backup (on old ovirt-engine). https://access.redhat.com/solutions/5047531
Best regards, Pavel

If you remove all of the .p12 certificates, the engine-setup process will recreate them. However, the Engine will lose SSH access to the hosts for tasks that require SSH connectivity. A better approach is to re-sign the certificates as mentioned above.
Participants (5): Jean-Louis Dupond, kevin@kllmnn.de, KSNull Zero, lmd@gto.net, Pavel Šipoš