Changing certificates for oVirt 4.3.5

Hey All,

Would anyone have a more recent wiki on changing all certificates, including VDSM ones?

Have this page but it's for version 3.

https://access.redhat.com/solutions/2409751

Thinking the process didn't change much but wanted to ask if there's anything more recent floating around.

-- 
Thx, TK.

On Thu, Sep 26, 2019 at 3:19 AM TomK <tomkcpr@mdevsys.com> wrote:
> Hey All,
> Would anyone have a more recent wiki on changing all certificates, including VDSM ones?
> Have this page but it's for version 3.

I wasn't aware of this page. It's quite old, but mostly correct. However, if you do not mind host downtime, it's much easier to re-enroll certificates for all hosts, instead of the manual steps mentioned there (that are quite old, perhaps not up-to-date).

> Thinking the process didn't change much but wanted to ask if there's anything more recent floating around.

I am not aware of anything specifically doing what you want.

Related pages you might want to check:

1. Section "Replacing SHA-1 Certificates with SHA-256 Certificates" of:
https://www.ovirt.org/documentation/upgrade-guide/chap-Post-Upgrade_Tasks.ht...

2. Only now I noticed that it does not mention the option --san for setting SubjectAltName. It does appear here:
https://www.ovirt.org/documentation/admin-guide/chap-Utilities.html

See also:
https://www.ovirt.org/develop/release-management/features/infra/pki-renew.ht...

So I guess (didn't try recently) that if you follow the existing procedures and generate pki without --san, a later engine-setup will prompt you to renew.

Best regards,
-- 
Didi

On 9/26/2019 3:58 AM, Yedidyah Bar David wrote:
> So I guess (didn't try recently) that if you follow the existing procedures and generate pki without --san, a later engine-setup will prompt you to renew.
Thought I ran that though I probably didn't select the renew all option. However, it did not renew the VDSM one:

[root@ovirt01 ovirt-engine]# engine-setup
[ INFO ] Stage: Initializing
[ INFO ] Stage: Environment setup
          Configuration files: ['/etc/ovirt-engine-setup.conf.d/10-packaging-jboss.conf', '/etc/ovirt-engine-setup.conf.d/10-packaging.conf', '/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf']
          Log file: /var/log/ovirt-engine/setup/ovirt-engine-setup-20190926062007-ysyb9p.log
          Version: otopi-1.8.3 (otopi-1.8.3-1.el7)
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment setup (late)
[ INFO ] Stage: Environment customization

          --== PRODUCT OPTIONS ==--

[ INFO ] ovirt-provider-ovn already installed, skipping.

          --== PACKAGES ==--

[ INFO ] Checking for product updates...
[ INFO ] No product updates found

          --== NETWORK CONFIGURATION ==--

          Setup can automatically configure the firewall on this system.
          Note: automatic configuration of the firewall may overwrite current settings.
          NOTICE: iptables is deprecated and will be removed in future releases
          Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ ERROR ] Invalid value
          Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ ERROR ] Invalid value
          Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ ERROR ] Invalid value
          Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ ERROR ] Invalid value
          Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ ERROR ] Invalid value
          Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ ERROR ] Invalid value
          Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ ERROR ] Invalid value
          Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ INFO ] firewalld will be configured as firewall manager.

          --== DATABASE CONFIGURATION ==--

          The detected DWH database size is 48 MB.
          Setup can backup the existing database.
          The time and space required for the database backup depend on its size. This process takes time, and in some cases (for instance, when the size is few GBs) may take several hours to complete.
          If you choose to not back up the database, and Setup later fails for some reason, it will not be able to restore the database and all DWH data will be lost.
          Would you like to backup the existing database before upgrading it? (Yes, No) [Yes]:
          Perform full vacuum on the oVirt engine history database ovirt_engine_history@localhost?
          This operation may take a while depending on this setup health and the configuration of the db vacuum process.
          See https://www.postgresql.org/docs/10/sql-vacuum.html
          (Yes, No) [No]:

          --== OVIRT ENGINE CONFIGURATION ==--

          Perform full vacuum on the engine database engine@localhost?
          This operation may take a while depending on this setup health and the configuration of the db vacuum process.
          See https://www.postgresql.org/docs/10/sql-vacuum.html
          (Yes, No) [No]:

          --== STORAGE CONFIGURATION ==--

          --== PKI CONFIGURATION ==--

          One or more of the certificates should be renewed, because they expire soon, or include an invalid expiry date, or do not include the subjectAltName extension, which can cause them to be rejected by recent browsers and up to date hosts.
          See https://www.ovirt.org/develop/release-management/features/infra/pki-renew/ for more details.
          Renew certificates? (Yes, No) [No]: Yes

          --== APACHE CONFIGURATION ==--

          --== SYSTEM CONFIGURATION ==--

          --== MISC CONFIGURATION ==--

          --== END OF CONFIGURATION ==--

[ INFO ] Stage: Setup validation
          During execution engine service will be stopped (OK, Cancel) [OK]:
[WARNING] Less than 16384MB of memory is available
[ INFO ] Cleaning stale zombie tasks and commands

          --== CONFIGURATION PREVIEW ==--

          Default SAN wipe after delete : False
          Firewall manager : firewalld
          Update Firewall : True
          Host FQDN : ovirt01.nix.mds.xyz
          Set up Cinderlib integration : False
          Engine database secured connection : False
          Engine database user name : engine
          Engine database name : engine
          Engine database host : localhost
          Engine database port : 5432
          Engine database host name validation : False
          Engine installation : True
          PKI organization : nix.mds.xyz
          Renew PKI : True
          Set up ovirt-provider-ovn : True
          Configure WebSocket Proxy : True
          DWH installation : True
          DWH database secured connection : False
          DWH database host : localhost
          DWH database user name : ovirt_engine_history
          DWH database name : ovirt_engine_history
          Backup DWH database : True
          DWH database port : 5432
          DWH database host name validation : False
          Configure Image I/O Proxy : True
          Configure VMConsole Proxy : True

          Please confirm installation settings (OK, Cancel) [OK]:
[ INFO ] Cleaning async tasks and compensations
[ INFO ] Unlocking existing entities
[ INFO ] Checking the Engine database consistency
[ INFO ] Stage: Transaction setup
[ INFO ] Stopping engine service
[ INFO ] Stopping ovirt-fence-kdump-listener service
[ INFO ] Stopping dwh service
[ INFO ] Stopping Image I/O Proxy service
[ INFO ] Stopping vmconsole-proxy service
[ INFO ] Stopping websocket-proxy service
[ INFO ] Stage: Misc configuration (early)
[ INFO ] Stage: Package installation
[ INFO ] Stage: Misc configuration
[ INFO ] Upgrading CA
[ INFO ] Renewing engine certificate
[ INFO ] Renewing jboss certificate
[ INFO ] Backing up database localhost:ovirt_engine_history to '/var/lib/ovirt-engine-dwh/backups/dwh-20190926062715.jLreIE.dump'.
[ INFO ] Creating/refreshing DWH database schema
[ INFO ] Configuring Image I/O Proxy
[ INFO ] Setting up ovirt-vmconsole proxy helper PKI artifacts
[ INFO ] Configuring WebSocket Proxy
[ INFO ] Backing up database localhost:engine to '/var/lib/ovirt-engine/backups/engine-20190926062734.NnTrHY.dump'.
[ INFO ] Creating/refreshing Engine database schema
[ INFO ] Creating/refreshing Engine 'internal' domain database schema
          Unregistering existing client registration info.
[ INFO ] Generating post install configuration file '/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf'
[ INFO ] Stage: Transaction commit
[ INFO ] Stage: Closing up
[ INFO ] Starting engine service
[ INFO ] Starting dwh service
[ INFO ] Restarting ovirt-vmconsole proxy service

          --== SUMMARY ==--

[ INFO ] Restarting httpd
          Web access is enabled at:
              http://ovirt01.nix.mds.xyz:80/ovirt-engine
              https://ovirt01.nix.mds.xyz:443/ovirt-engine
          Internal CA 88:6F:76:D1:08:AA:DD:6A:BC:4E:81:52:52:6A:78:69:78:AD:01:DA
          SSH fingerprint: SHA256:sxefdvInh4PF6OrI2nfEid2pBrSrd/SOrB1xR1yEgT8
[WARNING] Less than 16384MB of memory is available

          --== END OF SUMMARY ==--

[ INFO ] Stage: Clean up
          Log file is located at /var/log/ovirt-engine/setup/ovirt-engine-setup-20190926062007-ysyb9p.log
[ INFO ] Generating answer file '/var/lib/ovirt-engine/setup/answers/20190926062909-setup.conf'
[ INFO ] Stage: Pre-termination
[ INFO ] Stage: Termination
[ INFO ] Execution of setup completed successfully

[root@ovirt01 ovirt-engine]# openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -enddate -noout
notAfter=Apr 8 17:12:07 2019 GMT        # ****** <<<<<<<<<<<<<<<<<<<<<<<<
[root@ovirt01 ovirt-engine]#

So still getting:

VDSM mdskvm-p01.nix.mds.xyz command Get Host Capabilities failed: General SSLEngine problem

-- 
Thx, TK.

On 9/26/2019 6:44 AM, TomK wrote:
> So still getting:
> VDSM mdskvm-p01.nix.mds.xyz command Get Host Capabilities failed: General SSLEngine problem
Tried to see if I can regenerate the VDSM certificates but no luck yet. I'm also unable to remove the servers due to the messages above. So still can't renew this certificate using any of the above methods:

[root@ovirt01 certs]# openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -noout -dates
notBefore=Apr 7 17:12:07 2018 GMT
notAfter=Apr 8 17:12:07 2019 GMT
[root@ovirt01 certs]#

-- 
Thx, TK.
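The thread shows the two halves of the problem: engine-setup's "Renew PKI" pass regenerated the CA, engine and jboss certificates on the engine, while the host-side /etc/pki/vdsm/certs/vdsmcert.pem stayed expired and VDSM kept failing with "General SSLEngine problem", which is the case Didi's advice to re-enroll the hosts is meant for. Before and after a re-enrollment a practitioner wants one check that covers both sides for the same three conditions engine-setup's PKI prompt names (expiry, expiring soon, missing subjectAltName). The script below is an added example written for this page; it is not oVirt's code and was not posted in the thread. It assumes `openssl` is on PATH, Python 3.7 or later, and that the listed paths are the oVirt 4.3 defaults (adjust them for your deployment); the two sample dumps embedded in it are constructed, with the dates copied from the vdsmcert.pem output above.

```python
"""Audit oVirt PKI files for expiry and a subjectAltName extension.

Added example for this page (not oVirt's code, not from the thread): runs
`openssl x509` on each path and reports expired / expiring / no-san, the
conditions engine-setup's PKI check names, plus the host-side expiry that
engine-setup never renews. Paths are assumed oVirt 4.3 defaults.
"""
import datetime
import re
import subprocess

UTC = datetime.timezone.utc

# Assumed engine-side locations (these are what "Renew PKI" regenerates).
ENGINE_CERTS = [
    "/etc/pki/ovirt-engine/ca.pem",
    "/etc/pki/ovirt-engine/certs/engine.cer",
    "/etc/pki/ovirt-engine/certs/apache.cer",
    "/etc/pki/ovirt-engine/certs/jboss.cer",
]
# Assumed host-side locations (only re-enrolling the host renews these).
HOST_CERTS = [
    "/etc/pki/vdsm/certs/cacert.pem",
    "/etc/pki/vdsm/certs/vdsmcert.pem",
    "/etc/pki/vdsm/libvirt-spice/server-cert.pem",
    "/etc/pki/libvirt/clientcert.pem",
]

# openssl prints e.g. "notAfter=Apr  8 17:12:07 2019 GMT" (day space padded).
OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"
SAN_MARKER = "X509v3 Subject Alternative Name:"


def parse_openssl_text(text):
    """Parse `openssl x509 -noout -dates -text` output into
    {"notBefore", "notAfter"} (aware UTC datetimes) and "has_san"."""
    info = {}
    for key in ("notBefore", "notAfter"):
        m = re.search(r"^%s=(.+)$" % key, text, re.MULTILINE)
        if m is None:
            raise ValueError("openssl output lacks %s" % key)
        info[key] = datetime.datetime.strptime(
            m.group(1).strip(), OPENSSL_DATE).replace(tzinfo=UTC)
    info["has_san"] = SAN_MARKER in text
    return info


def days_left(not_after, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after - now).days


def findings(info, now, warn_days=30):
    """Problems worth acting on; an empty list means the certificate is fine."""
    issues = []
    left = days_left(info["notAfter"], now)
    if left < 0:
        issues.append("expired")
    elif left < warn_days:
        issues.append("expiring")
    if not info["has_san"]:
        issues.append("no-san")
    return issues


def inspect_file(path):
    """Run openssl on one PEM file; None if it is missing or unparsable."""
    try:
        proc = subprocess.run(
            ["openssl", "x509", "-in", path, "-noout", "-dates", "-text"],
            check=True, capture_output=True, text=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_openssl_text(proc.stdout)


def audit(paths, now=None, warn_days=30):
    """Map each path to its findings ("unreadable" when openssl failed)."""
    now = now or datetime.datetime.now(UTC)
    report = {}
    for path in paths:
        info = inspect_file(path)
        report[path] = ["unreadable"] if info is None else findings(info, now, warn_days)
    return report


# Constructed sample dumps (not real certificates); the first reuses the
# vdsmcert.pem dates from the thread.
SAMPLE_EXPIRED_NO_SAN = """notBefore=Apr  7 17:12:07 2018 GMT
notAfter=Apr  8 17:12:07 2019 GMT
        Subject: O = nix.mds.xyz, CN = mdskvm-p01.nix.mds.xyz
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
"""
SAMPLE_FRESH_WITH_SAN = """notBefore=Sep 26 06:27:00 2019 GMT
notAfter=Sep 25 06:27:00 2024 GMT
        Subject: O = nix.mds.xyz, CN = ovirt01.nix.mds.xyz
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:ovirt01.nix.mds.xyz
"""

if __name__ == "__main__":
    for path, issues in audit(ENGINE_CERTS + HOST_CERTS).items():
        print("%-46s %s" % (path, ", ".join(issues) or "ok"))
```

Run it on the engine for ENGINE_CERTS and on each hypervisor for HOST_CERTS. A host file reported as "expired" is exactly what engine-setup leaves alone, so it has to be fixed on the host side (re-enrolling the host, as suggested earlier in the thread); "no-san" on an engine-side file is the condition that makes a later engine-setup offer to renew.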