How to renew vmconsole-proxy* certificates

Hi,

For a few weeks now we have not been able to connect to the vmconsole proxy:

    $ ssh -t -p 2222 ovirt-vmconsole@ovirt
    ovirt-vmconsole@ovirt: Permission denied (publickey).

Last successful login record: Mar 29 11:31:32
First login failure record: Mar 31 17:28:51

We tracked the issue to the following log entry in /var/log/ovirt-engine/engine.log:

    ERROR [org.ovirt.engine.core.services.VMConsoleProxyServlet] (default task-11) [] Error validating ticket: : sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Indeed, the certificate /etc/pki/ovirt-engine/certs/vmconsole-proxy-helper.cer and others have expired:

    # grep 'Not After' /etc/pki/ovirt-engine/certs/vmconsole-proxy-*
    /etc/pki/ovirt-engine/certs/vmconsole-proxy-helper.cer: Not After : Mar 31 13:18:44 2021 GMT
    /etc/pki/ovirt-engine/certs/vmconsole-proxy-host.cer: Not After : Mar 31 13:18:44 2021 GMT
    /etc/pki/ovirt-engine/certs/vmconsole-proxy-user.cer: Not After : Mar 31 13:18:44 2021 GMT

But we did not manage to find out how to renew them. Any advice?

--
Benoît

On 27/04/2021 17:12, capelle@labri.fr wrote:
> Hi,
>
> For a few weeks now we have not been able to connect to the vmconsole proxy:
>
>     $ ssh -t -p 2222 ovirt-vmconsole@ovirt
>     ovirt-vmconsole@ovirt: Permission denied (publickey).
>
> Last successful login record: Mar 29 11:31:32
> First login failure record: Mar 31 17:28:51
>
> We tracked the issue to the following log entry in /var/log/ovirt-engine/engine.log:
>
>     ERROR [org.ovirt.engine.core.services.VMConsoleProxyServlet] (default task-11) [] Error validating ticket: : sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
> Indeed, the certificate /etc/pki/ovirt-engine/certs/vmconsole-proxy-helper.cer and others have expired:
>
>     # grep 'Not After' /etc/pki/ovirt-engine/certs/vmconsole-proxy-*
>     /etc/pki/ovirt-engine/certs/vmconsole-proxy-helper.cer: Not After : Mar 31 13:18:44 2021 GMT
>     /etc/pki/ovirt-engine/certs/vmconsole-proxy-host.cer: Not After : Mar 31 13:18:44 2021 GMT
>     /etc/pki/ovirt-engine/certs/vmconsole-proxy-user.cer: Not After : Mar 31 13:18:44 2021 GMT
>
> But we did not manage to find out how to renew them. Any advice?
>
> --
> Benoît

Hi,

I believe I have the same problem as this. Same error message in the engine log and expired certificates in /etc/pki/ovirt-engine/certs/vmconsole-proxy-*

Any ideas?

G

On Thu, Nov 4, 2021 at 6:51 PM Kapetanakis Giannis <bilias@edu.physics.uoc.gr> wrote:
> On 27/04/2021 17:12, capelle@labri.fr wrote:
>> Hi,
>>
>> For a few weeks now we have not been able to connect to the vmconsole proxy:
>>
>>     $ ssh -t -p 2222 ovirt-vmconsole@ovirt
>>     ovirt-vmconsole@ovirt: Permission denied (publickey).

This is a hackish way to generate a new certificate outside of ovirt-engine.

1. Back up oVirt, and especially /etc on the engine.

2. Generate a new request for the vmconsole-proxy-helper, reusing its existing key:

openssl req -new -out vmconsole.req -subj /CN=MY_OVIRT_FQDN \
    -key /etc/pki/ovirt-engine/keys/vmconsole-proxy-helper.key.nopass

3. Use the oVirt CA to sign this request to produce a new cert:

cat > extfile.conf <<EOT
# let's try to mimic the extensions that oVirt CA creates
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = DER:300E060C2B0601040192080D01020101
EOT

Sign the request:

# ca.der is DER-encoded, so its format is given with -CAform (-inform would
# describe the request, which 'openssl req' wrote as PEM above).
# Without -days the new certificate is valid for 30 days only.
openssl x509 -req -in vmconsole.req \
    -CA /etc/pki/ovirt-engine/certs/ca.der -CAform DER \
    -CAkey /etc/pki/ovirt-engine/private/ca.pem \
    -set_serial MY_SERIAL_NO -extfile extfile.conf \
    -out vmconsole-proxy-helper.cer

Then you can use this cert to override /etc/pki/ovirt-engine/certs/vmconsole-proxy-helper.cer

Needless to say, this is extremely hackish, and I would like to know the proper way to work this.

BTW my vmconsole SSH keys/certs were also a) expired and b) of the wrong type (ssh-rsa), so I needed to jump through similar hoops to get proxy -> host working again.

---
Richard Chan
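The procedure above, as an added example that is not from the thread or from oVirt: a POSIX shell script that re-issues one vmconsole-proxy-* certificate from its existing key, signs it with the engine CA, and verifies the chain before installing the result. It assumes the oVirt PKI layout the posts refer to (certs/ca.der, private/ca.pem and keys/<name>.key.nopass under /etc/pki/ovirt-engine, passed in as a parameter here) and that all three vmconsole-proxy-* keys live there under that naming; the EKU DER blob is the one from the post, and 1.3.6.1.4.1.2312.13.1.2.1.1 is simply its decoding, not a name the thread gives it. The demo_pki function builds a throwaway CA in the same layout so the script runs offline; it must never be pointed at a real engine.

```shell
#!/bin/sh
# Added example (not oVirt code): renew a vmconsole-proxy-* certificate from its
# existing key, signed by the engine CA, following the hack in the thread.
# Assumed layout under $pki: certs/ca.der (DER cert), private/ca.pem (PEM key),
# keys/<name>.key.nopass. Back up /etc/pki/ovirt-engine before running on a host.
set -eu

# EKU from the post, and the same bytes decoded as a dotted OID (assumed meaning).
OVIRT_VMCONSOLE_EKU_DER=300E060C2B0601040192080D01020101
OVIRT_VMCONSOLE_EKU_OID=1.3.6.1.4.1.2312.13.1.2.1.1

# cert_expires_within CERT SECONDS: return 0 if notAfter falls inside the window
# (SECONDS=0 means "already expired"), 1 if the cert outlives it.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_has_vmconsole_eku CERT: return 0 if the decoded EKU lists the OID above.
cert_has_vmconsole_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "$OVIRT_VMCONSOLE_EKU_OID"
}

# renew_vmconsole_cert PKI NAME CN SERIAL DAYS OUT
# Writes OUT only after the new cert verifies against the CA, so a typo in the
# extension file cannot leave a broken certificate in place.
renew_vmconsole_cert() {
    pki=$1 name=$2 cn=$3 serial=$4 days=$5 out=$6
    work=$(mktemp -d)
    openssl req -new -subj "/CN=$cn" \
        -key "$pki/keys/$name.key.nopass" -out "$work/$name.req"
    # Same extensions as the post; the EKU stays raw DER because openssl has no
    # short name for that OID.
    cat > "$work/ext.conf" <<EOF
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints=CA:false
keyUsage=digitalSignature
extendedKeyUsage=DER:$OVIRT_VMCONSOLE_EKU_DER
EOF
    # -CAform DER describes ca.der; -inform would describe the (PEM) request.
    openssl x509 -req -in "$work/$name.req" \
        -CA "$pki/certs/ca.der" -CAform DER -CAkey "$pki/private/ca.pem" \
        -set_serial "$serial" -days "$days" -extfile "$work/ext.conf" \
        -out "$work/$name.cer"
    # Chain check with the same CA before anything is installed.
    openssl x509 -in "$pki/certs/ca.der" -inform DER -out "$work/ca.pem"
    openssl verify -CAfile "$work/ca.pem" "$work/$name.cer" >/dev/null
    cp "$work/$name.cer" "$out"
    rm -rf "$work"
}

# demo_pki: constructed throwaway CA and helper key in the oVirt directory
# layout, so the functions above can be exercised offline. Prints the directory.
demo_pki() {
    d=$(mktemp -d)
    mkdir -p "$d/certs" "$d/private" "$d/keys"
    openssl genrsa -out "$d/private/ca.pem" 2048 >/dev/null 2>&1
    openssl req -new -subj /CN=demo-engine-CA -key "$d/private/ca.pem" \
        -out "$d/ca.req" >/dev/null 2>&1
    printf 'subjectKeyIdentifier=hash\nbasicConstraints=critical,CA:true\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/ca.req" -signkey "$d/private/ca.pem" -days 3650 \
        -set_serial 1 -extfile "$d/ca.ext" -outform DER \
        -out "$d/certs/ca.der" >/dev/null 2>&1
    openssl genrsa -out "$d/keys/vmconsole-proxy-helper.key.nopass" 2048 >/dev/null 2>&1
    echo "$d"
}

# On a real engine (after the backup), assuming the layout above:
#   renew_vmconsole_cert /etc/pki/ovirt-engine vmconsole-proxy-helper "$(hostname -f)" \
#       "$(date +%s)" 365 /etc/pki/ovirt-engine/certs/vmconsole-proxy-helper.cer
```

The serial is the caller's responsibility: oVirt's CA keeps its own serial database, and this script does not touch it, so use a value that cannot collide with what the engine already issued (a Unix timestamp, as in the comment, is one cheap choice). Run cert_expires_within against each vmconsole-proxy-*.cer with a window of a few weeks to catch the next expiry before logins start failing.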