ovirt-engine manager, certificate issue

Hello,
I have a problem logging in to the ovirt-engine manager in my browser. The warning message in the browser displays this text:
PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
To solve this problem I am offered to run engine-setup, and here is a question: will engine-setup have no impact on the working hosts (hypervisors)?
oVirt version 4.4.4.7-1.el8
Thanks

On Thu, Feb 17, 2022 at 9:37 AM david <dd432690@gmail.com> wrote:
> hello I have a problem to log in to ovirt-engine manager in my browser the warning message in the browser display me this text: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
> to solve this problem I am offered to run engine-setup
Where?
> and here is a question: the engine-setup will have no impact to the hosts(hypervisors) working?
> ovirt version 4.4.4.7-1.el8
You can run 'engine-setup --offline', to prevent it from trying to upgrade (which is what it's supposed to do normally). If it's a hosted-engine, you should first set global maintenance. Other than that, it should not affect your hosts.
Best regards,
-- Didi

Hello,
I have an issue when I try to log in to the ovirt-engine manager with a browser. The error message is:
PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
The oVirt version is 4.4.5.11-1.
I followed these commands to try to resolve it:
# cp -a /etc/pki/ovirt-engine "/etc/pki/ovirt-engine.$(date "+%Y%m%d")"
# SUBJECT="$(openssl x509 -subject -noout -in /etc/pki/ovirt-engine/certs/apache.cer | sed 's/subject= //')"
# /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=apache --password="PASSWORD" --subject="${SUBJECT}"
# openssl pkcs12 -passin "pass:PASSWORD" -nokeys -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
# openssl pkcs12 -passin "pass:PASSWORD" -nocerts -nodes -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/keys/apache.key.nopass
# chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass
# systemctl restart ovirt-engine.service
But after restarting the issue is the same.
Any idea?
Thanks in advance
Ángel.

Hi,
On Tue, May 17, 2022 at 7:33 PM Angel R. Gonzalez <angel.gonzalez@uam.es> wrote:
> Hello,
> I've a issue when I try log in ovirt-engine manager with a browser. The error message is:
> PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
> The ovirt version is 4.4.5.11-1.
> I follow the next commands for try resolve it.
> # cp -a /etc/pki/ovirt-engine "/etc/pki/ovirt-engine.$(date "+%Y%m%d")"
> # SUBJECT="$(openssl x509 -subject -noout -in /etc/pki/ovirt-engine/certs/apache.cer | sed 's/subject= //')"
> # /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=apache --password="PASSWORD" --subject="${SUBJECT}"
> # openssl pkcs12 -passin "pass:PASSWORD" -nokeys -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
> # openssl pkcs12 -passin "pass:PASSWORD" -nocerts -nodes -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/keys/apache.key.nopass
> # chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass
> # systemctl restart ovirt-engine.service
> But after restarting the issue is the same.
> Any idea?
Maybe try to restart the apache HTTP Server as well: systemctl restart httpd
If it still doesn't work then please share the errors within the engine log /var/log/ovirt-engine/engine.log
Thanks, Sharon
> Thanks in advance
> Ángel.

On Tue, May 17, 2022 at 7:36 PM Sharon Gratch <sgratch@redhat.com> wrote:
> Hi,
> On Tue, May 17, 2022 at 7:33 PM Angel R. Gonzalez <angel.gonzalez@uam.es> wrote:
> > Hello,
> > I've a issue when I try log in ovirt-engine manager with a browser. The error message is:
> > PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
> > The ovirt version is 4.4.5.11-1.
> > I follow the next commands for try resolve it.
> > # cp -a /etc/pki/ovirt-engine "/etc/pki/ovirt-engine.$(date "+%Y%m%d")"
> > # SUBJECT="$(openssl x509 -subject -noout -in /etc/pki/ovirt-engine/certs/apache.cer | sed 's/subject= //')"
> > # /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=apache --password="PASSWORD" --subject="${SUBJECT}"
> > # openssl pkcs12 -passin "pass:PASSWORD" -nokeys -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
> > # openssl pkcs12 -passin "pass:PASSWORD" -nocerts -nodes -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/keys/apache.key.nopass
> > # chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass
> > # systemctl restart ovirt-engine.service
> > But after restarting the issue is the same.
> > Any idea?
> Maybe try to restart the apache HTTP Server as well: systemctl restart httpd
> If it still doesn't work then please share the errors within the engine log /var/log/ovirt-engine/engine.log
> Thanks, Sharon
Otherwise you can run engine-setup --offline (it will not change anything on current config and will not try to update any package). Among the answers to give, it will notice that your certificate is expired and you have to answer yes to the question to renew it. After that you should be able to access the engine again.
HIH, Gianluca
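
Added example (not part of the thread and not oVirt project code): the replies above deal with an expired Apache certificate, and the follow-up reports the engine certificate expiring too, so it helps to list the validity of every certificate in the PKI directory before renewing anything. It assumes OpenSSL and GNU date are installed; the function names are hypothetical.

```sh
#!/bin/sh
# Report the validity state of each *.cer file in a certificate directory.

# Convert an "openssl x509 -enddate" line (notAfter=<date>) to epoch seconds.
enddate_to_epoch() {
    date -u -d "${1#notAfter=}" +%s
}

# classify NOT_AFTER_EPOCH NOW_EPOCH WARN_DAYS -> expired | expiring | ok
classify() {
    if [ "$1" -le "$2" ]; then
        echo expired
    elif [ "$1" -le $(( $2 + $3 * 86400 )) ]; then
        echo expiring
    else
        echo ok
    fi
}

# check_certs DIR [WARN_DAYS]: one line per certificate; returns 1 if any is not "ok".
check_certs() {
    dir=$1
    warn=${2:-30}
    now=$(date -u +%s)
    rc=0
    for f in "$dir"/*.cer; do
        [ -e "$f" ] || continue          # glob matched nothing
        if ! line=$(openssl x509 -enddate -noout -in "$f" 2>/dev/null); then
            printf '%-10s %s\n' unreadable "$f"
            rc=1
            continue
        fi
        state=$(classify "$(enddate_to_epoch "$line")" "$now" "$warn")
        printf '%-10s %s  %s\n' "$state" "$f" "$line"
        [ "$state" = ok ] || rc=1
    done
    return $rc
}

# Run only when a directory is given, e.g.: sh check.sh /etc/pki/ovirt-engine/certs
if [ "$#" -gt 0 ]; then
    check_certs "$@"
fi
```

A non-zero exit status means at least one certificate is expired, close to expiry, or unreadable.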

Hi,
thank you very much for your support. I've restarted httpd and the issue is resolved.
But now I've seen that one of the nodes is in NonResponsive mode, another is in Connecting mode, and the system log says:
"Engine's certification has expired at 2022-05-16. Please renew the engine's certification."
Should I run the command engine-setup --offline to renew the engine's certification? Do I have to take any other actions before executing that command? After the engine-setup --offline, will the nodes be up?
Thanks in advance.
Ángel.
On 17/5/22 at 22:23, Gianluca Cecchi wrote:
> On Tue, May 17, 2022 at 7:36 PM Sharon Gratch <sgratch@redhat.com> wrote:
> > Hi,
> > On Tue, May 17, 2022 at 7:33 PM Angel R. Gonzalez <angel.gonzalez@uam.es> wrote:
> > > Hello,
> > > I've a issue when I try log in ovirt-engine manager with a browser. The error message is:
> > > PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
> > > The ovirt version is 4.4.5.11-1.
> > > I follow the next commands for try resolve it.
> > > # cp -a /etc/pki/ovirt-engine "/etc/pki/ovirt-engine.$(date "+%Y%m%d")"
> > > # SUBJECT="$(openssl x509 -subject -noout -in /etc/pki/ovirt-engine/certs/apache.cer | sed 's/subject= //')"
> > > # /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=apache --password="PASSWORD" --subject="${SUBJECT}"
> > > # openssl pkcs12 -passin "pass:PASSWORD" -nokeys -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
> > > # openssl pkcs12 -passin "pass:PASSWORD" -nocerts -nodes -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/keys/apache.key.nopass
> > > # chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass
> > > # systemctl restart ovirt-engine.service
> > > But after restarting the issue is the same.
> > > Any idea?
> > Maybe try to restart the apache HTTP Server as well: systemctl restart httpd
> > If it still doesn't work then please share the errors within the engine log /var/log/ovirt-engine/engine.log
> > Thanks, Sharon
> Otherwise you can run engine-setup --offline (it will not change anything on current config and will not try to update any package) between the answers to give it will notice that your certificate is expired and you have to answer yes to the question to renew it After that you should be able to access the engine again
> HIH, Gianluca
--
Ángel Ramón González Martín
Head of Teaching Laboratories
Edificio Alan Turing, 3rd floor, Office A-313
Phone: 91497 2311
angel.gonzalez@uam.es
Escuela Politécnica Superior
Universidad Autónoma de Madrid
C/ Francisco Tomás y Valiente 11, 28049 Madrid
Before printing this email, consider whether it is necessary. Let's take care of the environment.

Hi Angel, I was wondering if you were able to resolve the issue with the non-responsive hypervisor hosts in the HostedEngine web GUI after running the "engine-setup --offline"? I currently have an expired certificate causing a similar issue and wanted to know if/how you were able to get your Ovirt node to recognize the new cert created? Thank you, Daniel Parraz

Here is the answer: https://access.redhat.com/solutions/3532921
-----Original Message-----
From: Daniel Parraz <danielparraz@gmail.com>
Sent: August 1, 2022 10:27
To: users@ovirt.org
Subject: [ovirt-users] Re: Ovirt-engine , certificate issue
Hi Angel, I was wondering if you were able to resolve the issue with the non-responsive hypervisor hosts in the HostedEngine web GUI after running the "engine-setup --offline"? I currently have an expired certificate causing a similar issue and wanted to know if/how you were able to get your Ovirt node to recognize the new cert created?
Thank you, Daniel Parraz
participants (7)
- adam_xu@adagene.com.cn
- Angel R. Gonzalez
- Daniel Parraz
- david
- Gianluca Cecchi
- Sharon Gratch
- Yedidyah Bar David