No subject

Sun Jan 20 21:10:45 EST 2013

Have you run the engine-upgrade utility?
If you did not, please run it.
If you did, please attach logs from /var/log/ovirt-engine/ovirt-engine-upgrade*


----- Original Message -----
> From: "Chris Smith" <whitehat237 at>
> To: Users at
> Sent: Sunday, April 7, 2013 5:09:46 AM
> Subject: [Users] Certificates and PKI seem to be broken after yum update
> I have lost the ability to manage the hosts or VMs using ovirt
> engine web interface after performing yum update on the ovirt-engine
> host, and on one Fedora 17 host.  The data center is offline, and I
> can't place the hosts into maintenance mode.  I don't think that there
> are any actions I can perform in the web interface at all.
> From the logs it seems that PKI is broken between the engine and the hosts.
> I am wondering how I can restore or re-generate all of the
> certificates and get the hosts communicating with the ovirt-engine
> again so that I can bring the data center back online.
> I found this page which deals with changing the engine hostname, and
> thus re-creating the certificates and keystore on the ovirt-engine
> node, and was wondering if this could help.  Could I follow this
> process but keep the same hostname for the ovirt-engine node?
> Currently I have 3 VMs running on two hosts.  The VMs are up, but I
> can't do anything with them in ovirt-engine.
> Here's the latest activity from engine.log from the ovirt-engine node:
> 2013-04-06 21:58:47,472 ERROR
> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
> (QuartzScheduler_Worker-61) Failed to
> /etc/pki/ovirt-engine/.keystore
> (Permission denied)
> 2013-04-06 21:58:47,478 ERROR
> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
> (QuartzScheduler_Worker-62) Can't load keystore from file
> "/etc/pki/ovirt-engine/.keystore".:
> /etc/pki/ovirt-engine/.keystore (Permission denied)
>         at Method)
>         [rt.jar:1.7.0_09-icedtea]
>         at<init>(
> [rt.jar:1.7.0_09-icedtea]
>         at
>         org.ovirt.engine.core.engineencryptutils.EncryptionUtils.getKeyStore(
> [engine-encryptutils.jar:]
>         at
>         org.ovirt.engine.core.engineencryptutils.EncryptionUtils.decrypt(
> [engine-encryptutils.jar:]
>         at
>         org.ovirt.engine.core.dao.VdsStaticDAODbFacadeImpl.decryptPassword(
> [engine-dal.jar:]
>         at
>         org.ovirt.engine.core.dao.VdsDAODbFacadeImpl$VdsRowMapper.mapRow(
> [engine-dal.jar:]
>         at
>         org.ovirt.engine.core.dao.VdsDAODbFacadeImpl$VdsRowMapper.mapRow(
> [engine-dal.jar:]
>         at
>         org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(
> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>         at
>         org.springframework.jdbc.core.JdbcTemplate$1.doInPreparedStatement(
> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>         at
>         org.springframework.jdbc.core.JdbcTemplate.execute(
> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>         at
>         org.springframework.jdbc.core.JdbcTemplate.query(
> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>         at
>         org.springframework.jdbc.core.JdbcTemplate.query(
> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>         at
>         org.springframework.jdbc.core.JdbcTemplate.query(
> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>         at
>         org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall.executeCallInternal(
> [engine-dal.jar:]
>         at
>         org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall.doExecute(
> [engine-dal.jar:]
>         at
>         org.springframework.jdbc.core.simple.SimpleJdbcCall.execute(
> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>         at
>         org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeImpl(
> [engine-dal.jar:]
>         at
>         org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeReadAndReturnMap(
> [engine-dal.jar:]
>         at
>         org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeReadList(
> [engine-dal.jar:]
>         at
>         org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeRead(
> [engine-dal.jar:]
>         at
>         org.ovirt.engine.core.dao.VdsDAODbFacadeImpl.get(
> [engine-dal.jar:]
>         at
>         org.ovirt.engine.core.dao.VdsDAODbFacadeImpl.get(
> [engine-dal.jar:]
>         at
>         org.ovirt.engine.core.vdsbroker.VdsManager$1.runInTransaction(
> [engine-vdsbroker.jar:]
>         at
>         org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInSuppressed(
> [engine-utils.jar:]
>         at
>         org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInScope(
> [engine-utils.jar:]
>         at
>         org.ovirt.engine.core.vdsbroker.VdsManager.OnTimer(
> [engine-vdsbroker.jar:]
>         at sun.reflect.GeneratedMethodAccessor13.invoke(Unknown
> Source) [:1.7.0_09-icedtea]
>         at
>         sun.reflect.DelegatingMethodAccessorImpl.invoke(
> [rt.jar:1.7.0_09-icedtea]
>         at java.lang.reflect.Method.invoke(
> [rt.jar:1.7.0_09-icedtea]
>         at
>         org.ovirt.engine.core.utils.timer.JobWrapper.execute(
> [engine-scheduler.jar:]
>         at
>         [quartz.jar:]
>         at
>         org.quartz.simpl.SimpleThreadPool$
> [quartz.jar:]
> 2013-04-06 21:58:47,576 ERROR
> [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand]
> (QuartzScheduler_Worker-61) XML RPC error in command
> GetCapabilitiesVDS ( Vds: defiant ), the error was:
> java.util.concurrent.ExecutionException:
> java.lang.reflect.InvocationTargetException,
> SSLPeerUnverifiedException: peer not authenticated
> 2013-04-06 21:58:47,606 ERROR
> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
> (QuartzScheduler_Worker-62) Failed to
> /etc/pki/ovirt-engine/.keystore
> (Permission denied)
> 2013-04-06 21:58:47,671 ERROR
> [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand]
> (QuartzScheduler_Worker-62) XML RPC error in command
> GetCapabilitiesVDS ( Vds: transporter ), the error was:
> java.util.concurrent.ExecutionException:
> java.lang.reflect.InvocationTargetException,
> SSLPeerUnverifiedException: peer not authenticated
> Here's the message I seem to get over and over on the Fedora 17 host in
> vdsm.log
> SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL
> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> Thread-562520::ERROR::2013-04-06
> 22:08:44,268::SecureXMLRPCServer::73::root::(handle_error) client
> ('', 36127)
> Traceback (most recent call last):
>   File "/usr/lib64/python2.7/", line 582, in
> process_request_thread
>     self.finish_request(request, client_address)
>   File "/usr/lib/python2.7/site-packages/vdsm/",
> line 66, in finish_request
>     request.do_handshake()
>   File "/usr/lib64/python2.7/", line 305, in do_handshake
>     self._sslobj.do_handshake()
> I'm also wondering about the permission denied on the .keystore
> directory.  What should the permissions be?  Here's what they are
> currently.
> [root at reliant pki]# ls -ldZ /etc/pki/ovirt-engine/.keystore
> -rwxr-x---. root root unconfined_u:object_r:cert_t:s0
> /etc/pki/ovirt-engine/.keystore
> I also seem to have a backup of the ovirt-engine directory at the time
> the update was performed, but replacing ovirt-engine with the backup
> does no good.
> I appreciate any assistance, and please let me know what other
> information I can post to help with this.
> Thanks
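
An added example, not part of either message and not oVirt project code: a shell check that takes an `ls -ldZ` line in the format quoted above and applies the kernel's owner/group/other class selection to show which accounts can read the keystore. The function names are hypothetical, and the non-root account and group name `ovirt` are assumptions not stated in the thread. The SELinux context is parsed but not evaluated.

```shell
#!/bin/sh
# Added example. Discretionary (mode-bit) check only; SELinux policy can still
# deny a read that the mode bits allow.

# read_class MODE OWNER GROUP USER "GROUP LIST"
# Prints the permission class the kernel applies to USER and returns 0 only
# if that class carries the read bit. Exactly one class is ever consulted.
read_class() {
    local mode="$1" owner="$2" group="$3" user="$4" g
    # root bypasses mode bits for reads (CAP_DAC_OVERRIDE)
    if [ "$user" = root ]; then echo root-override; return 0; fi
    if [ "$user" = "$owner" ]; then
        echo owner
        case $mode in ?r*) return 0 ;; *) return 1 ;; esac
    fi
    for g in $5; do
        if [ "$g" = "$group" ]; then
            echo group
            case $mode in ????r*) return 0 ;; *) return 1 ;; esac
        fi
    done
    echo other
    case $mode in ???????r*) return 0 ;; *) return 1 ;; esac
}

# check_listing "LS LINE" USER "GROUP LIST"
# Splits a line of the form "MODE OWNER GROUP CONTEXT PATH" and runs read_class.
check_listing() {
    local line="$1" user="$2" memberships="$3"
    set -f; set -- $line; set +f   # split on whitespace without globbing
    read_class "$1" "$2" "$3" "$user" "$memberships"
}

# Constructed from the listing quoted in the post (wrapped line joined).
LISTING='-rwxr-x---. root root unconfined_u:object_r:cert_t:s0 /etc/pki/ovirt-engine/.keystore'

# Assumption: the engine process runs as non-root account "ovirt", group "ovirt".
for acct in root ovirt; do
    if cls=$(check_listing "$LISTING" "$acct" "ovirt"); then
        echo "$acct: read allowed (class: $cls)"
    else
        echo "$acct: read denied (class: $cls)"
    fi
done
```

With root:root ownership and mode `rwxr-x---`, any account that is neither root nor in group root falls into the "other" class, which has no read bit.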
