[Users] ovirt-engine certs

Alon Bar-Lev alonbl at redhat.com
Tue Mar 11 07:27:00 UTC 2014


3.1 upgrade was never actually supported if I remember correctly, so you may experience other issues as well.

But you can try the following sequence:

1. Move all hosts into maintenance via webadmin.

2. Stop ovirt-engine.

3. Backup your computer and database.

4. Remove /etc/pki/ovirt-engine/ca.pem

5. Run engine-setup.

6. Set new administrator password:

# engine-config -s AdminPassword=interactive

7. Restart ovirt-engine

8. Re-install all hosts via webadmin.

----- Original Message -----
> From: "Thomas Scofield" <tscofield at gmail.com>
> To: "users" <users at ovirt.org>
> Sent: Tuesday, March 11, 2014 7:13:27 AM
> Subject: [Users] ovirt-engine certs
> 
> 
> 
> How can I regenerate the ovirt engine CA certs and corresponding vdsm certs?
> I have an ovirt setup that I’m upgrading from 3.2.0 (from the dre repos) to
> 3.2.3 and I am getting the certificate errors listed below after the
> upgrade. I have done this same upgrade on an number of other ovirt-engines
> with no issue. The setup had originally been installed with ovirt 3.1 so it
> possible that some of the certificate configurations from 3.1 are still
> present on this ovirt-engine and it is contributing to the problem. For
> example, I noticed that the /etc/pki/ovirt-engine/cacert.conf file on this
> troublesome upgrade has “default_bits = rsa:1024”, but the systems that
> upgraded successfully have “default_bits = rsa:2048”. The same is true for
> the cert.conf file.
> 
> 
> 
> Engine.log
> 
> 2014-03-10 17:10:28,954 ERROR
> [org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo]
> (DefaultQuartzScheduler_Worker-2) vds::refreshVdsStats Failed getVdsStats,
> vds = a7459d21-b5a6-4330-9897-f2018c9a1776 : vm1, error =
> VDSNetworkException: javax.net.ssl.SSLHandshakeException: Received fatal
> alert: bad_certificate
> 
> 
> 
> Vdsm.log
> 
> BindingXMLRPC::ERROR::2014-03-10
> 20:58:00,871::SecureXMLRPCServer::97::root::(verify) invalid client
> certificate with subject "/C=US/O=
> example.com/CN=CA-ovirt1.example.com.30758 "
> 
> BindingXMLRPC::ERROR::2014-03-10
> 20:58:00,872::BindingXMLRPC::72::vds::(threaded_start) xml-rpc handler
> exception
> 
> Traceback (most recent call last):
> 
> File "/usr/share/vdsm/BindingXMLRPC.py", line 68, in threaded_start
> 
> self.server.handle_request()
> 
> File "/usr/lib64/python2.6/SocketServer.py", line 268, in handle_request
> 
> self._handle_request_noblock()
> 
> File "/usr/lib64/python2.6/SocketServer.py", line 278, in
> _handle_request_noblock
> 
> request, client_address = self.get_request()
> 
> File "/usr/lib64/python2.6/SocketServer.py", line 446, in get_request
> 
> return self.socket.accept()
> 
> File "/usr/lib64/python2.6/site-packages/vdsm/SecureXMLRPCServer.py", line
> 116, in accept
> 
> client, address = self.connection.accept()
> 
> File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Connection.py", line
> 167, in accept
> 
> ssl.accept_ssl()
> 
> File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Connection.py", line
> 156, in accept_ssl
> 
> return m2.ssl_accept(self.ssl, self._timeout)
> 
> SSLError: no certificate returned
> 
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 



More information about the Users mailing list