[ovirt-users] Stuck at "Enrolling serial console certificate"

Tue Aug 25 14:40:07 UTC 2015

On 08/21/2015 11:02 PM, Juan Hernández wrote:
> On 08/21/2015 12:22 PM, Sahina Bose wrote:
>>
>> On 08/21/2015 03:50 PM, Alon Bar-Lev wrote:
>>> Interesting.
>>>
>>> Please execute manually:
>>>
>>> # /usr/share/ovirt-engine/bin/pki-enroll-openssh-cert.sh --name=rhsdev9.lab.eng.blr.redhat.com-ssh --host --id=rhsdev9.lab.eng.blr.redhat.com --principals=rhsdev9.lab.eng.blr.redhat.com --days=1825
>>
>> It returns immediately with:
>> [root at dhcp43-86 ~]#
>> /usr/share/ovirt-engine/bin/pki-enroll-openssh-cert.sh
>> --name=rhsdev9.lab.eng.blr.redhat.com-ssh --host
>> --id=rhsdev9.lab.eng.blr.redhat.com
>> --principals=rhsdev9.lab.eng.blr.redhat.com --days=1825
>> Signed host key
>> /etc/pki/ovirt-engine/certs/rhsdev9.lab.eng.blr.redhat.com-ssh-cert.pub:
>> id "rhsdev9.lab.eng.blr.redhat.com" serial 0 for
>> rhsdev9.lab.eng.blr.redhat.com valid from 2015-08-21T02:51:27 to
>> 2020-08-19T03:51:27
>>
>>
> Check your SELinux log file. Most probably SELinux is blocking some
> access to the generated files, and then ssh-keygen is asking
> interactively, and thus blocking for ever.

Thanks, Juan. I do see some AVC denial errors, but am yet to try with 
SELinux disabled. Will do so and report back.

/var/log/audit/audit.log:type=AVC msg=audit(1440108177.899:9542): avc:  
denied  { open } for  pid=11827 comm="ssh-keygen" 
path="/tmp/tmp.KlPjsec4X3" dev="dm-0" ino=102401913 
scontext=system_u:system_r:ssh_keygen_t:s0 
tcontext=system_u:object_r:init_tmp_t:s0 tclass=file

ovirt    11827 11821  0 Aug21 ?        00:00:00 ssh-keygen -s 
/tmp/tmp.KlPjsec4X3 -I rhsdev9.lab.eng.blr.redhat.com -h -V -1h:+1825d 
-n rhsdev9.lab.eng.blr.redhat.com 
/etc/pki/ovirt-engine/certs/rhsdev9.lab.eng.blr.redhat.com-ssh.pub

>
>>> let's see what happens.
>>>
>>> ----- Original Message -----
>>>> From: "Sahina Bose" <sabose at redhat.com>
>>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>>>> Cc: "users" <users at ovirt.org>
>>>> Sent: Friday, August 21, 2015 1:15:03 PM
>>>> Subject: Re: [ovirt-users] Stuck at "Enrolling serial console certificate"
>>>>
>>>>
>>>>
>>>> On 08/21/2015 02:58 PM, Alon Bar-Lev wrote:
>>>>> the only thing I can think of is that your engine is out of random, so it
>>>>> waits for more to be able to generate a new key.
>>>>> please while this is happening, execute: "find /" or anything that will
>>>>> create some activity.
>>>>> if that's not helping, please send me "ps -efa" output so at least I see
>>>>> what is running.
>>>>> thanks!
>>>> output of ps -efa
>>>>
>>>> http://fpaste.org/257513/44015204/
>>>>
>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Sahina Bose" <sabose at redhat.com>
>>>>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>>>>>> Cc: "users" <users at ovirt.org>
>>>>>> Sent: Friday, August 21, 2015 12:23:11 PM
>>>>>> Subject: Re: [ovirt-users] Stuck at "Enrolling serial console certificate"
>>>>>>
>>>>>> Attached engine.log and host-deploy.log
>>>>>>
>>>>>>
>>>>>> On 08/21/2015 02:29 PM, Alon Bar-Lev wrote:
>>>>>>> Log would be nice.
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Sahina Bose" <sabose at redhat.com>
>>>>>>>> To: "users" <users at ovirt.org>
>>>>>>>> Sent: Friday, August 21, 2015 11:27:56 AM
>>>>>>>> Subject: [ovirt-users] Stuck at "Enrolling serial console certificate"
>>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> While installing a host to ovirt-3.6 engine, the host installation is
>>>>>>>> stuck at "Enrolling serial console certificate"
>>>>>>>>
>>>>>>>> I installed the engine from ovirt-release36, and answered No to setting
>>>>>>>> up WebConsole-proxy as well as VM Console proxy on the engine.
>>>>>>>>
>>>>>>>> Does anyone know how to debug this?
>>>>>>>>
>>>>>>>> thanks
>>>>>>>> sahina
>>>>>>>> _______________________________________________
>>>>>>>> Users mailing list
>>>>>>>> Users at ovirt.org
>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>>
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>