[ovirt-users] Cannot install new host on 4.0, Certificate enrollment failed

Juan Hernández jhernand at redhat.com
Wed Jul 20 08:14:42 UTC 2016


On 07/19/2016 07:59 PM, Matt . wrote:
> Hi,
> 
> Thanks for the heads up, I saw this in some thread too and this file
> was available here with the upcoming number.
> 
> Which rights does the file have?
> 
> I don't have a ca.pem in that cert folder anymore, can that be an issue?
> 

In theory the ca.pem isn't needed to sign certificates, but the fact
that it isn't in that directory probably means that something has been
incorrectly manipulated, either manually or by the system itself. These
are the files/permissions from a working environment:

lrwxrwxrwx. 1 root  root    28 Jul  8 11:34 apache-ca.pem -> /etc/pki/ovirt-engine/ca.pem
-rw-r--r--. 1 root  root   384 Jul  8 11:34 cacert.conf
-rw-r--r--. 1 root  root   384 Jul  8 11:34 cacert.template
-rw-r--r--. 1 root  root   384 Jul 18 20:46 cacert.template.in
-rw-r--r--. 1 root  root  4587 Jul  8 11:34 ca.pem
-rw-r--r--. 1 root  root   923 Jul  8 11:34 cert.conf
drwxr-xr-x. 2 ovirt ovirt 4096 Jul 18 20:46 certs
-rw-r--r--. 1 root  root   923 Jul  8 11:34 cert.template
-rw-r--r--. 1 root  root   717 Jul 18 20:46 cert.template.in
-rw-r--r--. 1 ovirt ovirt  667 Jul  8 11:42 database.txt
-rw-r--r--. 1 ovirt ovirt   20 Jul  8 11:42 database.txt.attr
-rw-r--r--. 1 ovirt ovirt   20 Jul  8 11:42 database.txt.attr.old
-rw-r--r--. 1 ovirt ovirt  599 Jul  8 11:42 database.txt.old
drwxr-xr-x. 2 root  root  4096 Jul 18 20:46 keys
-rw-r--r--. 1 root  root   548 Jul 18 20:46 openssl.conf
drwxr-x---. 2 ovirt ovirt   19 Jul 18 20:46 private
drwxr-xr-x. 2 ovirt ovirt 4096 Jul 18 20:46 requests
-rw-r--r--. 1 ovirt ovirt    5 Jul  8 11:42 serial.txt
-rw-r--r--. 1 ovirt ovirt    5 Jul  8 11:42 serial.txt.old

> 
> 
> 2016-07-19 19:08 GMT+02:00 Juan Hernández <jhernand at redhat.com>:
>> On 07/19/2016 06:16 PM, Matt . wrote:
>>> Can anyone confirm what max. number of subdomains can be used for a
>>> certificate ?
>>>
>>> The length of 65 per subdomain should be default.
>>>
>>> 2016-07-19 15:06 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>>>> It's the fqdn indeed, not its hostname.
>>>>
>>>> Fqdn should be possible I thought as discussed before in the channel
>>>> (while ago).
>>>>
>>>> 2016-07-19 15:04 GMT+02:00 Yaniv Kaul <ykaul at redhat.com>:
>>>>>
>>>>> On Tue, Jul 19, 2016 at 3:43 PM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>>>>
>>>>>>
>>>>>> kvm-01.hosts.services-01.clusters.mycluster-01.dc.ovirt.subdomain.dc-01.dc.my.network
>>>>>
>>>>>
>>>>> Is this the name of the host? perhaps it's a bit too long?
>>>>> Y.
>>
>> Not sure if this is relevant, but I had the same problem today, and the
>> cause was that the /etc/pki/ovirt-engine/serial.txt file was empty, and
>> openssl refused to open it. I wrote manually a number inside, taking the
>> value from /etc/pki/ovirt-engine/serial.txt.old (plus one), and then
>> things started to work.
>>
>> --
>> Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
>> 3ºD, 28016 Madrid, Spain
>> Registered in the Madrid Mercantile Registry – C.I.F. B82657941 - Red Hat S.L.


-- 
Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Registered in the Madrid Mercantile Registry – C.I.F. B82657941 - Red Hat S.L.
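
The empty serial.txt failure quoted above can be detected before an enrollment attempt. The following is an added example, not part of the original message or of oVirt: the function names are hypothetical, and it assumes the serial file holds a single hex number small enough for shell arithmetic and that "plus one" is meant in hex.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes the openssl serial file holds
# one hex number small enough for shell arithmetic.

# check_serial FILE: prints ok, missing, empty or invalid
check_serial() {
    f=$1
    [ -e "$f" ] || { echo missing; return 1; }
    [ -s "$f" ] || { echo empty; return 1; }   # the failure described above
    s=$(head -n 1 "$f" | tr -d '[:space:]')
    case $s in
        ''|*[!0-9A-Fa-f]*) echo invalid; return 1 ;;
    esac
    echo ok
}

# next_serial OLDFILE: prints the old value plus one, as uppercase hex
next_serial() {
    old=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case $old in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    n=$(printf '%X' $(( 0x$old + 1 )))
    # keep an even number of hex digits (assumption: openssl expects this)
    [ $(( ${#n} % 2 )) -eq 0 ] || n="0$n"
    echo "$n"
}

# report DIR: read-only check of DIR/serial.txt; never writes to the CA directory
report() {
    dir=$1
    state=$(check_serial "$dir/serial.txt") && { echo "serial.txt: ok"; return 0; }
    echo "serial.txt: $state"
    if next=$(next_serial "$dir/serial.txt.old"); then
        echo "suggested: $next"
    else
        echo "suggested: none (serial.txt.old unusable)"
    fi
    return 1
}
```

Calling `report /etc/pki/ovirt-engine` on the engine host prints the state of serial.txt and, when it is unusable, the value derived from serial.txt.old; it only reads files, so any restore remains a deliberate manual step.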


