[ovirt-users] ERROR [org.ovirt.vdsm.jsonrpc.client.reactors.Reactor] (SSL Stomp Reactor) [] Unable to process messages

Sandro Bonazzola sbonazzo at redhat.com
Mon Jul 25 15:27:10 UTC 2016


On Mon, Jul 25, 2016 at 11:40 AM, Piotr Kliczewski <piotr.kliczewski at gmail.com> wrote:

> I remember an issue where an engine upgrade corrupted certificates, and
> "General SSLEngine problem" may be an indication that you saw it.
> I asked to open BZ for it but was unable to find it.
>
> @Sandro @Simone was it fixed already?
>

I've vague memories of something related being fixed, but without a bug
number I can't tell for sure.
Adding also Didi, since ssl / pki is his area and he may be aware.




>
> On Thu, Jul 21, 2016 at 3:18 PM, Martin Perina <mperina at redhat.com> wrote:
> > Thanks a lot for your effort, I'm glad that you were able to upgrade
> > successfully although we were not able to find the cause for the issue :-(
> >
> > On Thu, Jul 21, 2016 at 2:30 PM, <nicolas at devels.es> wrote:
> >>
> >> So I gave it another try and this time it worked without any issue (with
> >> 4.0.1.1 version). Strange, maybe the first upgrade failure left system in a
> >> weird state? Anyhow almost everything ([1]) is working fine now. Thanks for
> >> the help!
> >>
> >>   [1]: https://bugzilla.redhat.com/show_bug.cgi?id=1358737
> >
> >
> > Adding Tomas about this one
> >
> >>
> >>
> >> On 2016-07-20 20:23, Martin Perina wrote:
> >>>
> >>> On Wed, Jul 20, 2016 at 6:18 PM, Nicolás <nicolas at devels.es> wrote:
> >>>
> >>>> On 20/07/16 at 16:45, Martin Perina wrote:
> >>>>
> >>>> On Wed, Jul 20, 2016 at 4:44 PM, Nicolás <nicolas at devels.es> wrote:
> >>>>
> >>>> Hi Martin,
> >>>>
> >>>> Actually, up until now we had that cert configured in httpd and in
> >>>> websocket proxy. Seems that now in 4.0.x it's not enough, as opening
> >>>> the https://fqdn [1] complains about the cert not being imported in
> >>>> the key chain.
> >>>>
> >>>> Yes, there's an updated procedure on using external CA in 4.0,
> >>>> for details please take a look at Doc Text in
> >>>>
> >>>> https://bugzilla.redhat.com/show_bug.cgi?id=1336838 [2]
> >>>>
> >>>> So I imported it via keytool, but I don't want to use it in the
> >>>> engine <-> VDSM communication.
> >>>>
> >>>> Hmm, so that would imply that we have some issue with existing
> >>>> internal engine CA during upgrade ...
> >>>>
> >>>> The strange thing is that we test upgrades a lot but so far we
> >>>> haven't seen any issues which would break SSL setup between engine
> >>>> and VDSM. You said that you had to downgrade back to 3.6.7 (so
> >>>> unfortunately for us we cannot investigate your nonworking setup
> >>>> more), but how did you do that?
> >>>>
> >>>> Removing all engine packages and configuration, installing back
> >>>> 3.6.7 packaging and restoring configuration from backup?
> >>>>
> >>>> I'm asking to know what changed in your setup between not working
> >>>> 4.0 and working 3.6.7 ...
> >>>
> >>>
> >>>  Indeed, those are the steps I followed to the point.
> >>>
> >>>  To add more strangeness, previously to upgrading this oVirt
> >>> infrastructure, we upgraded another one that we have (also using own
> >>> cert, a different one but from the same CA) and everything went
> >>> smoothly. And what's more, previously to upgrading the engine that
> >>> failed, I created a copy of that engine machine in a sandbox
> >>> environment to see if upgrade process would succeed or not, and it
> >>> worked perfectly.
> >>>
> >>>  The only difference between the sandbox and the real machine's
> >>> process was that when upgrading the real one, the first time I ran
> >>> "engine-setup" it failed because 'systemd' reported PostgreSQL as
> >>> not running (actually it was, though), so everything rolled back.
> >>> I had to kill the PostgreSQL process, start it again with systemctl
> >>> and then run "engine-setup", where the process completed successfully
> >>> but the SSL issue appeared. Not sure if this rollback could have
> >>> shattered the whole thing...
> >>>
> >>>  Anyhow, tomorrow I'm going to create another copy of the engine
> >>> machine to a sandbox environment and try again. If it works I'll cross
> >>> my fingers and give another try on the real machine...
> >>>
> >>>  Thanks!
> >>>
> >>> Thanks a lot for your effort. I will try to perform the same upgrade
> >>> tomorrow in my test env.
> >>>
> >>>
> >>>> Thanks
> >>>>
> >>>> Martin
> >>>>
> >>>> Thanks!
> >>>> On 20/7/2016 2:48 p.m., Martin Perina <mperina at redhat.com> wrote:
> >>>>
> >>>> Hi,
> >>>>
> >>>> Sorry for the late response, I overlooked your reply :-(
> >>>>
> >>>> I looked at your logs and it seems to me that there's SSL
> >>>> error when engine tries to contact VDSM.
> >>>>
> >>>> You have mentioned that you are using your own custom CA. Are
> >>>> you using it only for HTTPS certificate or do you want to use it
> >>>> also for Engine <-> VDSM communication?
> >>>>
> >>>>
> >>>> Martin Perina
> >>>>
> >>>>
> >>>>
> >>>> On Wed, Jul 20, 2016 at 9:18 AM, <nicolas at devels.es> wrote:
> >>>> Any hints about this?
> >>>>
> >>>> On 2016-07-13 11:13, nicolas at devels.es wrote:
> >>>> Hi,
> >>>>
> >>>> Unfortunately, upgrading to 4.0.1RC didn't solve the problem.
> >>>> Actually, the error changed to 'General SSLEngine problem', but the
> >>>> result was the same, like this:
> >>>>
> >>>> 2016-07-13 09:52:22,010 INFO [org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (SSL Stomp Reactor) [] Connecting to /10.X.X.X
> >>>> 2016-07-13 09:52:22,018 ERROR [org.ovirt.vdsm.jsonrpc.client.reactors.Reactor] (SSL Stomp Reactor) [] Unable to process messages: General SSLEngine problem
> >>>>
> >>>> It's worth mentioning that we're using our own SSL certificates
> >>>> (not self-signed), and I imported the combined certificate into the
> >>>> /etc/pki/ovirt-engine/.truststore key file. Not sure if related,
> >>>> but just in case.
> >>>
> >>>
> >>>> I had to downgrade to 3.6.7. I'm attaching requested logs, if you
> >>>> need anything else don't hesitate to ask.
> >>>>
> >>>> Regards.
> >>>>
> >>>> On 2016-07-13 09:45, Martin Perina wrote:
> >>>> Hi,
> >>>>
> >>>> could you please share also vdsm.log from your hosts and also
> >>>> server.log and setup logs from /var/log/ovirt-engine/setup
> >>>> directory?
> >>>>
> >>>> Thanks
> >>>>
> >>>> Martin Perina
> >>>>
> >>>> On Wed, Jul 13, 2016 at 10:36 AM, <nicolas at devels.es> wrote:
> >>>>
> >>>> Hi,
> >>>>
> >>>> We upgraded from 3.6.6 to 4.0.0 and we have a big issue since the
> >>>> engine cannot connect to hosts. In the logs all we see is this
> >>>> error:
> >>>>
> >>>>     ERROR [org.ovirt.vdsm.jsonrpc.client.reactors.Reactor] (SSL Stomp Reactor) [] Unable to process messages
> >>>>
> >>>> I'm attaching full logs.
> >>>>
> >>>> Could someone help please?
> >>>>
> >>>> Thanks.
> >>>> _______________________________________________
> >>>> Users mailing list
> >>>> Users at ovirt.org
> >>>> http://lists.ovirt.org/mailman/listinfo/users [3] [1]
> >>>>
> >>>> Links:
> >>>> ------
> >>>> [1] http://lists.ovirt.org/mailman/listinfo/users [3]
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Links:
> >>> ------
> >>> [1] https://fqdn
> >>> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1336838
> >>> [3] http://lists.ovirt.org/mailman/listinfo/users
> >
> >
> >
> >
>



-- 
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com