[ovirt-users] expired cert for aaa

Yedidyah Bar David didi at redhat.com
Tue Nov 8 07:25:35 UTC 2016


On Mon, Nov 7, 2016 at 9:15 PM, cmc <iucounu at gmail.com> wrote:
> To reply to my own email:
>
> This is now fixed.
>
> I originally ran these steps for the upgrade:
>
> # yum install http://resources.ovirt.org/pub/yum-repo/ovirt-release40.rpm
> # yum update "ovirt-engine-setup*"
> # engine-setup
>
> There were no errors reported during the process. I could log in as the
> internal user without any errors. It was just using an external provider,
> which made me think it was an aaa issue, so I looked
> at the certificate exported from AD which had an expiry of 2063.
>
> I tried running engine-setup again, and this fixed the issue. I have no idea
> what happened along the way, I will check the logs. I notice it reports:
>
> [ INFO  ] Upgrading CA

engine-setup always emits this message. You might find more details in the
setup logs regarding what it actually did.

>
> so it looks like it creates a cert. Why it would have created one with such
> a short expiry date is a mystery to me.
>
> Hope this helps anyone who might come across this issue

Thanks for the report!

Can you please share both setup logs? Thanks.

Also, most files should be backed up by engine-setup prior to being
changed/removed. So you can check the backups. E.g.:

# openssl x509 -in /etc/pki/ovirt-engine/ca.pem.20160120160548 -noout -enddate
notAfter=May 22 07:32:23 2025 GMT
# openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -enddate
notAfter=Mar  6 09:46:44 2026 GMT

Or,

find /etc/pki/ovirt-engine -name "*.cer*" -o -name "*.pem*" | while read -r file; do
    echo "$file" "$(openssl x509 -in "$file" -noout -enddate)"
done

Best,
-- 
Didi
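
The backup check described in the message above, extended into a small script that also flags certificates that are already expired or close to expiry. This is an added example, not part of the original message or of oVirt; the function names cert_status and scan_pki and the 30-day default threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report expiry for every certificate under a PKI directory,
# including engine-setup's timestamped backups (e.g. ca.pem.20160120160548),
# and flag any that are expired or expire within WARN_DAYS.

# cert_status FILE WARN_DAYS -> prints EXPIRED, EXPIRING, OK or NOTCERT
cert_status() {
    file=$1
    warn_secs=$(( $2 * 86400 ))
    # Files matching *.pem* may hold private keys rather than certificates.
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo NOTCERT
    # -checkend N exits non-zero if the certificate expires within N seconds.
    elif ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$file" -noout -checkend "$warn_secs" >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# scan_pki DIR WARN_DAYS -> one line per file: STATUS<TAB>notAfter<TAB>path
scan_pki() {
    find "$1" -type f \( -name '*.cer*' -o -name '*.pem*' \) |
    while IFS= read -r f; do
        st=$(cert_status "$f" "$2")
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
        printf '%s\t%s\t%s\n' "$st" "${end:--}" "$f"
    done
}

# Usage: sh check-certs.sh /etc/pki/ovirt-engine [WARN_DAYS]
# (check-certs.sh is a hypothetical file name; WARN_DAYS defaults to 30.)
if [ "$#" -gt 0 ]; then
    scan_pki "$1" "${2:-30}"
fi
```
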


