[ovirt-users] expired cert for aaa

Yedidyah Bar David didi at redhat.com
Thu Nov 24 10:55:14 UTC 2016


On Thu, Nov 24, 2016 at 12:47 PM, cmc <iucounu at gmail.com> wrote:
> Hi Yedidyah,
>
> Attached are the setup logs, sorry for the delay. I checked all the backup
> certs, and the expiry dates were either in 2021 or 2026.

Sorry, no idea.

This means that all certs generated by engine-setup were ok.

Not sure what caused this message. If it happens again, please
check the certificate's details, who issued/signed it etc.

Best,

>
> Regards,
>
> Cam
>
> On Tue, Nov 8, 2016 at 7:25 AM, Yedidyah Bar David <didi at redhat.com> wrote:
>>
>> On Mon, Nov 7, 2016 at 9:15 PM, cmc <iucounu at gmail.com> wrote:
>> > To reply to my own email:
>> >
>> > This is now fixed.
>> >
>> > I originally ran these steps for the upgrade:
>> >
>> > # yum install http://resources.ovirt.org/pub/yum-repo/ovirt-release40.rpm
>> > # yum update "ovirt-engine-setup*"
>> > # engine-setup
>> >
>> > There were no errors reported during the process. I could log in as the
>> > internal user without any errors. It was just using an external provider,
>> > which made me think it was an aaa issue, so I looked
>> > at the certificate exported from AD which had an expiry of 2063.
>> >
>> > I tried running engine-setup again, and this fixed the issue. I have no idea
>> > what happened along the way, I will check the logs. I notice it reports:
>> >
>> > [ INFO  ] Upgrading CA
>>
>> engine-setup always emits this message. You might find more details in the
>> setup logs regarding what it actually did.
>>
>> >
>> > so it looks like it creates a cert. Why it would have created one with such
>> > a short expiry date is a mystery to me.
>> >
>> > Hope this helps anyone who might come across this issue
>>
>> Thanks for the report!
>>
>> Can you please share both setup logs? Thanks.
>>
>> Also, most files should be backed up by engine-setup prior to being
>> changed/removed. So you can check the backups. E.g.:
>>
>> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem.20160120160548 -noout -enddate
>> notAfter=May 22 07:32:23 2025 GMT
>> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -enddate
>> notAfter=Mar  6 09:46:44 2026 GMT
>>
>> Or,
>>
>> find /etc/pki/ovirt-engine -name "*.cer*" -o -name "*.pem*" | while read -r file; do echo "$file" "$(openssl x509 -in "$file" -noout -enddate)"; done
>>
>> Best,
>> --
>> Didi
>
>



-- 
Didi
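
Added example, not part of the original thread and not oVirt's own tooling: one way to follow the advice above and check each certificate's subject, issuer and expiry in one pass, skipping key files that also match *.pem*. The function names and the 30-day warning window are assumptions; the default directory is the one used in the thread.

```shell
#!/bin/sh
# cert_status FILE [DAYS] -> prints EXPIRED, EXPIRING, OK or NOTCERT.
# DAYS is the warning window (assumed default: 30).
cert_status() {
    file=$1; days=${2:-30}
    # Private keys and other non-certificate files fail to parse as X.509.
    openssl x509 -in "$file" -noout >/dev/null 2>&1 || { echo NOTCERT; return 0; }
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# cert_report [DIR] [DAYS] -> status, path, then subject/issuer/notAfter
# for every certificate found, including engine-setup's timestamped backups.
cert_report() {
    dir=${1:-/etc/pki/ovirt-engine}; days=${2:-30}
    find "$dir" -type f \( -name '*.cer*' -o -name '*.pem*' \) |
    while IFS= read -r f; do
        st=$(cert_status "$f" "$days")
        if [ "$st" = NOTCERT ]; then
            continue
        fi
        printf '%s\t%s\n' "$st" "$f"
        # The issuer line shows who signed the certificate.
        openssl x509 -in "$f" -noout -subject -issuer -enddate | sed 's/^/    /'
    done
}

# Run only when arguments are given, e.g.: sh certs.sh /etc/pki/ovirt-engine 30
if [ "$#" -gt 0 ]; then
    cert_report "$@"
fi
```

A certificate presented by an external provider (such as the AD one mentioned in the thread) will not be under this directory, so point the first argument at wherever that exported certificate is stored.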


