[ovirt-users] expired cert for aaa
cmc
iucounu at gmail.com
Thu Nov 24 11:22:32 UTC 2016
Interestingly, I just got this same error again after I upgraded (I
upgraded from 4.0.4 to 4.0.5 to fix the 'internal server error' bug that
was fixed in 4.0.5)
server_error: The connection reader was unable to successfully complete TLS
negotiation: javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateExpiredException: NotAfter: Fri Nov 04
00:19:18 GMT 2016 caused by java.security.cert.CertificateExpiredException:
NotAfter: Fri Nov 04 00:19:18 GMT 2016
Shall I send the logs?
On Thu, Nov 24, 2016 at 10:55 AM, Yedidyah Bar David <didi at redhat.com>
wrote:
> On Thu, Nov 24, 2016 at 12:47 PM, cmc <iucounu at gmail.com> wrote:
> > Hi Yedidyah,
> >
> > Attached are the setup logs, sorry for the delay. I checked all the backup
> > certs, and the expiry dates were either in 2021 or 2026.
>
> Sorry, no idea.
>
> This means that all certs generated by engine-setup were ok.
>
> Not sure what caused this message. If it happens again, please
> check the certificate's details, who issued/signed it etc.
>
> Best,
>
> >
> > Regards,
> >
> > Cam
> >
> > On Tue, Nov 8, 2016 at 7:25 AM, Yedidyah Bar David <didi at redhat.com> wrote:
> >>
> >> On Mon, Nov 7, 2016 at 9:15 PM, cmc <iucounu at gmail.com> wrote:
> >> > To reply to my own email:
> >> >
> >> > This is now fixed.
> >> >
> >> > I originally ran these steps for the upgrade:
> >> >
> >> > # yum install http://resources.ovirt.org/pub/yum-repo/ovirt-release40.rpm
> >> > # yum update "ovirt-engine-setup*"
> >> > # engine-setup
> >> >
> >> > There were no errors reported during the process. I could login as the
> >> > internal user without any errors. It was just using an external provider,
> >> > which made me think it was an aaa issue, so I looked
> >> > at the certificate exported from AD which had an expiry of 2063.
> >> >
> >> > I tried running engine-setup again, and this fixed the issue. I have no idea
> >> > what happened along the way, I will check the logs. I notice it reports:
> >> >
> >> > [ INFO ] Upgrading CA
> >>
> >> engine-setup always emits this message. You might find more details in the
> >> setup logs regarding what it actually did.
> >>
> >> >
> >> > so it looks like it creates a cert. Why it would have created one with such
> >> > a short expiry date is a mystery to me.
> >> >
> >> > Hope this helps anyone who might come across this issue
> >>
> >> Thanks for the report!
> >>
> >> Can you please share both setup logs? Thanks.
> >>
> >> Also, most files should be backed up by engine-setup prior to being
> >> changed/removed. So you can check the backups. E.g.:
> >>
> >> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem.20160120160548 -noout -enddate
> >> notAfter=May 22 07:32:23 2025 GMT
> >> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -enddate
> >> notAfter=Mar 6 09:46:44 2026 GMT
> >>
> >> Or,
> >>
> >> find /etc/pki/ovirt-engine -name "*.cer*" -o -name "*.pem*" | while read -r file; do echo "$file" "$(openssl x509 -in "$file" -noout -enddate)"; done
> >>
> >> Best,
> >> --
> >> Didi
> >
> >
>
>
>
> --
> Didi
>
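
The backup check suggested in the thread, extended as an added example (not part of the original messages and not oVirt tooling): for each certificate file it prints a status plus notAfter, issuer and subject, so an expired or soon-to-expire certificate and its signer can be identified in one pass. The function names and the 30-day default warning window are assumptions.

```shell
#!/bin/sh
# Added example: classify certificate files by expiry and show who signed them.

# cert_status FILE [WINDOW_SECONDS]
# Prints UNREADABLE, EXPIRED, EXPIRING (inside the window) or OK.
cert_status() {
    local file="$1" window="${2:-2592000}"   # 30 days, an assumed default
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo UNREADABLE                      # not an X.509 certificate
    elif ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED                         # notAfter is already in the past
    elif ! openssl x509 -in "$file" -noout -checkend "$window" >/dev/null 2>&1; then
        echo EXPIRING                        # notAfter falls inside the window
    else
        echo OK
    fi
}

# cert_field FILE OPTION
# Prints the value of one field; OPTION is -enddate, -issuer or -subject.
cert_field() {
    openssl x509 -in "$1" -noout "$2" 2>/dev/null | sed 's/^[^=]*=[[:space:]]*//'
}

# scan_certs DIR [WINDOW_SECONDS]
# One tab-separated line per file: status, path, notAfter, issuer, subject.
scan_certs() {
    local dir="$1" window="${2:-2592000}" file status
    find "$dir" -type f \( -name '*.cer*' -o -name '*.pem*' \) -print |
    while IFS= read -r file; do
        status=$(cert_status "$file" "$window")
        if [ "$status" = UNREADABLE ]; then
            printf '%s\t%s\n' "$status" "$file"
            continue
        fi
        printf '%s\t%s\tnotAfter=%s\tissuer=%s\tsubject=%s\n' \
            "$status" "$file" \
            "$(cert_field "$file" -enddate)" \
            "$(cert_field "$file" -issuer)" \
            "$(cert_field "$file" -subject)"
    done
}
```

Call it as `scan_certs /etc/pki/ovirt-engine` on the engine host. Only the first certificate in each file is examined, which is how `openssl x509` reads its input.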