[ovirt-users] expired cert for aaa

cmc iucounu at gmail.com
Thu Nov 24 11:58:49 UTC 2016


I ran engine-setup again, but the issue was still present. However, I found
that by using a different browser (Firefox instead of Chrome), I did not
get the error. I cleared the cookies in Chrome and the issue no longer
occurred. So it may well be a browser issue.

Thanks,

C

On Thu, Nov 24, 2016 at 11:22 AM, cmc <iucounu at gmail.com> wrote:

> Interestingly, I just got this same error again after I upgraded (I
> upgraded from 4.0.4 to 4.0.5 to fix the 'internal server error' bug that
> was fixed in 4.0.5)
>
> server_error: The connection reader was unable to successfully complete
> TLS negotiation: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException:
> NotAfter: Fri Nov 04 00:19:18 GMT 2016 caused by java.security.cert.CertificateExpiredException:
> NotAfter: Fri Nov 04 00:19:18 GMT 2016
>
> Shall I send the logs?
>
> On Thu, Nov 24, 2016 at 10:55 AM, Yedidyah Bar David <didi at redhat.com>
> wrote:
>
>> On Thu, Nov 24, 2016 at 12:47 PM, cmc <iucounu at gmail.com> wrote:
>> > Hi Yedidyah,
>> >
>> > Attached are the setup logs, sorry for the delay. I checked all the backup
>> > certs, and the expiry dates were either in 2021 or 2026.
>>
>> Sorry, no idea.
>>
>> This means that all certs generated by engine-setup were ok.
>>
>> Not sure what caused this message. If it happens again, please
>> check the certificate's details, who issued/signed it etc.
>>
>> Best,
>>
>> >
>> > Regards,
>> >
>> > Cam
>> >
>> > On Tue, Nov 8, 2016 at 7:25 AM, Yedidyah Bar David <didi at redhat.com>
>> wrote:
>> >>
>> >> On Mon, Nov 7, 2016 at 9:15 PM, cmc <iucounu at gmail.com> wrote:
>> >> > To reply to my own email:
>> >> >
>> >> > This is now fixed.
>> >> >
>> >> > I originally ran these steps for the upgrade:
>> >> >
>> >> > # yum install http://resources.ovirt.org/pub/yum-repo/ovirt-release40.rpm
>> >> > # yum update "ovirt-engine-setup*"
>> >> > # engine-setup
>> >> >
>> >> > There were no errors reported during the process. I could login as the
>> >> > internal user without any errors. It was just using an external provider,
>> >> > which made me think it was an aaa issue, so I looked
>> >> > at the certificate exported from AD which had an expiry of 2063.
>> >> >
>> >> > I tried running engine-setup again, and this fixed the issue. I have no idea
>> >> > what happened along the way, I will check the logs. I notice it reports:
>> >> >
>> >> > [ INFO  ] Upgrading CA
>> >>
>> >> engine-setup always emits this message. You might find more details in the
>> >> setup logs regarding what it actually did.
>> >>
>> >> >
>> >> > so it looks like it creates a cert. Why it would have created one with such
>> >> > a short expiry date is a mystery to me.
>> >> >
>> >> > Hope this helps anyone who might come across this issue
>> >>
>> >> Thanks for the report!
>> >>
>> >> Can you please share both setup logs? Thanks.
>> >>
>> >> Also, most files should be backed up by engine-setup prior to being
>> >> changed/removed. So you can check the backups. E.g.:
>> >>
>> >> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem.20160120160548 -noout -enddate
>> >> notAfter=May 22 07:32:23 2025 GMT
>> >> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -enddate
>> >> notAfter=Mar  6 09:46:44 2026 GMT
>> >>
>> >> Or,
>> >>
>> >> find /etc/pki/ovirt-engine -name "*.cer*" -o -name "*.pem*" | while read -r file; do echo "$file" "$(openssl x509 -in "$file" -noout -enddate)"; done
>> >>
>> >> Best,
>> >> --
>> >> Didi
>> >
>> >
>>
>>
>>
>> --
>> Didi
>>
>
>
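Added example (not part of the original thread and not oVirt project code): a shell function that extends the `find`/`openssl` one-liner quoted above so that each certificate is also reported with its subject and issuer, and is flagged when it expires within a chosen window. The function name `cert_report` and the window parameter are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: list every certificate file under a directory with its
# expiry date, subject and issuer, and flag those that expire soon.
#
# Usage: cert_report DIR [WINDOW_SECONDS]
#   WINDOW_SECONDS=0 (default) flags only certificates that are already expired.
#   e.g. cert_report /etc/pki/ovirt-engine 2592000   # flag expiry within 30 days
cert_report() {
    local dir="$1" window="${2:-0}" file status

    # Same file patterns as the one-liner in the thread; -print0 / read -d ''
    # keeps file names with spaces intact.
    find "$dir" -type f \( -name '*.cer*' -o -name '*.pem*' \) -print0 |
    while IFS= read -r -d '' file; do
        # Skip files openssl cannot parse as an X.509 certificate
        # (private keys, CSRs, unrelated files that match the pattern).
        openssl x509 -in "$file" -noout 2>/dev/null || continue

        # -checkend N exits non-zero when the certificate's notAfter falls
        # within the next N seconds (N=0: it has already expired).
        if openssl x509 -in "$file" -noout -checkend "$window" >/dev/null 2>&1; then
            status=OK
        else
            status=EXPIRING
        fi

        printf '%s\t%s\n' "$status" "$file"
        # Who the certificate is for and who signed it, indented under the file.
        openssl x509 -in "$file" -noout -enddate -subject -issuer | sed 's/^/    /'
    done
}
```

Lines starting with `EXPIRING` are the ones to compare against the `NotAfter` date in the handshake error.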