[ovirt-users] expired cert for aaa
Yedidyah Bar David
didi at redhat.com
Thu Nov 24 12:50:31 UTC 2016
On Thu, Nov 24, 2016 at 1:58 PM, cmc <iucounu at gmail.com> wrote:
> I ran engine-setup again, but the issue was still present. However, I found
> that by using a different browser (Firefox instead of Chrome), I did not get
> the error. I cleared the cookies in Chrome and the issue no longer occurred.
> So it may well be a browser issue.
Thanks for the report. Adding Alexander in case he wishes to
check/note something.
Best,
>
> Thanks,
>
> C
>
> On Thu, Nov 24, 2016 at 11:22 AM, cmc <iucounu at gmail.com> wrote:
>>
>> Interestingly, I just got this same error again after I upgraded (I
>> upgraded from 4.0.4 to 4.0.5 to fix the 'internal server error' bug that was
>> fixed in 4.0.5)
>>
>> server_error: The connection reader was unable to successfully complete
>> TLS negotiation: javax.net.ssl.SSLHandshakeException:
>> java.security.cert.CertificateExpiredException: NotAfter: Fri Nov 04
>> 00:19:18 GMT 2016 caused by java.security.cert.CertificateExpiredException:
>> NotAfter: Fri Nov 04 00:19:18 GMT 2016
>>
>> Shall I send the logs?
>>
>> On Thu, Nov 24, 2016 at 10:55 AM, Yedidyah Bar David <didi at redhat.com> wrote:
>>>
>>> On Thu, Nov 24, 2016 at 12:47 PM, cmc <iucounu at gmail.com> wrote:
>>> > Hi Yedidyah,
>>> >
>>> > Attached are the setup logs, sorry for the delay. I checked all the backup
>>> > certs, and the expiry dates were either in 2021 or 2026.
>>>
>>> Sorry, no idea.
>>>
>>> This means that all certs generated by engine-setup were ok.
>>>
>>> Not sure what caused this message. If it happens again, please
>>> check the certificate's details, who issued/signed it etc.
>>>
>>> Best,
>>>
>>> >
>>> > Regards,
>>> >
>>> > Cam
>>> >
>>> > On Tue, Nov 8, 2016 at 7:25 AM, Yedidyah Bar David <didi at redhat.com> wrote:
>>> >>
>>> >> On Mon, Nov 7, 2016 at 9:15 PM, cmc <iucounu at gmail.com> wrote:
>>> >> > To reply to my own email:
>>> >> >
>>> >> > This is now fixed.
>>> >> >
>>> >> > I originally ran these steps for the upgrade:
>>> >> >
>>> >> > # yum install http://resources.ovirt.org/pub/yum-repo/ovirt-release40.rpm
>>> >> > # yum update "ovirt-engine-setup*"
>>> >> > # engine-setup
>>> >> >
>>> >> > There were no errors reported during the process. I could login as the
>>> >> > internal user without any errors. It was just using an external provider,
>>> >> > which made me think it was an aaa issue, so I looked
>>> >> > at the certificate exported from AD which had an expiry of 2063.
>>> >> >
>>> >> > I tried running engine-setup again, and this fixed the issue. I have no idea
>>> >> > what happened along the way, I will check the logs. I notice it reports:
>>> >> >
>>> >> > [ INFO ] Upgrading CA
>>> >>
>>> >> engine-setup always emits this message. You might find more details in the
>>> >> setup logs regarding what it actually did.
>>> >>
>>> >> >
>>> >> > so it looks like it creates a cert. Why it would have created one with such
>>> >> > a short expiry date is a mystery to me.
>>> >> >
>>> >> > Hope this helps anyone who might come across this issue
>>> >>
>>> >> Thanks for the report!
>>> >>
>>> >> Can you please share both setup logs? Thanks.
>>> >>
>>> >> Also, most files should be backed up by engine-setup prior to being
>>> >> changed/removed. So you can check the backups. E.g.:
>>> >>
>>> >> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem.20160120160548 -noout -enddate
>>> >> notAfter=May 22 07:32:23 2025 GMT
>>> >> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -enddate
>>> >> notAfter=Mar 6 09:46:44 2026 GMT
>>> >>
>>> >> Or,
>>> >>
>>> >> find /etc/pki/ovirt-engine -name "*.cer*" -o -name "*.pem*" | while read -r file; do echo "$file" $(openssl x509 -in "$file" -noout -enddate); done
>>> >>
>>> >> Best,
>>> >> --
>>> >> Didi
>>> >
>>> >
>>>
>>>
>>>
>>> --
>>> Didi
>>
>>
>
--
Didi
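
Added example, not part of the original thread or of oVirt's own tooling: a variant of the quoted find/openssl loop that also prints issuer and subject (the details the reply asks to check) and flags expired or soon-to-expire certificates. It assumes PEM-encoded files; the function names `cert_status` and `audit_certs` and the 30-day default are hypothetical choices.

```shell
#!/bin/sh
# cert_status FILE [DAYS]
# Prints one word: OK, EXPIRING (within DAYS), EXPIRED, or NOTCERT.
cert_status() {
    file=$1
    days=${2:-30}   # assumed default warning window
    # Private keys and other non-certificate files are often named *.pem;
    # report them as NOTCERT instead of letting openssl print an error.
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo NOTCERT
        return 0
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$file" -noout \
            -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# audit_certs DIR [DAYS]
# Walks DIR (including engine-setup's timestamped backups such as
# ca.pem.20160120160548) and prints status, path, expiry, issuer and subject.
audit_certs() {
    dir=$1
    window=${2:-30}
    find "$dir" -type f \( -name '*.cer*' -o -name '*.pem*' \) |
    while IFS= read -r f; do
        st=$(cert_status "$f" "$window")
        if [ "$st" = NOTCERT ]; then
            continue
        fi
        printf '%s\t%s\n' "$st" "$f"
        openssl x509 -in "$f" -noout -enddate -issuer -subject | sed 's/^/    /'
    done
}

# Run stand-alone as: sh audit.sh /etc/pki/ovirt-engine 30
if [ $# -gt 0 ]; then
    audit_certs "$@"
fi
```

Comparing the issuer line of any EXPIRED entry against the engine CA's subject shows whether the certificate came from engine-setup or from somewhere else, such as the directory server.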