<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 20, 2016 at 4:44 PM, Nicolás <span dir="ltr"><<a href="mailto:nicolas@devels.es" target="_blank">nicolas@devels.es</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi Martin,<br>
</div><div dir="ltr"><br>
</div><div dir="ltr">Actually, up until now we had that cert configured in httpd and in websocket proxy. Seems that now in 4.0.x it's not enough, as opening the <a href="https://fqdn" target="_blank">https://fqdn</a> complains about the cert not being imported in the key chain. </div></blockquote><div><br><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;display:inline">Yes, there's an updated procedure on using external CA in 4.0, for details please take a look at Doc Text in<br><br><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1336838">https://bugzilla.redhat.com/show_bug.cgi?id=1336838</a><br></div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">So I imported it via keytool, but I don't want to use it in the engine <-> VDSM communication.<br></div></blockquote><div><br><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;display:inline">Hmm, so that would imply that we have some issue with existing internal engine CA during upgrade ...<br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;display:inline">The strange thing is that we test upgrades a lot but so far we haven't seen any issues which would break<br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;display:inline">SSL setup between engine and VDSM. 
You said that you had to downgrade back to 3.6.7 (so unfortunately for us we cannot investigate your nonworking setup more), but how did you do that?<br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;display:inline">Removing all engine packages and configuration, installing back 3.6.7 packaging and restoring configuration from backup?<br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;display:inline">I'm asking to know what changed in your setup between not working 4.0 and working 3.6.7 ...<br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;display:inline">Thanks<br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;display:inline">Martin<br><br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">
</div><div dir="ltr"><br>
</div><div dir="ltr">Thanks!</div><div>On 20/7/2016 2:48 p. m., Martin Perina <<a href="mailto:mperina@redhat.com" target="_blank">mperina@redhat.com</a>> wrote:<br type="attribution"><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-family:arial,helvetica,sans-serif">Hi,<br><br></div><div style="font-family:arial,helvetica,sans-serif">sorry for the late response, I overlooked your reply :-(<br><br></div><div class="gmail_extra"><div style="font-family:arial,helvetica,sans-serif">I looked at your logs and it seems to me that there's an SSL error when engine tries to contact VDSM.<br></div><div style="font-family:arial,helvetica,sans-serif;display:inline">You have mentioned that you are using your own custom CA. Are you using it only for HTTPS certificate or do you want to use it also for Engine <-> VDSM communication?<br><br></div><div style="font-family:arial,helvetica,sans-serif;display:inline">Martin Perina<br></div><div style="font-family:arial,helvetica,sans-serif"> <br></div><br><div class="gmail_quote">On Wed, Jul 20, 2016 at 9:18 AM, <span dir="ltr"><<a href="mailto:nicolas@devels.es" target="_blank">nicolas@devels.es</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Any hints about this?<br>
<br>
On 2016-07-13 11:13, <a href="mailto:nicolas@devels.es" target="_blank">nicolas@devels.es</a> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Hi,<br>
<br>
Unfortunately, upgrading to 4.0.1RC didn't solve the problem.<br>
Actually, the error changed to 'General SSLEngine problem', but the<br>
result was the same, like this:<br>
<br>
2016-07-13 09:52:22,010 INFO<br>
[org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (SSL Stomp<br>
Reactor) [] Connecting to /10.X.X.X<br>
2016-07-13 09:52:22,018 ERROR<br>
[org.ovirt.vdsm.jsonrpc.client.reactors.Reactor] (SSL Stomp Reactor)<br>
[] Unable to process messages: General SSLEngine problem<br>
<br>
It's worth mentioning that we're using our own SSL certificates (not<br>
self-signed), and I imported the combined certificate into the<br>
/etc/pki/ovirt-engine/.truststore key file. Not sure if related, but<br>
just in case.<br></blockquote></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
I had to downgrade to 3.6.7. I'm attaching requested logs, if you need<br>
anything else don't hesitate to ask.<br>
<br>
Regards.<br>
<br>
On 2016-07-13 09:45, Martin Perina wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Hi,<br>
<br>
could you please share also vdsm.log from your hosts and also<br>
server.log and setup logs from /var/log/ovirt-engine/setup directory?<br>
<br>
Thanks<br>
<br>
Martin Perina<br>
<br>
On Wed, Jul 13, 2016 at 10:36 AM, <<a href="mailto:nicolas@devels.es" target="_blank">nicolas@devels.es</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Hi,<br>
<br>
We upgraded from 3.6.6 to 4.0.0 and we have a big issue since the<br>
engine cannot connect to hosts. In the logs all we see is this<br>
error:<br>
<br>
ERROR [org.ovirt.vdsm.jsonrpc.client.reactors.Reactor] (SSL<br>
Stomp Reactor) [] Unable to process messages<br>
<br>
I'm attaching full logs.<br>
<br>
Could someone help please?<br>
<br>
Thanks.<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a> [1]<br>
</blockquote>
<br>
<br>
<br>
Links:<br>
------<br>
[1] <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
</blockquote>
<br>
</blockquote>
</blockquote></div><br></div></div>
</blockquote></div></blockquote></div><br></div></div>