<div dir="ltr"><div><div>Hi Yedidyah,<br></div><div><br>Attached are the setup logs, sorry for the delay. I checked all the backup certs, and the expiry dates were either in 2021 or 2026.<br><br></div>Regards,<br><br></div>Cam<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Nov 8, 2016 at 7:25 AM, Yedidyah Bar David <span dir="ltr"><<a href="mailto:didi@redhat.com" target="_blank">didi@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Mon, Nov 7, 2016 at 9:15 PM, cmc <<a href="mailto:iucounu@gmail.com">iucounu@gmail.com</a>> wrote:<br>
> To reply to my own email:<br>
><br>
> This is now fixed.<br>
><br>
> I originally ran these steps for the upgrade:<br>
><br>
> # yum install <a href="http://resources.ovirt.org/pub/yum-repo/ovirt-release40.rpm" rel="noreferrer" target="_blank">http://resources.ovirt.org/<wbr>pub/yum-repo/ovirt-release40.<wbr>rpm</a><br>
> # yum update "ovirt-engine-setup*"<br>
> # engine-setup<br>
><br>
> There were no errors reported during the process. I could login as the<br>
> internal user without any errors. It was just using an external provider,<br>
> which made me think it was an aaa issue, so I looked<br>
> at the certificate exported from AD which had an expiry of 2063.<br>
><br>
> I tried running engine-setup again, and this fixed the issue. I have no idea<br>
> what happened along the way, I will check the logs. I notice it reports:<br>
><br>
> [ INFO ] Upgrading CA<br>
<br>
</span>engine-setup always emits this message. You might find more details in the<br>
setup logs regarding what it actually did.<br>
<span class=""><br>
><br>
> so it looks like it creates a cert. Why it would have created one with such<br>
> a short expiry date is a mystery to me.<br>
><br>
> Hope this helps anyone who might come across this issue<br>
<br>
</span>Thanks for the report!<br>
<br>
Can you please share both setup logs? Thanks.<br>
<br>
Also, most files should be backed up by engine-setup prior to being<br>
changed/removed. So you can check the backups. E.g.:<br>
<br>
# openssl x509 -in /etc/pki/ovirt-engine/ca.pem.<wbr>20160120160548 -noout -enddate<br>
notAfter=May 22 07:32:23 2025 GMT<br>
# openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -enddate<br>
notAfter=Mar 6 09:46:44 2026 GMT<br>
<br>
Or,<br>
<br>
find /etc/pki/ovirt-engine -name "*.cer*" -o -name "*.pem*" | while<br>
read file; do echo $file $(openssl x509 -in $file -noout -enddate);<br>
done<br>
<br>
Best,<br>
<span class="HOEnZb"><font color="#888888">--<br>
Didi<br>
</font></span></blockquote></div><br></div>