<div dir="ltr"><div>Interestingly, I just got this same error again after I upgraded (I upgraded from 4.0.4 to 4.0.5 to fix the 'internal server error' bug that was fixed in 4.0.5)<br><br>server_error: The connection reader was unable to successfully complete TLS negotiation: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Fri Nov 04 00:19:18 GMT 2016 caused by java.security.cert.CertificateExpiredException: NotAfter: Fri Nov 04 00:19:18 GMT 2016<br><br></div>Shall I send the logs?<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 24, 2016 at 10:55 AM, Yedidyah Bar David <span dir="ltr"><<a href="mailto:didi@redhat.com" target="_blank">didi@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Thu, Nov 24, 2016 at 12:47 PM, cmc <<a href="mailto:iucounu@gmail.com">iucounu@gmail.com</a>> wrote:<br>
> Hi Yedidyah,<br>
><br>
> Attached are the setup logs, sorry for the delay. I checked all the backup<br>
> certs, and the expiry dates were either in 2021 or 2026.<br>
<br>
</span>Sorry, no idea.<br>
<br>
This means that all certs generated by engine-setup were ok.<br>
<br>
Not sure what caused this message. If it happens again, please<br>
check the certificate's details, who issued/signed it etc.<br>
<br>
Best,<br>
<div class="HOEnZb"><div class="h5"><br>
><br>
> Regards,<br>
><br>
> Cam<br>
><br>
> On Tue, Nov 8, 2016 at 7:25 AM, Yedidyah Bar David <<a href="mailto:didi@redhat.com">didi@redhat.com</a>> wrote:<br>
>><br>
>> On Mon, Nov 7, 2016 at 9:15 PM, cmc <<a href="mailto:iucounu@gmail.com">iucounu@gmail.com</a>> wrote:<br>
>> > To reply to my own email:<br>
>> ><br>
>> > This is now fixed.<br>
>> ><br>
>> > I originally ran these steps for the upgrade:<br>
>> ><br>
>> > # yum install <a href="http://resources.ovirt.org/pub/yum-repo/ovirt-release40.rpm" rel="noreferrer" target="_blank">http://resources.ovirt.org/pub/yum-repo/ovirt-release40.rpm</a><br>
>> > # yum update "ovirt-engine-setup*"<br>
>> > # engine-setup<br>
>> ><br>
>> > There were no errors reported during the process. I could log in as the<br>
>> > internal user without any errors. It was just using an external provider,<br>
>> > which made me think it was an aaa issue, so I looked<br>
>> > at the certificate exported from AD which had an expiry of 2063.<br>
>> ><br>
>> > I tried running engine-setup again, and this fixed the issue. I have no idea<br>
>> > what happened along the way, I will check the logs. I notice it reports:<br>
>> ><br>
>> > [ INFO ] Upgrading CA<br>
>><br>
>> engine-setup always emits this message. You might find more details in the<br>
>> setup logs regarding what it actually did.<br>
>><br>
>> ><br>
>> > so it looks like it creates a cert. Why it would have created one with such<br>
>> > a short expiry date is a mystery to me.<br>
>> ><br>
>> > Hope this helps anyone who might come across this issue<br>
>><br>
>> Thanks for the report!<br>
>><br>
>> Can you please share both setup logs? Thanks.<br>
>><br>
>> Also, most files should be backed up by engine-setup prior to being<br>
>> changed/removed. So you can check the backups. E.g.:<br>
>><br>
>> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem.20160120160548 -noout -enddate<br>
>> notAfter=May 22 07:32:23 2025 GMT<br>
>> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -enddate<br>
>> notAfter=Mar 6 09:46:44 2026 GMT<br>
>><br>
>> Or,<br>
>><br>
>> find /etc/pki/ovirt-engine -name "*.cer*" -o -name "*.pem*" | while read -r file; do echo "$file" $(openssl x509 -in "$file" -noout -enddate); done<br>
>><br>
>> Best,<br>
>> --<br>
>> Didi<br>
><br>
><br>
<br>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
Didi<br>
</font></span></blockquote></div><br></div>
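<div>Added example, not part of the original thread: a shell version of the backup check suggested above that also prints the issuer ("who issued/signed it") and flags files that are expired or close to expiry. The function names and the 30-day default window are assumptions of this example; the only OpenSSL calls used are openssl x509 with -checkend, -enddate and -issuer.</div>

```shell
#!/bin/sh
# Added example: classify certificates under a directory by expiry and show
# who issued them. Function names and the default window are hypothetical.

# cert_status FILE [WINDOW_SECONDS]
# Prints one of: EXPIRED, EXPIRING (within the window), OK, UNREADABLE.
cert_status() {
    file=$1
    window=${2:-2592000}   # 30 days; assumed default, not an oVirt setting
    # Not every *.pem holds a certificate (it may be a key or a CSR).
    openssl x509 -in "$file" -noout >/dev/null 2>&1 || { echo UNREADABLE; return 0; }
    # -checkend N exits non-zero when the cert is past notAfter N seconds from now.
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$file" -noout -checkend "$window" >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# cert_report DIR [WINDOW_SECONDS]
# One tab-separated line per matching file: status, path, notAfter, issuer.
cert_report() {
    dir=$1
    window=${2:-2592000}
    find "$dir" -type f \( -name '*.cer*' -o -name '*.pem*' \) | sort |
    while IFS= read -r file; do
        status=$(cert_status "$file" "$window")
        if [ "$status" = UNREADABLE ]; then
            printf '%s\t%s\n' "$status" "$file"
            continue
        fi
        end=$(openssl x509 -in "$file" -noout -enddate)
        issuer=$(openssl x509 -in "$file" -noout -issuer)
        printf '%s\t%s\t%s\t%s\n' "$status" "$file" "$end" "$issuer"
    done
}

# Usage against the directory named in the thread:
#   cert_report /etc/pki/ovirt-engine
```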