<div dir="ltr">Hi Piotr,<div><br></div><div>Thank you for the information.</div><div><br></div><div>It looks like something has expired looking in the server.log now that debug is enabled.</div><div><br></div><div><div>2017-09-22 09:35:26,462 INFO  [stdout] (MSC service thread 1-4)   Version: V3</div><div>2017-09-22 09:35:26,464 INFO  [stdout] (MSC service thread 1-4)   Subject: CN=<a href="http://engine01.mydomain.za">engine01.mydomain.za</a>, O=mydomain, C=US</div><div>2017-09-22 09:35:26,467 INFO  [stdout] (MSC service thread 1-4)   Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5</div><div>2017-09-22 09:35:26,471 INFO  [stdout] (MSC service thread 1-4) </div><div>2017-09-22 09:35:26,472 INFO  [stdout] (MSC service thread 1-4)   Key:  Sun RSA public key, 1024 bits</div><div>2017-09-22 09:35:26,474 INFO  [stdout] (MSC service thread 1-4)   modulus: 96670613185023785772001656613227416922514371649313203413281121371175732119596513752882171306045450346018887835032223373125981220753972276294203593174404470265593368091683564110524316403260121331609213962612618181708680331850541390318868926054438078223371655800890725486783860059873397983318033852172060923531</div><div>2017-09-22 09:35:26,476 INFO  [stdout] (MSC service thread 1-4)   public exponent: 65537</div><div>2017-09-22 09:35:26,477 INFO  [stdout] (MSC service thread 1-4)   Validity: [From: Sun Oct 14 22:26:46 SAST 2012,</div><div>2017-09-22 09:35:26,478 INFO  [stdout] (MSC service thread 1-4)                To: Tue Sep 19 18:26:49 SAST 2017]</div><div>2017-09-22 09:35:26,479 INFO  [stdout] (MSC service thread 1-4)   Issuer: CN=CA-engine01.mydomain.za.47472, O=mydomain, C=US</div><div><br></div></div><div>Any idea how I can generate a new one and what cert it is that&#39;s expired?</div><div><br></div><div>Please see the attached log for more info.</div><div><br></div><div>Thank you so much for your assistance.</div><div><br></div><div>Regards.</div><div><br></div><div>Neil 
Wilson.</div><div><br></div><div><br></div><div><br></div><div><br><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 21, 2017 at 8:41 PM, Piotr Kliczewski <span dir="ltr">&lt;<a href="mailto:piotr.kliczewski@gmail.com" target="_blank">piotr.kliczewski@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Neil,<br>
<br>
It seems that your engine certificate(s) is/are not ok. I would<br>
suggest to enable ssl debug in the engine by:<br>
- add &#39;-Djavax.net.debug=all&#39; to ovirt-engine.py file here [1].<br>
- restart your engine<br>
- check your server.log and check what is the issue.<br>
<br>
Hopefully we will be able to understand what happened in your setup.<br>
<br>
Thanks,<br>
Piotr<br>
<br>
[1] <a href="https://github.com/oVirt/ovirt-engine/blob/master/packaging/services/ovirt-engine/ovirt-engine.py#L341" rel="noreferrer" target="_blank">https://github.com/oVirt/<wbr>ovirt-engine/blob/master/<wbr>packaging/services/ovirt-<wbr>engine/ovirt-engine.py#L341</a><br>
<div class="HOEnZb"><div class="h5"><br>
On Thu, Sep 21, 2017 at 4:42 PM, Neil &lt;<a href="mailto:nwilson123@gmail.com">nwilson123@gmail.com</a>&gt; wrote:<br>
&gt; Further to the logs sent, on the nodes I&#39;m also seeing the following error<br>
&gt; under /var/log/messages...<br>
&gt;<br>
&gt; Sep 20 03:43:12 node01 vdsm root ERROR invalid client certificate with<br>
&gt; subject &quot;/C=US/O=UKDM/CN=<a href="http://engine01.mydomain.za" rel="noreferrer" target="_blank">engine01.<wbr>mydomain.za</a>&quot;^C<br>
&gt; Sep 20 03:43:12 node01 vdsm vds ERROR xml-rpc handler exception#012Traceback<br>
&gt; (most recent call last):#012  File &quot;/usr/share/vdsm/<wbr>BindingXMLRPC.py&quot;, line<br>
&gt; 80, in threaded_start#012    self.server.handle_request()#<wbr>012  File<br>
&gt; &quot;/usr/lib64/python2.6/<wbr>SocketServer.py&quot;, line 278, in handle_request#012<br>
&gt; self._handle_request_noblock()<wbr>#012  File<br>
&gt; &quot;/usr/lib64/python2.6/<wbr>SocketServer.py&quot;, line 288, in<br>
&gt; _handle_request_noblock#012    request, client_address =<br>
&gt; self.get_request()#012  File &quot;/usr/lib64/python2.6/<wbr>SocketServer.py&quot;, line<br>
&gt; 456, in get_request#012    return self.socket.accept()#012  File<br>
&gt; &quot;/usr/lib64/python2.6/site-<wbr>packages/vdsm/<wbr>SecureXMLRPCServer.py&quot;, line 136,<br>
&gt; in accept#012    raise SSL.SSLError(&quot;%s, client %s&quot; % (e,<br>
&gt; address[0]))#012SSLError: no certificate returned, client 10.251.193.5<br>
&gt;<br>
&gt; Not sure if this is any further help in diagnosing the issue?<br>
&gt;<br>
&gt; Thanks, any assistance is appreciated.<br>
&gt;<br>
&gt; Regards.<br>
&gt;<br>
&gt; Neil Wilson.<br>
&gt;<br>
&gt;<br>
&gt; On Thu, Sep 21, 2017 at 4:31 PM, Neil &lt;<a href="mailto:nwilson123@gmail.com">nwilson123@gmail.com</a>&gt; wrote:<br>
&gt;&gt;<br>
&gt;&gt; Hi Piotr,<br>
&gt;&gt;<br>
&gt;&gt; Thank you for the reply. After sending the email I did go and check the<br>
&gt;&gt; engine one too....<br>
&gt;&gt;<br>
&gt;&gt; [root@engine01 /]# openssl x509 -in /etc/pki/ovirt-engine/ca.pem -enddate<br>
&gt;&gt; -noout<br>
&gt;&gt; notAfter=Oct 13 16:26:46 2022 GMT<br>
&gt;&gt;<br>
&gt;&gt; I&#39;m not sure if this one below is meant to verify or if this output is<br>
&gt;&gt; expected?<br>
&gt;&gt;<br>
&gt;&gt; [root@engine01 /]# openssl x509 -in /etc/pki/ovirt-engine/private/<wbr>ca.pem<br>
&gt;&gt; -enddate -noout<br>
&gt;&gt; unable to load certificate<br>
&gt;&gt; 140642165552968:error:<wbr>0906D06C:PEM routines:PEM_read_bio:no start<br>
&gt;&gt; line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE<br>
&gt;&gt;<br>
&gt;&gt; My date is correct too Thu Sep 21 16:30:15 SAST 2017<br>
&gt;&gt;<br>
&gt;&gt; Any ideas?<br>
&gt;&gt;<br>
&gt;&gt; Googling surprisingly doesn&#39;t come up with much.<br>
&gt;&gt;<br>
&gt;&gt; Thank you.<br>
&gt;&gt;<br>
&gt;&gt; Regards.<br>
&gt;&gt;<br>
&gt;&gt; Neil Wilson.<br>
&gt;&gt;<br>
&gt;&gt; On Thu, Sep 21, 2017 at 4:16 PM, Piotr Kliczewski<br>
&gt;&gt; &lt;<a href="mailto:piotr.kliczewski@gmail.com">piotr.kliczewski@gmail.com</a>&gt; wrote:<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; Neil,<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; You checked both nodes what about the engine? Can you check engine certs?<br>
&gt;&gt;&gt; You can find more info where they are located here [1].<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; Thanks,<br>
&gt;&gt;&gt; Piotr<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; [1]<br>
&gt;&gt;&gt; <a href="https://www.ovirt.org/develop/release-management/features/infra/pki/#ovirt-engine" rel="noreferrer" target="_blank">https://www.ovirt.org/develop/<wbr>release-management/features/<wbr>infra/pki/#ovirt-engine</a><br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; On Thu, Sep 21, 2017 at 3:26 PM, Neil &lt;<a href="mailto:nwilson123@gmail.com">nwilson123@gmail.com</a>&gt; wrote:<br>
&gt;&gt;&gt; &gt; Hi guys,<br>
&gt;&gt;&gt; &gt;<br>
&gt;&gt;&gt; &gt; Please could someone assist, my cluster is down and I can&#39;t access my<br>
&gt;&gt;&gt; &gt; vm&#39;s<br>
&gt;&gt;&gt; &gt; to switch some of them back on.<br>
&gt;&gt;&gt; &gt;<br>
&gt;&gt;&gt; &gt; I&#39;m seeing the following error in the engine.log however I&#39;ve checked<br>
&gt;&gt;&gt; &gt; my<br>
&gt;&gt;&gt; &gt; certs on my hosts (as some of the Google results said to check), but<br>
&gt;&gt;&gt; &gt; the<br>
&gt;&gt;&gt; &gt; certs haven&#39;t expired...<br>
&gt;&gt;&gt; &gt;<br>
&gt;&gt;&gt; &gt;<br>
&gt;&gt;&gt; &gt; 2017-09-21 15:09:45,077 ERROR<br>
&gt;&gt;&gt; &gt; [org.ovirt.engine.core.<wbr>vdsbroker.vdsbroker.<wbr>GetCapabilitiesVDSCommand]<br>
&gt;&gt;&gt; &gt; (DefaultQuartzScheduler_<wbr>Worker-4) Command<br>
&gt;&gt;&gt; &gt; GetCapabilitiesVDSCommand(<wbr>HostName<br>
&gt;&gt;&gt; &gt; = <a href="http://node02.mydomain.za" rel="noreferrer" target="_blank">node02.mydomain.za</a>, HostId = d2debdfe-76e7-40cf-a7fd-<wbr>78a0f50f14d4,<br>
&gt;&gt;&gt; &gt; vds=Host[<a href="http://node02.mydomain.za" rel="noreferrer" target="_blank">node02.mydomain.za</a>]) execution failed. Exception:<br>
&gt;&gt;&gt; &gt; VDSNetworkException: javax.net.ssl.<wbr>SSLHandshakeException: Received<br>
&gt;&gt;&gt; &gt; fatal<br>
&gt;&gt;&gt; &gt; alert: certificate_expired<br>
&gt;&gt;&gt; &gt; 2017-09-21 15:09:45,086 ERROR<br>
&gt;&gt;&gt; &gt; [org.ovirt.engine.core.<wbr>vdsbroker.vdsbroker.<wbr>GetCapabilitiesVDSCommand]<br>
&gt;&gt;&gt; &gt; (DefaultQuartzScheduler_<wbr>Worker-10) Command<br>
&gt;&gt;&gt; &gt; GetCapabilitiesVDSCommand(<wbr>HostName = <a href="http://node01.mydomain.za" rel="noreferrer" target="_blank">node01.mydomain.za</a>, HostId =<br>
&gt;&gt;&gt; &gt; b108549c-1700-11e2-b936-<wbr>9f5243b8ce13, vds=Host[<a href="http://node01.mydomain.za" rel="noreferrer" target="_blank">node01.mydomain.za</a>])<br>
&gt;&gt;&gt; &gt; execution failed. Exception: VDSNetworkException:<br>
&gt;&gt;&gt; &gt; javax.net.ssl.<wbr>SSLHandshakeException: Received fatal alert:<br>
&gt;&gt;&gt; &gt; certificate_expired<br>
&gt;&gt;&gt; &gt; 2017-09-21 15:09:48,173 ERROR<br>
&gt;&gt;&gt; &gt;<br>
&gt;&gt;&gt; &gt; My engine and host info is below...<br>
&gt;&gt;&gt; &gt;<br>
&gt;&gt;&gt; &gt; [root@engine01 ovirt-engine]# rpm -qa | grep -i ovirt<br>
&gt;&gt;&gt; &gt; ovirt-engine-lib-3.4.0-1.el6.<wbr>noarch<br>
&gt;&gt;&gt; &gt; ovirt-engine-restapi-3.4.0-1.<wbr>el6.noarch<br>
&gt;&gt;&gt; &gt; ovirt-engine-setup-plugin-<wbr>ovirt-engine-3.4.0-1.el6.<wbr>noarch<br>
&gt;&gt;&gt; &gt; ovirt-engine-3.4.0-1.el6.<wbr>noarch<br>
&gt;&gt;&gt; &gt; ovirt-engine-setup-plugin-<wbr>websocket-proxy-3.4.0-1.el6.<wbr>noarch<br>
&gt;&gt;&gt; &gt; ovirt-host-deploy-java-1.2.0-<wbr>1.el6.noarch<br>
&gt;&gt;&gt; &gt; ovirt-engine-setup-3.4.0-1.<wbr>el6.noarch<br>
&gt;&gt;&gt; &gt; ovirt-host-deploy-1.2.0-1.el6.<wbr>noarch<br>
&gt;&gt;&gt; &gt; ovirt-engine-backend-3.4.0-1.<wbr>el6.noarch<br>
&gt;&gt;&gt; &gt; ovirt-image-uploader-3.4.0-1.<wbr>el6.noarch<br>
&gt;&gt;&gt; &gt; ovirt-engine-tools-3.4.0-1.<wbr>el6.noarch<br>
&gt;&gt;&gt; &gt; ovirt-engine-sdk-python-3.4.0.<wbr>7-1.el6.noarch<br>
&gt;&gt;&gt; &gt; ovirt-engine-webadmin-portal-<wbr>3.4.0-1.el6.noarch<br>
&gt;&gt;&gt; &gt; ovirt-engine-cli-3.4.0.5-1.<wbr>el6.noarch<br>
&gt;&gt;&gt; &gt; ovirt-engine-setup-base-3.4.0-<wbr>1.el6.noarch<br>
&gt;&gt;&gt; &gt; ovirt-iso-uploader-3.4.0-1.<wbr>el6.noarch<br>
&gt;&gt;&gt; &gt; ovirt-engine-userportal-3.4.0-<wbr>1.el6.noarch<br>
&gt;&gt;&gt; &gt; ovirt-log-collector-3.4.1-1.<wbr>el6.noarch<br>
&gt;&gt;&gt; &gt; ovirt-engine-websocket-proxy-<wbr>3.4.0-1.el6.noarch<br>
&gt;&gt;&gt; &gt; ovirt-engine-setup-plugin-<wbr>ovirt-engine-common-3.4.0-1.<wbr>el6.noarch<br>
&gt;&gt;&gt; &gt; ovirt-engine-dbscripts-3.4.0-<wbr>1.el6.noarch<br>
&gt;&gt;&gt; &gt; [root@engine01 ovirt-engine]# cat /etc/redhat-release<br>
&gt;&gt;&gt; &gt; CentOS release 6.5 (Final)<br>
&gt;&gt;&gt; &gt;<br>
&gt;&gt;&gt; &gt;<br>
&gt;&gt;&gt; &gt; [root@node02 ~]# openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.<wbr>pem<br>
&gt;&gt;&gt; &gt; -enddate<br>
&gt;&gt;&gt; &gt; -noout ; date<br>
&gt;&gt;&gt; &gt; notAfter=May 27 08:36:17 2019 GMT<br>
&gt;&gt;&gt; &gt; Thu Sep 21 15:18:22 SAST 2017<br>
&gt;&gt;&gt; &gt; CentOS release 6.5 (Final)<br>
&gt;&gt;&gt; &gt; [root@node02 ~]# rpm -qa | grep vdsm<br>
&gt;&gt;&gt; &gt; vdsm-4.14.6-0.el6.x86_64<br>
&gt;&gt;&gt; &gt; vdsm-python-4.14.6-0.el6.x86_<wbr>64<br>
&gt;&gt;&gt; &gt; vdsm-cli-4.14.6-0.el6.noarch<br>
&gt;&gt;&gt; &gt; vdsm-xmlrpc-4.14.6-0.el6.<wbr>noarch<br>
&gt;&gt;&gt; &gt; vdsm-python-zombiereaper-4.14.<wbr>6-0.el6.noarch<br>
&gt;&gt;&gt; &gt;<br>
&gt;&gt;&gt; &gt;<br>
&gt;&gt;&gt; &gt; [root@node01 ~]# openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.<wbr>pem<br>
&gt;&gt;&gt; &gt; -enddate<br>
&gt;&gt;&gt; &gt; -noout ; date<br>
&gt;&gt;&gt; &gt; notAfter=Jun 13 16:09:41 2018 GMT<br>
&gt;&gt;&gt; &gt; Thu Sep 21 15:18:52 SAST 2017<br>
&gt;&gt;&gt; &gt; CentOS release 6.5 (Final)<br>
&gt;&gt;&gt; &gt; [root@node01 ~]# rpm -qa | grep -i vdsm<br>
&gt;&gt;&gt; &gt; vdsm-4.14.6-0.el6.x86_64<br>
&gt;&gt;&gt; &gt; vdsm-xmlrpc-4.14.6-0.el6.<wbr>noarch<br>
&gt;&gt;&gt; &gt; vdsm-cli-4.14.6-0.el6.noarch<br>
&gt;&gt;&gt; &gt; vdsm-python-zombiereaper-4.14.<wbr>6-0.el6.noarch<br>
&gt;&gt;&gt; &gt; vdsm-python-4.14.6-0.el6.x86_<wbr>64<br>
&gt;&gt;&gt; &gt;<br>
&gt;&gt;&gt; &gt; Please could I have some assistance, I&#39;m rather desperate.<br>
&gt;&gt;&gt; &gt;<br>
&gt;&gt;&gt; &gt; Thank you.<br>
&gt;&gt;&gt; &gt;<br>
&gt;&gt;&gt; &gt; Regards.<br>
&gt;&gt;&gt; &gt;<br>
&gt;&gt;&gt; &gt; Neil Wilson<br>
&gt;&gt;&gt; &gt;<br>
&gt;&gt;&gt; &gt;<br>
&gt;&gt;&gt; &gt;<br>
&gt;&gt;&gt; &gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;<br>
</div></div></blockquote></div><br></div>
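Added example (not part of the original thread, and not oVirt code): a small parser for the `-Djavax.net.debug=all` certificate dumps quoted from server.log above, which pairs each `Subject:` with its `Validity` window and flags certificates whose `To:` date is earlier than the log timestamp. It assumes the log timestamps and the certificate dates are printed in the same local time zone (SAST in the thread) and an English locale for day and month names; the second certificate in the sample is constructed for contrast.

```python
import re
from datetime import datetime

# Constructed sample in the server.log format quoted above; the second (CA)
# certificate entry and its From date are made up for contrast.
SAMPLE_LOG = """\
2017-09-22 09:35:26,464 INFO  [stdout] (MSC service thread 1-4)   Subject: CN=engine01.mydomain.za, O=mydomain, C=US
2017-09-22 09:35:26,477 INFO  [stdout] (MSC service thread 1-4)   Validity: [From: Sun Oct 14 22:26:46 SAST 2012,
2017-09-22 09:35:26,478 INFO  [stdout] (MSC service thread 1-4)                To: Tue Sep 19 18:26:49 SAST 2017]
2017-09-22 09:35:26,479 INFO  [stdout] (MSC service thread 1-4)   Issuer: CN=CA-engine01.mydomain.za.47472, O=mydomain, C=US
2017-09-22 09:35:27,101 INFO  [stdout] (MSC service thread 1-4)   Subject: CN=CA-engine01.mydomain.za.47472, O=mydomain, C=US
2017-09-22 09:35:27,102 INFO  [stdout] (MSC service thread 1-4)   Validity: [From: Sat Oct 13 18:26:46 SAST 2012,
2017-09-22 09:35:27,103 INFO  [stdout] (MSC service thread 1-4)                To: Thu Oct 13 18:26:46 SAST 2022]
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+\S+\s+\[stdout\]\s+\([^)]*\)\s*(.*)$")
DATE = re.compile(r"(?:From|To): (\w{3} \w{3} +\d+ \d\d:\d\d:\d\d) \w+ (\d{4})")


def _java_date(payload):
    """Parse a java.util.Date string, dropping the zone abbreviation (e.g. SAST)."""
    m = DATE.search(payload)
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y") if m else None


def find_certificates(log_text):
    """Return one dict per certificate dump, with 'expired' judged at log time."""
    found, cert = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        payload = m.group(2).strip()
        if payload.startswith("Subject: "):
            cert = {"subject": payload[9:],
                    "logged_at": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")}
        elif cert and payload.startswith("Validity:"):
            cert["not_before"] = _java_date(payload)
        elif cert and payload.startswith("To:"):
            cert["not_after"] = _java_date(payload)
            if cert["not_after"] is not None:
                cert["expired"] = cert["not_after"] < cert["logged_at"]
                found.append(cert)
            cert = None
    return found


if __name__ == "__main__":
    for c in find_certificates(SAMPLE_LOG):
        state = "EXPIRED" if c["expired"] else "valid"
        print(f'{state:8} notAfter={c["not_after"]}  {c["subject"]}')
```

Expiry is judged against the timestamp of the log line rather than the current clock, so the result describes the state of the certificate when the handshake was logged.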