On Wed, Jun 26, 2019 at 10:42 PM Strahil <[email protected]> wrote:
>
> What about setting the date and time manually somewhere at 2016 on all hosts
> and blocking ntp at all ?
>
> Then the certs will be still valid and can be renewed ?
>
> Just asking... Not sure what will be the outcome.

Glad you asked.

Stefano's certs were not too old, they didn't expire. They were invalid
because they didn't have a timezone field.

See also:

https://www.ovirt.org/develop/release-management/features/infra/pki-renew.html
https://bugzilla.redhat.com/show_bug.cgi?id=1210486

Best regards,

>
> Best Regards,
> Strahil Nikolov
>
> On Jun 25, 2019 12:31, Yedidyah Bar David <[email protected]> wrote:
> >
> > On Tue, Jun 25, 2019 at 12:28 PM Stefano Danzi <[email protected]> wrote:
> > >
> > >
> > >
> > > On 25/06/2019 10:08, Yedidyah Bar David wrote:
> > > > On Tue, Jun 25, 2019 at 10:26 AM Stefano Danzi <[email protected]> wrote:
> > > >>
> > > >>
> > > >> On 25/06/2019 08:27, Yedidyah Bar David wrote:
> > > >>> On Mon, Jun 24, 2019 at 7:56 PM Stefano Danzi <[email protected]>
> > > >>> wrote:
> > > >>>> I've found that this issue is related to:
> > > >>>>
> > > >>>> https://bugzilla.redhat.com/show_bug.cgi?id=1648190
> > > >>> Are you sure?
> > > >>>
> > > >>> That bug is about an old cert, generated by an old version, likely
> > > >>> before we fixed bug 1210486 (even though it's not mentioned in above
> > > >>> bug).
> > > >> Yes! Malformed "Not Before" date/time in certs
> > > >>
> > > >>>> But I've no idea how to fix it....
> > > >>>>
> > > >>>> On 24/06/2019 18:19, Stefano Danzi wrote:
> > > >>>>> I've just upgraded my test environment from ovirt 4.2 to 4.3.4.
> > > >>> Was it installed as 4.2, or upgraded? From which first version?
> > > >> I don't remember the first installed version. Maybe 4.0... I always
> > > >> upgraded the original installation.
> > > >>
> > > >>>>> System has only one host (Centos 7.6.1810) and runs a self hosted
> > > >>>>> engine.
> > > >>>>>
> > > >>>>> After upgrade I'm not able to run vdsmd (and so hosted engine....)
> > > >>>>>
> > > >>>>> Above the error in log:
> > > >>>>>
> > > >>>>> journalctl -xe
> > > >>>>>
> > > >>>>> -- L'unità libvirtd.service ha iniziato la fase di avvio.
> > > >>>>> giu 24 18:09:17 ovirt01.hawai.lan libvirtd[8176]: 2019-06-24
> > > >>>>> 16:09:17.006+0000: 8176: info : libvirt version: 4.5.0, package:
> > > >>>>> 10.el7_6.12 (CentOS BuildSystem <http://bugs.centos.org>,
> > > >>>>> 2019-06-20-15:01:15, x86-01.bsys.
> > > >>>>> giu 24 18:09:17 ovirt01.hawai.lan libvirtd[8176]: 2019-06-24
> > > >>>>> 16:09:17.006+0000: 8176: info : hostname: ovirt01.hawai.lan
> > > >>>>> giu 24 18:09:17 ovirt01.hawai.lan libvirtd[8176]: 2019-06-24
> > > >>>>> 16:09:17.006+0000: 8176: error :
> > > >>>>> virNetTLSContextLoadCertFromFile:513
> > > >>>>> : Unable to import server certificate
> > > >>>>> /etc/pki/vdsm/certs/vdsmcert.pem
> > > >>> Did you check this file? Does it exist?
> > > >>>
> > > >>> ls -l /etc/pki/vdsm/certs/vdsmcert.pem
> > > >>>
> > > >>> Can vdsm user read it?
> > > >>>
> > > >>> su - vdsm -s /bin/bash -c 'cat /etc/pki/vdsm/certs/vdsmcert.pem >
> > > >>> /dev/null'
> > > >>>
> > > >>> Please check/share output of:
> > > >>>
> > > >>> openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -text
> > > >>>
> > > >>> Thanks and best regards,
> > > >> vdsm can read vdsmcert. The problem is "Not Before" date:
> > > >>
> > > >> [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in
> > > >> /etc/pki/vdsm/certs/vdsmcert.pem -text'
> > > >> Certificate:
> > > >>     Data:
> > > >>         Version: 3 (0x2)
> > > >>         Serial Number: 4102 (0x1006)
> > > >>     Signature Algorithm: sha1WithRSAEncryption
> > > >>         Issuer: C=US, O=hawai.lan, CN=ovirtbk-sheng.hawai.lan.63272
> > > >>         Validity
> > > >>             Not Before: Feb  4 08:36:07 2015
> > > >>             Not After : Feb  4 08:36:07 2020 GMT
> > > >> [CUT]
> > > >>
> > > >>
> > > >> [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in
> > > >> /etc/pki/vdsm/certs/cacert.pem -text'
> > > >> Certificate:
> > > >>     Data:
> > > >>         Version: 3 (0x2)
> > > >>         Serial Number: 4096 (0x1000)
> > > >>     Signature Algorithm: sha1WithRSAEncryption
> > > >>         Issuer: C=US, O=hawai.lan, CN=ovirtbk-sheng.hawai.lan.63272
> > > >>         Validity
> > > >>             Not Before: Feb  4 00:06:25 2015
> > > >>             Not After : Feb  2 00:06:25 2025 GMT
> > > >>
> > > > OK :-(
> > > >
> > > > So it will be rather difficult to fix.
> > > >
> > > > You should have been prompted by engine-setup long ago to renew PKI,
> > > > weren't you? And when you did, didn't you have to reinstall (or
> > > > Re-Enroll Certificates, in later versions) all hosts?
> > >
> > > I don't remember ever seeing a question about this during engine-setup,
> > > but it could be.
> > > In /etc/pki/vdsm/certs/ I can see an old cert and ca with subject:
> > >
> > > [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in
> > > /etc/pki/vdsm/certs/cacert.pem.20150205093608 -text'
> > > Certificate:
> > >     Data:
> > >         Version: 3 (0x2)
> > >         Serial Number: 1423056193 (0x54d21d41)
> > >     Signature Algorithm: sha256WithRSAEncryption
> > >         Issuer: CN=VDSM Certificate Authority
> > >         Validity
> > >             Not Before: Feb  4 13:23:13 2015 GMT
> > >             Not After : Feb  4 13:23:13 2016 GMT
> > >         Subject: CN=VDSM Certificate Authority
> > >         Subject Public Key Info:
> > >
> > > [CUT]
> > >
> > > [root@ovirt01 ~]# su - vdsm -s /bin/bash -c 'openssl x509 -in
> > > /etc/pki/vdsm/certs/vdsmcert.pem.20150205093609 -text'
> > > Certificate:
> > >     Data:
> > >         Version: 3 (0x2)
> > >         Serial Number: 1423056193 (0x54d21d41)
> > >     Signature Algorithm: sha256WithRSAEncryption
> > >         Issuer: CN=VDSM Certificate Authority
> > >         Validity
> > >             Not Before: Feb  4 13:23:13 2015 GMT
> > >             Not After : Feb  4 13:23:13 2016 GMT
> > >         Subject: CN=ovirt01.hawai.lan, O=VDSM Certificate
> > >         Subject Public Key Info:
> > >             Public Key Algorithm: rsaEncryption
> > >
> > >
> > > I think those were certs made during first hosted engine installation.
> > > Could it work if I manually create certs like this?
> > > Just to start libvirtd, vdsm and hosted-engine.
> >
> > I think it's worth a try. Just create a self-signed CA, a keypair
> > signed by it, and place them correctly, should work.
> >
> > The engine won't be able to talk with the host, but you can then more
> > easily reinstall/re-enroll-certs.
> >
> > Good luck,
> > --
> > Didi
> > _______________________________________________
> > Users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> > oVirt Code of Conduct:
> > https://www.ovirt.org/community/about/community-guidelines/
> > List Archives:
> > https://lists.ovirt.org/archives/list/[email protected]/message/LBD33ESAF534F7SQKA53WBXXAAQ2BIJK/

--
Didi
_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/S52E5GERSI27X4JH3HVBZLAL6755ZWSV/
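The thread's diagnosis is a "Not Before" field with no timezone: openssl prints the vdsmcert dates without "GMT" because the encoded ASN.1 time lacks the trailing "Z" that RFC 5280 requires, and libvirt's TLS layer then refuses to load the certificate. The following is an added example, not code from the thread or from oVirt/vdsm: a small DER walker that reads the Validity sequence of a certificate and reports whether each time is in Zulu form, plus a constructed, unsigned certificate skeleton (`build_sample`, a hypothetical helper) so it can be exercised offline; the sample's serial and signature OID mirror the vdsmcert output above, the issuer is left empty.

```python
# Added example, not from the thread: walk a DER certificate just far enough
# to reach the Validity SEQUENCE and flag ASN.1 times without the trailing 'Z'.
# RFC 5280 requires UTCTime/GeneralizedTime in Zulu form; a value lacking it
# is what makes openssl print "Not Before: Feb  4 08:36:07 2015" with no "GMT".

def _tlv(data, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8n followed by n bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(data, start, end):
    """Yield (tag, value_start, value_end) for each element of a SEQUENCE."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(data, pos)
        yield tag, vs, ve
        pos = ve

def check_validity(der):
    """Map notBefore/notAfter to (raw ASN.1 string, compliant) for a DER cert."""
    _, tbs_start, tbs_end = _tlv(der, _tlv(der, 0)[1])   # Certificate -> tbsCertificate
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    _, val_start, val_end = fields[3]      # serial, signature, issuer, validity
    result = {}
    for name, (tag, vs, ve) in zip(("notBefore", "notAfter"), _children(der, val_start, val_end)):
        raw = der[vs:ve].decode("ascii")   # UTCTime (0x17) or GeneralizedTime (0x18)
        result[name] = (raw, tag in (0x17, 0x18) and raw.endswith("Z"))
    return result

def _enc(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    return bytes([tag]) + (bytes([0x80 | len(lb)]) + lb if lb else bytes([n])) + body

def build_sample(not_before, not_after):
    """Constructed, unsigned certificate skeleton carrying the given times."""
    tbs = _enc(0x30, b"".join([
        _enc(0xA0, _enc(0x02, b"\x02")),                                 # version v3
        _enc(0x02, b"\x10\x06"),                                         # serial 4102
        _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")), # sha1WithRSA
        _enc(0x30, b""),                                                 # issuer (empty)
        _enc(0x30, _enc(0x17, not_before) + _enc(0x17, not_after)),      # validity
    ]))
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
```

For a real host, feed `check_validity` the bytes of `openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -outform DER` (or the base64-decoded PEM body); a `False` on either field is the same defect the thread traces to the pre-1210486 PKI.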

