On Thu, Sep 3, 2020 at 2:56 PM Pierre pit <[email protected]> wrote:
> I have a communication problem between all the nodes and the manager
> following the upgrade from 4.3 to 4.4. I followed the procedure of update
> 4.3 to 4.4 everything worked correctly, according to the import export
> scripts as well as the installation setup on the new manager in 4.4, all is
> ok. Only after connection to the manager, all the nodes are in a down
> state, there is no more communication between the manager newly installed
> in 4.4 and the nodes still in production in 4.3.
>
> In the manager I have this message for all the nodes:
> ` VDSM virtdell8 command Get Host Capabilities failed: PKIX path
> validation failed: java.security.cert.CertPathValidatorException: Algorithm
> constraints check failed on signature algorithm: SHA256withRSA`
>

Hi Pierre,

Hmm, the following error is a bit misleading, but it gives a clue to me. Could you please check the key size of your ovirt-engine CA key?

openssl x509 -text -noout -in /etc/pki/ovirt-engine/ca.pem | grep 'RSA Public-Key'

If your key size is less than 2048 bits, then you need to change crypto policy of your CentOS 8 to LEGACY using below steps:

1. Execute 'update-crypto-policies --set LEGACY'
2. Reboot the machine

That should mitigate the issue, but I'm really curious, this should not happen unless your engine was installed in oVirt 3.0 era and then continuously upgraded up to 4.4, because we have switched to 2048 bits in 2012:

https://gerrit.ovirt.org/4389

Is this your case?

Regards,
Martin

> And on the nodes:
> ` 2020-09-01 17:38:13,083+0200 ERROR (Reactor thread)
> [ProtocolDetector.SSLHandshakeDispatcher] ssl handshake: SSLError, address:
> ::ffff:XXX.XXX.XXX.XXX (sslutils:264)
> vdsm[4400]: ERROR ssl handshake: SSLError, address:
> ::ffff:XXX.XXX.XXX.XXX`
>
> After a search on the forums I found a similar error on version 4.2 only
> the solution of comment `ssl_excludes` in the `/etc/vdsm/vdsm.conf` file
> but does not apply to my problem.
>
> I unfortunately had to backtrack because it was no longer possible to
> control ovirt and use the manager for our production. the new machine with
> the manager in 4.4 is offline while a solution is found
>
> Do you know where should I look in order to solve this problem?
>
> thank you in advance
> Pierre
> _______________________________________________
> Users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/[email protected]/message/CE34HLTRN54HVOJNK3ZCNXH66CIYFSQS/
>

--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
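The key-size check from the reply above, as an added example that is not part of the original thread: it parses the `openssl x509 -text -noout` dump, accepts both the `RSA Public-Key:` label and the plain `Public-Key:` label that OpenSSL 3.x prints, and compares the RSA size with the 2048-bit minimum mentioned in the reply. The function names and the sample excerpts are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report a certificate's RSA key size
# and signature algorithm, and compare the size with a 2048-bit minimum.

MIN_RSA_BITS=2048   # threshold named in the reply above

# Read `openssl x509 -text -noout` output on stdin and print the RSA key size.
# Prints nothing for non-RSA keys, whose "Public-Key:" size is not comparable.
rsa_bits_from_text() {
    awk '/Public Key Algorithm: rsaEncryption/ { rsa = 1 }
         rsa && match($0, /Public-Key: \([0-9]+ bit\)/) {
             s = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", s); print s; exit }'
}

# Print the certificate's signature algorithm (first occurrence in the dump).
sig_alg_from_text() {
    sed -nE 's/^[[:space:]]*Signature Algorithm: (.+)$/\1/p' | head -n 1
}

# Map a bit count to a verdict; empty or non-numeric input is UNKNOWN.
classify_bits() {
    case "$1" in
        ''|*[!0-9]*) echo UNKNOWN ;;
        *) if [ "$1" -lt "$MIN_RSA_BITS" ]; then echo WEAK; else echo OK; fi ;;
    esac
}

# usage: check_cert /etc/pki/ovirt-engine/ca.pem   (exit 0 only when verdict is OK)
check_cert() (
    text=$(openssl x509 -text -noout -in "$1") || exit 2
    bits=$(printf '%s\n' "$text" | rsa_bits_from_text)
    alg=$(printf '%s\n' "$text" | sig_alg_from_text)
    verdict=$(classify_bits "$bits")
    printf '%s: rsa_bits=%s signature=%s verdict=%s\n' "$1" "${bits:-n/a}" "$alg" "$verdict"
    [ "$verdict" = OK ]
)

# Constructed excerpts of openssl text output (not from real certificates).
SAMPLE_OLD='        Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'
SAMPLE_NEW='        Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'
SAMPLE_EC='        Signature Algorithm: ecdsa-with-SHA256
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)'

if [ "$#" -gt 0 ]; then check_cert "$1"; fi
```

A `WEAK` verdict on the CA certificate corresponds to the "less than 2048 bits" case described in the reply.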

