Hello,

On Tue, Feb 1, 2022 at 8:46 AM Yedidyah Bar David <d...@redhat.com> wrote:
> On Mon, Jan 31, 2022 at 6:06 PM Diggy Mc <d...@bornfree.org> wrote:
> >
> > > On Sun, Jan 30, 2022 at 8:16 PM Diggy Mc <d03(a)bornfree.org> wrote:
> > >
> > > If it's a certificate created by engine-setup for you, you can run
> > > 'engine-setup' and it can recreate it for you. If you do not want to
> > > update the system, you can run it with 'engine-setup --offline'.
> > > Otherwise, if it's a certificate you got elsewhere, you should update
> > > it manually, perhaps following some of the steps of the procedure to
> > > replace the certificate - the one you followed originally.
> > >
> > > Good luck and best regards,
> >
> > It is the original certificate created during initial install/setup. If
> > possible, I would like to have another oVirt generated certificate without
> > upgrading the engine's version. Where can I find instructions on how to do
> > that?
> >
> > What would be the pros and cons of generating my own self-signed
> > certificate
>
> Generally speaking, this is recommended. The main "con" is simply that it
> requires some work and responsibility.
>
> > with a longer validity period?
>
> You already linked to the pki-renew page. This one links at several
> bugs, which link to several patches, which (also) explain the reasoning,
> also linking e.g. at:
>
> https://www.thesslstore.com/blog/ssl-certificate-validity-will-be-limited-to-one-year-by-apples-safari-browser/
> https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/
>
> Latter is old, this one is newer (found by searching their site for "398
> days"):
>
> https://cabforum.org/2021/04/22/ballot-sc42-398-day-re-use-period/
>
> > Where can I find instructions on that?
>
> https://www.ovirt.org/documentation/administration_guide/#appe-Red_Hat_Enterprise_Virtualization_and_SSL
>
> Actually creating your own CA and signing certs with it is not in the
> scope of this document. You can search the net and find several guides
> on how to do that, or you can use the services of an existing CA -
> letsencrypt is quite popular these days, being free (gratis).
>
> > Again, thanks for your help.
>
> Good luck and best regards,
> --
> Didi

Unlike my predecessor, I not only lost my vmengine, I also lost the vdsm services on all hosts.
All seem to be hitting the same issue - read, the certs under /etc/pki/vdsm/certs and /etc/pki/ovirt* all expired a couple of days ago.
As such, the hosted engine cannot go into global maintenance mode, preventing engine-setup --offline from running.

Two questions:
1. Is there any automated method to renew the vdsm certificates?
2. Assuming the previous answer is "no", assuming I'm somewhat versed in using openssl, how can I manually renew them?

Thanks,
Gilboa
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/P3QPMCCZJCS3BC3AAXBGJMBDDSZTL2DB/