Has anyone seen or had this issue? I am not having any luck. Could someone
explain the working logic of the engine talking to vdsm with certs?

Don

On Mon, Oct 10, 2022 at 9:45 PM Don Dupuis <[email protected]> wrote:

> Hello
> I have an oVirt cluster with 25 hypervisors that has been running fine for a
> couple of years, and today all of a sudden the engine was getting SSL errors
> talking to the hypervisors. The error in engine.log is:
>
> 2022-10-10 16:20:23,562-05 ERROR
> [org.ovirt.engine.core.vdsbroker.monitoring.HostMonitoring]
> (EE-ManagedThreadFactory-engineScheduled-Thread-47) [] Unable to
> RefreshCapabilities: VDSNetworkException: VDSGenericException:
> VDSNetworkException: Received fatal alert: unknown_ca
>
> Certificates don't seem expired and I ran the commands:
>
> # openssl x509 -noout -in /etc/pki/ovirt-engine/ca.pem -fingerprint
> # openssl x509 -noout -in /etc/pki/vdsm/certs/cacert.pem -fingerprint
> # openssl x509 -noout -in /etc/pki/vdsm/libvirt-spice/ca-cert.pem -fingerprint
> # openssl x509 -noout -in /etc/pki/vdsm/libvirt-vnc/ca-cert.pem -fingerprint
> # openssl x509 -noout -in /etc/pki/CA/cacert.pem -fingerprint
>
> Those commands show that the fingerprints are the same.
>
> # openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem /etc/pki/ovirt-engine/certs/engine.cer
> # openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem /etc/pki/ovirt-engine/certs/apache.cer
> # openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem /etc/pki/ovirt-engine/certs/websocket-proxy.cer
> # openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem /etc/pki/ovirt-engine/certs/jboss.cer
> # openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem /etc/pki/ovirt-engine/certs/imageio-proxy.cer
> # openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem /etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer
>
> These verification commands come back as OK. I am having trouble finding my
> problem. Does anyone have any suggestions? I am not finding any hits on
> Google for unknown_ca.
>
> Also, the vdsm log on the hypervisors has this:
>
> 2022-10-10 15:54:42,843-0500 ERROR (Reactor thread) 
> [ProtocolDetector.SSLHandshakeDispatcher] ssl handshake: SSLError, address: 
> ::ffff:192.168.50.26 (sslutils:263)
>
> Thanks
>
> Don
>
>
_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/[email protected]/message/HCJZ34SQQGN5EUVP77RMRJTJCGLOA6YT/
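
Added example, not part of the original message and not oVirt's own tooling: the fingerprint comparison and openssl verify checks from the message, wrapped as shell functions, plus an explicit expiry check using openssl x509 -checkend. The function names are hypothetical and every file path is passed in as an argument.

```shell
#!/bin/sh
# Added example: function names are hypothetical; paths are arguments.
# Usage, with paths quoted in the message:
#   ca_copies_match /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-spice/ca-cert.pem
#   check_cert /etc/pki/ovirt-engine/ca.pem /etc/pki/ovirt-engine/certs/engine.cer 30

# Print the SHA-256 fingerprint of a PEM certificate (empty if unreadable).
fp() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | cut -d= -f2
}

# ca_copies_match REF COPY...
# Returns 0 if every COPY has the same fingerprint as REF,
# 1 if any copy differs or is unreadable, 2 if REF itself is unreadable.
ca_copies_match() {
    local ref="" rc=0 f=""
    ref="$(fp "$1")"
    [ -n "$ref" ] || { echo "UNREADABLE: $1"; return 2; }
    shift
    for f in "$@"; do
        if [ "$(fp "$f")" != "$ref" ]; then
            echo "MISMATCH: $f"
            rc=1
        fi
    done
    return "$rc"
}

# check_cert CA CERT [DAYS]
# Returns 2 if CERT is expired or expires within DAYS (default 30),
# 1 if CERT does not verify against CA, 0 otherwise.
# Expiry is tested first because openssl verify also fails on an expired
# certificate, which would hide the real cause.
check_cert() {
    local ca="$1" cert="$2" days="${3:-30}"
    if ! openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        echo "EXPIRES WITHIN ${days}d: $cert"
        openssl x509 -noout -enddate -in "$cert" 2>/dev/null
        return 2
    fi
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "DOES NOT VERIFY AGAINST $ca: $cert"
        return 1
    fi
    echo "OK: $cert"
}
```

Because check_cert accepts the CA file as its own CERT argument, the same call also reports whether the CA certificate itself is close to expiry.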
