I have checked the solution and it works, apart from the console feature of the virtual machine.

In my case, once I got control over the host, I migrated all the VMs and then did Maintenance and then Enroll Certificate.

So, an updated version:

```
set -x ## Make the script echo everything out, so if it fails you know where
set -e ## Make the script STOP on any error
my_date="$(date +"%Y%m%d%H%M%S")"   # plain assignment: 'set my_date=...' would set $1, not a variable

# Backup the existing CA files
/bin/cp -p /etc/pki/ovirt-engine/private/ca.pem /etc/pki/ovirt-engine/private/ca.pem.$my_date
/bin/cp -p /etc/pki/ovirt-engine/ca.pem{,.$my_date}
/bin/mv /etc/pki/ovirt-engine/certs/ca.der{,.$my_date}

# Sign the key (re-sign the existing CA certificate with its own key for another 10 years)
openssl x509 -signkey /etc/pki/ovirt-engine/private/ca.pem -in /etc/pki/ovirt-engine/ca.pem \
    -out /etc/pki/ovirt-engine/ca.pem.new -days 3650 -sha256
openssl x509 -in /etc/pki/ovirt-engine/ca.pem.new -text > /etc/pki/ovirt-engine/ca.pem.new.full

# Put the files into place
/bin/mv -f /etc/pki/ovirt-engine/ca.pem.new.full /etc/pki/ovirt-engine/ca.pem
/bin/cp -p /etc/pki/ovirt-engine/ca.pem.new /etc/pki/ovirt-engine/certs/ca.der
```

Now you need to copy the new CA file over to the host:
Source: ENGINE `/etc/pki/ovirt-engine/ca.pem`
Dest: HOST `/tmp/new-ca.pem`

########### On the oVirt Host ###########

```
# Create a CSR using the information from the existing certificate and the existing key:
openssl x509 -x509toreq -in /etc/pki/libvirt/clientcert.pem -out /tmp/HOST.csr \
    -signkey /etc/pki/libvirt/private/clientkey.pem
```

Now you need to copy the new CA file over to the host:
Source: HOST `/tmp/HOST.csr`
Dest: ENGINE `/etc/pki/ovirt-engine/requests/full.hostname.com.req`

########### On the ENGINE HOST ###########

```
# Now sign it:
/usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=full.hostname.com
# NB -- adding --san results in an error: --san=host.na.me (so no Subject Alternate Names)
```

Now you need to copy the new Certificate file over to the host:
Source: ENGINE `/etc/pki/ovirt-engine/certs/full.hostname.com.cer`
Dest: HOST `/tmp/new-cert.pem`

########### On the oVirt Host ########### (see the script written below)

```
#!/bin/bash
#set -x
set -e

mydate="$(date +"%Y%m%d%H%M%S")"
echo "[.] reference ${mydate}"
for x in /tmp/new-ca.pem /tmp/new-cert.pem ; do
    echo -n "[.] checking $x"
    if [ ! -e "$x" ]; then
        echo "[not found]"
        exit 1    # fail loudly: a bare 'exit' would return 0 and look like success
    else
        echo "[found]"
    fi
done

# Host certificates: keep the old one aside, install the newly enrolled certificate
for x in /etc/pki/libvirt/clientcert.pem /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/libvirt-migrate/server-cert.pem /etc/pki/vdsm/libvirt-spice/server-cert.pem /etc/pki/vdsm/libvirt-vnc/server-cert.pem; do
    echo -n "[.] moving $x to ${x}.${mydate}"
    /bin/mv -n "$x" "${x}.${mydate}"
    echo "[done]"
    echo -n "[.] copying /tmp/new-cert.pem to $x"
    /bin/cp /tmp/new-cert.pem "${x}"
    echo "[done]"
    echo -n "[.] setting permissions to $x 644 root:kvm"
    chmod 644 "${x}"
    chown root:kvm "${x}"
    echo "[done]"
done

# CA certificates: same treatment with the renewed CA
for x in /etc/pki/vdsm/libvirt-migrate/ca-cert.pem /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-vnc/ca-cert.pem /etc/pki/vdsm/libvirt-spice/ca-cert.pem /etc/pki/CA/cacert.pem; do
    echo -n "[.] moving $x to ${x}.${mydate}"
    /bin/mv -n "$x" "${x}.${mydate}"
    echo "[done]"
    echo -n "[.] copying /tmp/new-ca.pem to $x"
    /bin/cp /tmp/new-ca.pem "${x}"
    echo "[done]"
    echo -n "[.] setting permissions to $x 644 root:kvm"
    chmod 644 "${x}"
    chown root:kvm "${x}"
    echo "[done]"
done

# vdsm private key: the new certificate was requested with libvirt's client key, so install that key here
for x in /etc/pki/vdsm/keys/vdsmkey.pem; do
    echo -n "[.] moving $x to ${x}.${mydate}"
    /bin/mv -n "$x" "${x}.${mydate}"
    echo "[done]"
    echo -n "[.] copying /etc/pki/libvirt/private/clientkey.pem to $x"
    /bin/cp /etc/pki/libvirt/private/clientkey.pem "${x}"
    echo "[done]"
    echo -n "[.] setting permissions to $x 640 root:kvm"
    chmod 640 "${x}"    # private key: root and the kvm group (vdsm) only, never world-readable
    chown root:kvm "${x}"
    echo "[done]"
done

echo "[.] Checks "
openssl x509 -in /etc/pki/libvirt/clientcert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/certs/cacert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-migrate/ca-cert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-migrate/client-cert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-migrate/server-cert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-spice/ca-cert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-spice/server-cert.pem -noout -dates
```

Note: I would back up the entire pki folder on both node and engine.
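The "Checks" at the end of the host script only print validity dates; they do not tell you whether the installed certificate actually chains to the CA you just copied over, or whether it still belongs to the private key sitting next to it. The function below is an added check, not part of the message above or of oVirt's own tooling: it verifies the chain, compares the public key in the certificate with the one derived from the private key, and requires a minimum remaining lifetime for both CA and certificate. It exercises itself against a throwaway CA and host certificate generated in a temporary directory (constructed test material); the `/etc/pki/vdsm` paths in the usage comment are the ones installed by the procedure above.

```shell
#!/bin/bash
# Added example (not from the original post): post-renewal sanity check for a
# CA / host certificate / private key triple. The fixture it runs against is a
# throwaway CA and host cert generated here in a temp dir, not real oVirt PKI.
set -e

# check_pki CA_PEM CERT_PEM KEY_PEM [MIN_DAYS]
# Returns 0 only if CERT chains to CA, CERT's public key matches KEY, and
# neither CA nor CERT expires within MIN_DAYS (default 30).
check_pki() {
    local ca="$1" cert="$2" key="$3" min_days="${4:-30}"
    local secs=$((min_days * 86400))
    local cert_pub key_pub f

    # 1. Chain: the host certificate must verify against the (renewed) CA
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "[FAIL] $cert does not chain to $ca"
        return 1
    fi

    # 2. Key match: compare the SubjectPublicKeyInfo in the cert with the one
    #    derived from the private key (hashed, so the comparison is one string)
    cert_pub="$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)"
    key_pub="$(openssl pkey -in "$key" -pubout | openssl sha256)"
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "[FAIL] public key in $cert does not match $key"
        return 1
    fi

    # 3. Lifetime: -checkend exits non-zero if the cert expires within $secs
    for f in "$ca" "$cert"; do
        if ! openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null; then
            echo "[FAIL] $f expires within $min_days days"
            return 1
        fi
    done

    echo "[OK] $cert chains to $ca, matches $key, valid for more than $min_days days"
    return 0
}

# make_fixture DIR: constructed test material, a 10-year CA, a 1-year host cert
# issued by it, and an unrelated key to exercise the mismatch case.
make_fixture() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
        -subj "/CN=example-ca" -days 3650 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/host.key" -out "$d/host.csr" \
        -subj "/CN=host.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/host.pem" -days 365 -sha256 >/dev/null 2>&1
    openssl genpkey -algorithm RSA -out "$d/other.key" >/dev/null 2>&1
}

main() {
    local d
    d="$(mktemp -d)"
    make_fixture "$d"
    check_pki "$d/ca.pem" "$d/host.pem" "$d/host.key"
    # Mismatch case: an unrelated key must be rejected (prints [FAIL], exit code 1)
    check_pki "$d/ca.pem" "$d/host.pem" "$d/other.key" || true
    rm -rf "$d"
}

# On a real host, after the script above has installed the files:
#   check_pki /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/keys/vdsmkey.pem
main
```

Run the same call once per (ca-cert, server-cert) pair in the `libvirt-migrate`, `libvirt-spice` and `libvirt-vnc` directories as well, with the key that each service actually uses; a certificate that chains correctly but belongs to a different key is exactly the kind of mistake a date-only check lets through.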


_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/66WMX7EGTZWYKBUPH7DGF4FZHXSHQEQO/