Nathanaël Blanchet <blanc...@abes.fr> writes: > Hi, > > Some of my hosts came into a non responsive state since there > certicate had expired: > > VDSM palomo command Get Host Capabilities failed: PKIX path validation > failed: java.security.cert.CertPathValidatorException: validity check > failed > > |openssl x509 -noout -enddate -in /etc/pki/vdsm/certs/vdsmcert.pem > palomo notAfter=Apr 6 11:09:05 2022 GMT | > > The recommanded path to update certificates is to put hosts into > maintenance and enroll certificates. > But I can't anymore live migrate vms since the certificate is expired: > > 2022-04-13 10:34:12,022+0200 ERROR (migsrc/bf0f7628) [virt.vm] > (vmId='bf0f7628-d70b-47a4-8569-5430e178f429') [SSL: > CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897) > (migration:331) > > > So is there a way to disable tls to migrate these vms so as to put the > host into maintenance?
Do you use encrypted migrations? I think the client certificate is verified only with encrypted migrations. You can disable encrypted migrations in the web UI among other migration settings in cluster or VM settings. If it fails also with non-encrypted migrations, *maybe* removing the client certificate could help. If disabling encrypted migrations is not possible, you can try to set migrate_tls_x509_verify option in /etc/libvirt/qemu.conf on the destination host to 0 (libvirt restart may be needed to apply the changed setting). I guess there could be also a way to run the Ansible role for updating the certificates manually (not recommended etc. etc. but perhaps still useful in this case) without putting the host into the maintenance. Just a speculation, I don’t know whether it’s actually possible and how to do it if it is. Regards, Milan > No possibility of migration would imply to stop production vms, this > is what we absolutely don't want! > > Any help much appreciated. > > || _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/65YXCBQAD47KARXCVGUYVBMMBQMYLVFV/
