[ovirt-users] Re: /etc/pki/ovirt-engine/ca.pem is not on a local filesystem
Hi Didi,

Patch has been submitted at https://github.com/oVirt/ovirt-engine/pull/891.

Thanks.

On 2023-11-14 10:04, Yedidyah Bar David wrote:
> Thanks for the update!
>
> You might want to push a patch to enforce the locale for the `df` command
> (e.g. 'LC_ALL=C df -l...'). There are a few such places scattered around
> the code, but nothing systematic - and I think we do want, in general, to
> have localized error messages, so can't do this "too-high" in the
> execution hierarchy.
>
> Best regards,
> --
> Didi

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/6RPZKJFL5DJYXGO6O43ARR4NTU3LAK7X/
[ovirt-users] Re: /etc/pki/ovirt-engine/ca.pem is not on a local filesystem
Hi,

On Tue, Nov 14, 2023 at 11:31 AM wrote:
> Hi Didi,
>
> Thanks for the reply.
>
> Finally solved it by exporting LANG=C in the shell before running the
> command.
>
> Seems that the "pki-enroll-request.sh" does this check:
>
>    LOCK="${PKIDIR}/${CA_FILE}".pem
>    df -l "${LOCK}" 2> /dev/null | grep -q "File" || die "${LOCK} is not on a local filesystem"
>
> However, if LANG is a different language than C, the output will vary
> and the grep command will return empty.
>
> It's working now. Thanks.

Thanks for the update!

You might want to push a patch to enforce the locale for the `df` command (e.g. 'LC_ALL=C df -l...'). There are a few such places scattered around the code, but nothing systematic - and I think we do want, in general, to have localized error messages, so can't do this "too-high" in the execution hierarchy.

Best regards,
--
Didi

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/HM24AGSKFJIHQYLMXZZG7LXIGPPJIJOU/
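The locale dependence diagnosed in this thread and the per-command `LC_ALL=C` fix suggested above, as an added example that is not part of the original messages or of oVirt's code. `DF`, `fake_df`, `compare` and the `/mnt/nfs/` path are constructed for the demonstration, and the Spanish header is a constructed sample of localized `df` output.

```shell
#!/bin/sh
# Added example: the header-matching check from the thread vs. a locale-pinned one.
# DF picks the df implementation (default: real df); fake_df is a constructed stub.
DF=${DF:-df}

# Constructed stand-in for df: header language follows the effective message
# locale (LC_ALL, then LC_MESSAGES, then LANG). Paths under /mnt/nfs/ are
# treated as remote: no output, non-zero exit (hypothetical mount point).
fake_df() {
    case "$2" in /mnt/nfs/*) return 1 ;; esac
    case "${LC_ALL:-${LC_MESSAGES:-${LANG:-C}}}" in
        es*) echo "S.ficheros     bloques de 1K  Usados Disponibles Uso% Montado en" ;;
        *)   echo "Filesystem     1K-blocks      Used Available Use% Mounted on" ;;
    esac
    echo "/dev/sda1        41152736  9213440   29825920  24% /"
}

# Check as quoted in the thread: the result depends on the caller's locale.
is_local_fragile() {
    $DF -l "$1" 2>/dev/null | grep -q "File"
}

# Locale pinned for this one command only, so the rest of the script can
# still emit localized messages.
is_local_pinned() {
    LC_ALL=C $DF -l "$1" 2>/dev/null | grep -q "File"
}

# Run both checks under the given LANG; prints "fragile=<rc> pinned=<rc>".
compare() {
    (
        unset LC_ALL LC_MESSAGES
        LANG=$1; export LANG
        f=0; is_local_fragile "$2" || f=$?
        p=0; is_local_pinned "$2" || p=$?
        echo "fragile=$f pinned=$p"
    )
}

# Demo against the stub: Spanish locale, file on a local filesystem.
( DF=fake_df; compare es_ES.UTF-8 /etc/pki/ovirt-engine/ca.pem )  # fragile=1 pinned=0
```

Leaving `DF` unset runs the same two functions against the real `df`. The fragile check fails closed under a non-English locale, which is why certificate renewal was refused even though the CA file was local.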
[ovirt-users] Re: /etc/pki/ovirt-engine/ca.pem is not on a local filesystem
Hi Didi,

Thanks for the reply.

Finally solved it by exporting LANG=C in the shell before running the command.

Seems that the "pki-enroll-request.sh" does this check:

   LOCK="${PKIDIR}/${CA_FILE}".pem
   df -l "${LOCK}" 2> /dev/null | grep -q "File" || die "${LOCK} is not on a local filesystem"

However, if LANG is a different language than C, the output will vary and the grep command will return empty.

It's working now. Thanks.

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/YXTXJIEQRN2ZH77ZSBGW2UARPMYSPEG3/
[ovirt-users] Re: /etc/pki/ovirt-engine/ca.pem is not on a local filesystem
On Tue, Nov 14, 2023 at 10:49 AM wrote:
> Hi,
>
> We're running oVirt 4.5.4, recently we got this alert:
>
>    Engine's certification is about to expire at 2023-11-19. Please renew
>    the engine's certification.
>
> So I'm trying to run:
>
>    engine-setup --offline
>
> However, it fails with the following error:
>
>    [ INFO ] Upgrading CA
>    [ INFO ] Renewing engine certificate
>    [ ERROR ] Failed to execute stage 'Misc configuration': Command '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to execute
>
> Digging into the logs I can see this:
>
>    2023-11-14 08:36:22,848+ DEBUG otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ca plugin.execute:926 execute-output: ('/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh', '--name=engine', '--password=**FILTERED**', '--subject=/C=US/O=stic.ull.es/CN=fqdn.es', '--san=DNS:fqdn.es', '--keep-key') stderr:
>    Ignoring -days; not generating a certificate
>    /etc/pki/ovirt-engine/ca.pem is not on a local filesystem
>    Cannot sign request
>
>    2023-11-14 08:36:22,849+ DEBUG otopi.context context._executeMethod:145 method exception
>    Traceback (most recent call last):
>      File "/usr/lib/python3.6/site-packages/otopi/context.py", line 132, in _executeMethod
>        method['method']()
>      File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py", line 753, in _miscUpgrade
>        self._enrollCertificates(True, uninstall_files)
>      File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py", line 360, in _enrollCertificates
>        shortLife=entry['shortLife'],
>      File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py", line 250, in _enrollCertificate
>        + (('--days=398',) if shortLife else ())
>      File "/usr/lib/python3.6/site-packages/otopi/plugin.py", line 931, in execute
>        command=args[0],
>    RuntimeError: Command '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to execute
>    2023-11-14 08:36:22,852+ ERROR otopi.context context._executeMethod:154 Failed to execute stage 'Misc configuration': Command '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to execute
>
> However, the file exists and is on a local filesystem:
>
>    # ll /etc/pki/ovirt-engine/ca.pem
>    -rw-r--r--. 1 root root 4516 jun 24 2015 /etc/pki/ovirt-engine/ca.pem

This does not prove that it's on a local filesystem - can be on nfs, and nfs locking is sometimes problematic, so we prevented that. See pki-enroll-request.sh.

> Can someone shed some light about why is this failing and how to solve
> it, please?

What output do you get for:

df -l /etc/pki/ovirt-engine/ca.pem

?

Best regards,
--
Didi

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/NYQANBPVRZFUPMCHZIVTB2M4SVSKGASG/