[ovirt-users] Re: /etc/pki/ovirt-engine/ca.pem is not on a local filesystem

2023-11-14 Thread nicolas

Hi Didi,

Patch has been submitted at 
https://github.com/oVirt/ovirt-engine/pull/891.


Thanks.

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/6RPZKJFL5DJYXGO6O43ARR4NTU3LAK7X/


[ovirt-users] Re: /etc/pki/ovirt-engine/ca.pem is not on a local filesystem

2023-11-14 Thread Yedidyah Bar David
Hi,

On Tue, Nov 14, 2023 at 11:31 AM  wrote:

> Hi Didi,
>
> Thanks for the reply.
>
> Finally solved it by exporting LANG=C in the shell before running the
> command.
>
> Seems that the "pki-enroll-request.sh" does this check:
>
>   LOCK="${PKIDIR}/${CA_FILE}".pem
>   df -l "${LOCK}" 2> /dev/null | grep -q "File" || die "${LOCK} is not on a local filesystem"
>
> However, if LANG is a different language than C, the output will vary
> and the grep command will return empty.
>
> It's working now. Thanks.
>

Thanks for the update! You might want to push a patch to enforce the
locale for the `df` command (e.g. 'LC_ALL=C df -l...').

There are a few such places scattered around the code, but nothing
systematic - and I think we do want, in general, to have localized error
messages, so can't do this "too-high" in the execution hierarchy.

Best regards,



-- 
Didi
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/HM24AGSKFJIHQYLMXZZG7LXIGPPJIJOU/
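
The header test quoted in this thread and the per-command `LC_ALL=C` change suggested in the reply, as an added example that is not part of the original messages or of oVirt's code. The two `df` outputs are constructed samples, and `header_check`, `effective_msg_locale` and `is_local_fs` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed df(1) outputs for one local file. The second imitates a
# Spanish-locale header; the numbers are illustrative.
DF_C='Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/sda2       51290592 9123456  39530000  19% /'
DF_ES='S.ficheros     bloques de 1K  Usados Disponibles Uso% Montado en
/dev/sda2            51290592 9123456    39530000  19% /'

# The test quoted in the thread: passes only if the output contains "File",
# which is true for the untranslated header only.
header_check() {
    printf '%s\n' "$1" | grep -q "File"
}

# POSIX precedence for the message language: LC_ALL, then LC_MESSAGES,
# then LANG. The three arguments stand in for those variables.
effective_msg_locale() {
    if [ -n "$1" ]; then printf '%s\n' "$1"
    elif [ -n "$2" ]; then printf '%s\n' "$2"
    elif [ -n "$3" ]; then printf '%s\n' "$3"
    else printf 'C\n'
    fi
}

# The change suggested in the reply: pin the locale for this one df call,
# so the rest of the script keeps its localized messages.
is_local_fs() {
    LC_ALL=C df -l "$1" 2> /dev/null | grep -q "File"
}

for sample in "$DF_C" "$DF_ES"; do
    if header_check "$sample"; then
        echo "header check: pass"
    else
        echo "header check: FAIL (file reported as not local)"
    fi
done

# Exporting LANG=C has no effect while LC_ALL or LC_MESSAGES is set;
# LC_ALL=C on the command itself always wins.
echo "LC_ALL=es_ES.UTF-8 LANG=C -> $(effective_msg_locale es_ES.UTF-8 '' C)"
echo "LC_ALL=C LANG=es_ES.UTF-8 -> $(effective_msg_locale C '' es_ES.UTF-8)"
```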


[ovirt-users] Re: /etc/pki/ovirt-engine/ca.pem is not on a local filesystem

2023-11-14 Thread nicolas

Hi Didi,

Thanks for the reply.

Finally solved it by exporting LANG=C in the shell before running the 
command.


Seems that the "pki-enroll-request.sh" does this check:

  LOCK="${PKIDIR}/${CA_FILE}".pem
  df -l "${LOCK}" 2> /dev/null | grep -q "File" || die "${LOCK} is not on a local filesystem"


However, if LANG is a different language than C, the output will vary 
and the grep command will return empty.


It's working now. Thanks.

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/YXTXJIEQRN2ZH77ZSBGW2UARPMYSPEG3/


[ovirt-users] Re: /etc/pki/ovirt-engine/ca.pem is not on a local filesystem

2023-11-14 Thread Yedidyah Bar David
On Tue, Nov 14, 2023 at 10:49 AM  wrote:

> Hi,
>
> We're running oVirt 4.5.4, recently we got this alert:
>
>    Engine's certification is about to expire at 2023-11-19. Please renew the engine's certification.
>
> So I'm trying to run:
>
>    engine-setup --offline
>
> However, it fails with the following error:
>
>    [ INFO  ] Upgrading CA
>    [ INFO  ] Renewing engine certificate
>    [ ERROR ] Failed to execute stage 'Misc configuration': Command '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to execute
>
> Digging into the logs I can see this:
>
>    2023-11-14 08:36:22,848+ DEBUG otopi.plugins.ovirt_engine_setup.ovirt_engine.pki.ca plugin.execute:926 execute-output: ('/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh', '--name=engine', '--password=**FILTERED**', '--subject=/C=US/O=stic.ull.es/CN=fqdn.es', '--san=DNS:fqdn.es', '--keep-key') stderr:
>    Ignoring -days; not generating a certificate
>    /etc/pki/ovirt-engine/ca.pem is not on a local filesystem
>    Cannot sign request
>
>    2023-11-14 08:36:22,849+ DEBUG otopi.context context._executeMethod:145 method exception
>    Traceback (most recent call last):
>      File "/usr/lib/python3.6/site-packages/otopi/context.py", line 132, in _executeMethod
>        method['method']()
>      File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py", line 753, in _miscUpgrade
>        self._enrollCertificates(True, uninstall_files)
>      File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py", line 360, in _enrollCertificates
>        shortLife=entry['shortLife'],
>      File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py", line 250, in _enrollCertificate
>        + (('--days=398',) if shortLife else ())
>      File "/usr/lib/python3.6/site-packages/otopi/plugin.py", line 931, in execute
>        command=args[0],
>    RuntimeError: Command '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to execute
>    2023-11-14 08:36:22,852+ ERROR otopi.context context._executeMethod:154 Failed to execute stage 'Misc configuration': Command '/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh' failed to execute
>
> However, the file exists and is on a local filesystem:
>
>    # ll /etc/pki/ovirt-engine/ca.pem
>    -rw-r--r--. 1 root root 4516 jun 24  2015 /etc/pki/ovirt-engine/ca.pem
>

This does not prove that it's on a local filesystem - can be on nfs, and nfs
locking is sometimes problematic, so we prevented that. See
pki-enroll-request.sh.


>
> Can someone shed some light about why is this failing and how to solve
> it, please?
>

What output do you get for:
df -l /etc/pki/ovirt-engine/ca.pem
?

Best regards,
-- 
Didi
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/NYQANBPVRZFUPMCHZIVTB2M4SVSKGASG/