[ovirt-users] Re: Engine and host certificates expired
Thanks Didi, All certificates updated and oVirt environment 100% healthy. Regards Simon... ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/HDIR3KMPUBY2ALTEGIRMQOMJTITCLNWR/
[ovirt-users] Re: Engine and host certificates expired
On Wed, Sep 7, 2022 at 11:58 AM wrote: > > Many thanks Didi, > > I presume the above command can be used with the --offline option > > 'engine-setup --offline > --otopi-environment=OVESETUP_CONFIG/continueSetupOnHEVM=bool:True' Should be, yes. Best regards, -- Didi ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5UFIUXGL7YTBJ4GSWFITFBS4SG3TOLCX/
[ovirt-users] Re: Engine and host certificates expired
Many thanks Didi, I presume the above command can be used with the --offline option 'engine-setup --offline --otopi-environment=OVESETUP_CONFIG/continueSetupOnHEVM=bool:True' Kind regards Simon... ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/D3FLVOQE24HDPIE4RIWXHDLRHR5OBKLC/
[ovirt-users] Re: Engine and host certificates expired
Also: Considering that many people now have oVirt setups that are old enough to start having expired certs, and also the changes done in recent years around certs longevity, it would be nice if we have a doc page on the web site about how to handle this situation, as we see more such cases on the list. Any volunteers to start such a page? Or at least create a github issue with the details you currently know? Even such an open github issue is often easier to find and use (and link) than searching the mailing list. Best regards, On Wed, Sep 7, 2022 at 10:33 AM Yedidyah Bar David wrote: > > On Wed, Sep 7, 2022 at 12:37 AM wrote: > > > > I tried your 'Try restore old certificates and simply run again > > engine-setup' but the validation fails with: > > - > > [ ERROR ] It seems that you are running your engine inside of the > > hosted-engine VM and are not in "Global Maint > > enance" mode. > > In that case you should put the system into the "Global > > Maintenance" mode before running engine-setup, > > or the hosted-engine HA > > agent might kill the machine, which might corrupt your data. > > > > [ ERROR ] Failed to execute stage 'Setup validation': Hosted Engine setup > > detected, but Global Maintenance is n > > ot set. > > - > > even though I have placed it into Global Maintenance mode. > > > > The problem is that all 3 hosts are currently 'Non Responsive' > > > > FYI - In another environment where the vdsm certificates had expired on one > > of 2 clusters, copying the certs from a host in the other cluster allowed > > the hosts to become responsive so I could 'Enroll certificates'. > > I guess that the engine failed to notice the move to global > maintenance, due to the expired certs. > > If you are certain that indeed all hosts see that they are in global > maintenance - check with 'hosted-engine --vm-status' - you can update > the engine DB directly, e.g. with something like: > > https://lists.ovirt.org/archives/list/users@ovirt.org/thread/7KAHVACMATMWQZYFZLVHXEN57JPB3UWE/ > > /usr/share/ovirt-engine/dbscripts/engine-psql.sh -c 'update > vds_statistics set ha_global_maintenance=f' > > If all you want is to enforce engine-setup to skip this check, you can > try instead: > > engine-setup --otopi-environment=OVESETUP_CONFIG/continueSetupOnHEVM=bool:True > > Good luck and best regards, > -- > Didi -- Didi ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/FKPSEDBWQ4M3OA7FNQTFMBPXIEHATTCH/
[ovirt-users] Re: Engine and host certificates expired
On Wed, Sep 7, 2022 at 12:37 AM wrote: > > I tried your 'Try restore old certificates and simply run again engine-setup' > but the validation fails with: > - > [ ERROR ] It seems that you are running your engine inside of the > hosted-engine VM and are not in "Global Maint > enance" mode. > In that case you should put the system into the "Global Maintenance" > mode before running engine-setup, > or the hosted-engine HA agent might kill > the machine, which might corrupt your data. > > [ ERROR ] Failed to execute stage 'Setup validation': Hosted Engine setup > detected, but Global Maintenance is n > ot set. > - > even though I have placed it into Global Maintenance mode. > > The problem is that all 3 hosts are currently 'Non Responsive' > > FYI - In another environment where the vdsm certificates had expired on one > of 2 clusters, copying the certs from a host in the other cluster allowed the > hosts to become responsive so I could 'Enroll certificates'. I guess that the engine failed to notice the move to global maintenance, due to the expired certs. If you are certain that indeed all hosts see that they are in global maintenance - check with 'hosted-engine --vm-status' - you can update the engine DB directly, e.g. with something like: https://lists.ovirt.org/archives/list/users@ovirt.org/thread/7KAHVACMATMWQZYFZLVHXEN57JPB3UWE/ /usr/share/ovirt-engine/dbscripts/engine-psql.sh -c 'update vds_statistics set ha_global_maintenance=f' If all you want is to enforce engine-setup to skip this check, you can try instead: engine-setup --otopi-environment=OVESETUP_CONFIG/continueSetupOnHEVM=bool:True Good luck and best regards, -- Didi ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZHW555AFXKD3PS53G4ZCYCNYUQJXI6RQ/
[ovirt-users] Re: Engine and host certificates expired
Hi, OK, I see you running hosted engine. I have slightly different setup, engine runs on dedicated VM outside oVirt. > On 7 Sep 2022, at 00:36, si...@justconnect.ie wrote: > > I tried your 'Try restore old certificates and simply run again engine-setup' > but the validation fails with: > - > [ ERROR ] It seems that you are running your engine inside of the > hosted-engine VM and are not in "Global Maint > enance" mode. > In that case you should put the system into the "Global Maintenance" > mode before running engine-setup, > or the hosted-engine HA agent might kill > the machine, which might corrupt your data. > > [ ERROR ] Failed to execute stage 'Setup validation': Hosted Engine setup > detected, but Global Maintenance is n > ot set. > - > even though I have placed it into Global Maintenance mode. > > The problem is that all 3 hosts are currently 'Non Responsive' > > FYI - In another environment where the vdsm certificates had expired on one > of 2 clusters, copying the certs from a host in the other cluster allowed the > hosts to become responsive so I could 'Enroll certificates'. > > Shimme > ___ > Users mailing list -- users@ovirt.org > To unsubscribe send an email to users-le...@ovirt.org > Privacy Statement: https://www.ovirt.org/privacy-policy.html > oVirt Code of Conduct: > https://www.ovirt.org/community/about/community-guidelines/ > List Archives: > https://lists.ovirt.org/archives/list/users@ovirt.org/message/6DEEYA6DPKGLJAAR5W2QVBJJ3CARYFT2/ ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/N64OQSLPI37XOC27L5POYL2X374SBDCY/
[ovirt-users] Re: Engine and host certificates expired
I tried your 'Try restore old certificates and simply run again engine-setup' but the validation fails with: - [ ERROR ] It seems that you are running your engine inside of the hosted-engine VM and are not in "Global Maint enance" mode. In that case you should put the system into the "Global Maintenance" mode before running engine-setup, or the hosted-engine HA agent might kill the machine, which might corrupt your data. [ ERROR ] Failed to execute stage 'Setup validation': Hosted Engine setup detected, but Global Maintenance is n ot set. - even though I have placed it into Global Maintenance mode. The problem is that all 3 hosts are currently 'Non Responsive' FYI - In another environment where the vdsm certificates had expired on one of 2 clusters, copying the certs from a host in the other cluster allowed the hosts to become responsive so I could 'Enroll certificates'. Shimme ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/6DEEYA6DPKGLJAAR5W2QVBJJ3CARYFT2/
[ovirt-users] Re: Engine and host certificates expired
I made a backup of the /etc/pki/ directory and subfolders prior to overwriting the certs. Copying an indate cert was the only way I couldget the engine started. Is there a commandline procedure to do the same task as 'Enroll Certificates' via the WebUI? Shimme ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/Z335FXA6JU54M6PO6QFHOPJ6GLPSHWUD/
[ovirt-users] Re: Engine and host certificates expired
Hi, I hope you have not erased old certificates which you must restore back. You can't copy certificates from one host to another, it will not work. Try restore old certificates and simply run again engine-setup. On 9/6/22 23:06, si...@justconnect.ie wrote: I have an environment where the engine wouldn’t start and the certificate expiry dates were as follows. Host1 - 25th Sep 2022 Host2 - 11th Aug 2022 Host3 - 11th Aug 2022 I copied the vdsm certs from Host1 to Host2 & Host3 Engine then started on Host1 and then backed up. Engine cert expiry 11th Aug 2022 I put the cluster into Global Maintenance mode and then tried: ‘engine-setup —offline’ Which failed as the validation check said the engine wasn’t in Global Maintenance mode even though ‘hosted-engine —vm-status said it was. None of the Hosts are ‘GREEN’ (can’t remember what the status was as I’m writing this from memory) but their status is ’RED’. There are VMs running on the 3 Hosts and I’m reluctant to restart anything at the moment. Is there a way to refresh the engine certificate to get past this or do I need to restart vdsm service on each host to bring them back online as far as the engine is concerned? The environment is currently at 4.4.6 and is to be upgraded to 4.5.2 next month. Any help as always will be greatly appreciated. Kind regards Simon ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/SKGWY5ZIBAG5GTWHIPDUO5O64PUZN7Y2/ ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/QWN46ZLHPNUP3FEZ2MKFFC62VDFPDJJA/