[ovirt-users] Re: PKIX path validation failed
Did you try to drop valid certificates in /etc/pki/tls/certs and run `update-ca-trust extract`? (See https://fedoraproject.org/wiki/Features/SharedSystemCertificates for details.) If you use an OpenJDK JVM, and not Temurin or Oracle JDK, that should be enough.

> On 10 June 2024 at 15:47, Ali Gusainov wrote:
>
> Hello experts.
>
> Environment:
> oVirt: Software Version:4.4.10.7-1.el8
> OS: CentOS Linux release 8.5.2111
>
> Symptoms:
> 1. At login prompt I see this:
> "PKIX path validation failed: java.security.certCertPathValidatorException:
> validity check failed"
> which successfully resolved by "engine-setup --offline"
> 2. Now the host at 'Unassigned' status and all VMs marked with '?' symbol.
> At vdsm.log I found message:
> ERROR (Reactor thread) [ProtocolDetector.SSLHandshakeDispatcher] ssl
> handshake: socket error, address: :::. (sslutils:272)
> At engine.log I found messages:
> ERROR [org.ovirt.engine.core.vdsbroker.monitoring.HostMonitoring]
> (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-2) []
> Unable to RefreshCapabilities: VDSNetworkException: VDSGenericException:
> VDSNetworkException: PKIX path validation failed:
> java.security.cert.CertPathValidatorException: validity check failed
> ...
> 2024-06-10 17:54:13,576+05 ERROR
> [org.ovirt.engine.core.vdsbroker.monitoring.HostMonitoring]
> (EE-ManagedScheduledExecutorService-engineScheduledThreadPool-Thread-8) []
> Unable to RefreshCapabilities: VDSNetworkException: VDSGenericException:
> VDSNetworkException: PKIX path validation failed:
> java.security.cert.CertPathValidatorException: validity check failed
>
> Cause:
> Certificate expired.
>
> Questions:
> 1. How to bring host 'Online'?
> 2. How to properly update SSL?
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/ERNPMYZDMRJAEWQI5VZJMX4YOK3TJWS5/

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5HPVZKQM4JSVE4ISJSF5ZCMUFFPMET23/
[ovirt-users] Re: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
That's a brilliant catch... noted for future use :-)

It looks like you make engine-setup ignore that check, suggesting something is not right somewhere in the HE environment. But it fixes the cert problem and as there is nothing else the matter, it serves a purpose :-)
[ovirt-users] Re: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
I found the link https://www.mail-archive.com/users@ovirt.org/msg71302.html

"...Knowing that the remaining hosts are actually in global service, I issued:

    engine-setup --otopi-environment=OVESETUP_CONFIG/continueSetupOnHEVM=bool:True --offline
"

This recipe helped me.
[ovirt-users] Re: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
Hello.

I just encountered this myself last night. I found the solution on Red Hat's customer portal. It was suggested to run setup-engine once more, as it will renew the self-signed certificates. It worked for me, though I'm running on oVirt 4.5.4-1.el8.

Remember to run this command on an oVirt NODE (not the engine):

    hosted-engine --set-maintenance --mode=global

And then run the following command in your self-hosted engine:

    engine-setup

I did not use the --offline switch. It renewed the certificates and all is good in my case.

However, there is a case with your exact error on the Red Hat Customer Portal, even when you have enabled global maintenance mode. See here: https://access.redhat.com/solutions/2689961 (in case I'm not allowed to post links, I'm sorry, let me know and I will remove it).

The root cause appears to be related to a check built into setup-engine to verify if the hosted-engine is up. In your case it might be showing as down, causing this error message. According to the Customer Portal this might happen when the environment was restored using engine-backup from an old HE environment. So the HE VM which exists in the current environment was the old HE VM with the old UUID. It might need manual manipulation of the database to make sure the UUID of the new engine is installed in the database, which then results in the correct up/down state when setup-engine checks. The article seems to suggest that removing the UUID of the old engine would be sufficient to resolve the problems.

The following SQL statements were supplied to verify the state of the engine in the database and might give you a clue as to what to change in the database:

    SELECT vm_guid, run_on_vds FROM vms WHERE vm_name = 'HostedEngine';
    SELECT vds_id, ha_global_maintenance FROM vds_statistics WHERE vds_id = 'vds-uuid';

I guess in your case 2 entries appear on the first statement, both the new and old HostedEngine VM. Removing the old one would probably fix your issue.

I have no idea if you did restore an environment at some point, or if you are dealing with some other corruption? I hope you can sort it... let us know how it goes.
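An added example, not part of the original thread and not oVirt's own tooling: the "validity check failed" part of the PKIX error means a certificate in the chain is outside its validity period, so it helps to see which file is affected before and after renewal. The function names and the 30-day warning window are assumptions, and the check covers only notAfter; pass the certificate files of your own installation as arguments.

```shell
#!/bin/sh
# Added example: classify PEM certificates by how close they are to notAfter.

# cert_status FILE [WARN_DAYS]  (WARN_DAYS defaults to 30, an assumed window)
# Prints and returns: valid=0, expiring=1, expired=2, unreadable=3.
cert_status() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo unreadable; return 3
    fi
    # -checkend N exits non-zero when notAfter falls within the next N seconds.
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 2
    fi
    if ! openssl x509 -in "$1" -noout \
            -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1; then
        echo expiring; return 1
    fi
    echo valid; return 0
}

# report_certs WARN_DAYS FILE...
# One line per file; the return code is the worst status seen, so the
# function can gate a maintenance script or a monitoring check.
report_certs() {
    window=$1; shift
    worst=0
    for f in "$@"; do
        rc=0
        state=$(cert_status "$f" "$window") || rc=$?
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null) || end='notAfter=?'
        printf '%-10s %-36s %s\n' "$state" "$end" "$f"
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Usage: sh check-certs.sh /path/to/cert1.pem /path/to/cert2.pem ...
if [ "$#" -gt 0 ]; then
    report_certs 30 "$@"
fi
```

Running it on a schedule with a warning window longer than your maintenance lead time surfaces an approaching expiry before the engine and hosts stop trusting each other.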
[ovirt-users] Re: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
Version 4.4.10.7-1.el8