Hi,

I see some interest in how to change the host name of the machine where the engine runs (in release 3.1). This is a manual procedure that you can use to do that:

0. Make a backup copy of the /etc/pki/ovirt-engine directory.

1. Regenerate the engine certificate signing request preserving the existing private key (this is very important in order to avoid having to decrypt/encrypt passwords stored in the database):

    openssl req \
      -new \
      -subj '/C=US/O=Example Inc./CN=f17.example.com' \
      -key /etc/pki/ovirt-engine/keys/engine_id_rsa \
      -out /etc/pki/ovirt-engine/requests/engine.req

Replace "Example Inc." with the value that you provided during the installation. If you forgot them, they can be extracted from the current engine certificate:

    openssl x509 \
      -in /etc/pki/ovirt-engine/certs/engine.cer \
      -noout \
      -subject

And *VERY IMPORTANT*, replace "f17.example.com" with the new fully qualified host name.

2. Sign the engine certificate again; to simplify this, the SignReq.sh script should be used:

    cd /etc/pki/ovirt-engine
    ./SignReq.sh \
      engine.req \
      engine.cer \
      1800 \
      /etc/pki/ovirt-engine \
      `date -d yesterday +%y%m%d%H%M%S+0000` \
      NoSoup4U

Double check that the generated certificate is correct, visually and with the following command:

    openssl verify \
      -CAfile /etc/pki/ovirt-engine/ca.pem \
      /etc/pki/ovirt-engine/certs/engine.cer

3. Also generate a DER-encoded version of the certificate:

    openssl x509 \
      -in /etc/pki/ovirt-engine/certs/engine.cer \
      -out /etc/pki/ovirt-engine/certs/engine.der \
      -outform der

4. Export the engine private key and certificate to a PKCS12 file:

    openssl pkcs12 \
      -export \
      -name engine \
      -inkey /etc/pki/ovirt-engine/keys/engine_id_rsa \
      -in /etc/pki/ovirt-engine/certs/engine.cer \
      -out /etc/pki/ovirt-engine/keys/engine.p12 \
      -passout pass:NoSoup4U

5. Regenerate the keystore used by the engine, importing the old CA certificate and the new engine certificate:

    rm -f /etc/pki/ovirt-engine/.keystore

    keytool \
      -keystore /etc/pki/ovirt-engine/.keystore \
      -import \
      -alias cacert \
      -storepass mypass \
      -noprompt \
      -file /etc/pki/ovirt-engine/ca.pem

    keytool \
      -keystore /etc/pki/ovirt-engine/.keystore \
      -importkeystore \
      -srckeystore /etc/pki/ovirt-engine/keys/engine.p12 \
      -srcalias engine \
      -srcstoretype PKCS12 \
      -srcstorepass NoSoup4U \
      -srckeypass NoSoup4U \
      -destalias engine \
      -deststorepass mypass \
      -destkeypass mypass

6. Restart the httpd and ovirt-engine services:

    service ovirt-engine restart
    service httpd restart

7. If using ovirt-node as the hypervisors, then for each of them check and fix the "vdc_host_name" parameter in the "/etc/vdsm-reg/vdsm-reg.conf" file.

Note that this procedure will leave a small trace: the CA certificate will still contain the URL of the old host. That is a minor inconvenience, but to solve it *all* certificates would need to be replaced. If there is interest I can prepare a procedure to do that as well.

Feedback is welcome.

Regards,
Juan Hernandez
--
Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain
Registered in the Madrid Mercantile Registry – C.I.F. B82657941 - Red Hat S.L.
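
A check that can be run after step 2 and before the keystore is rebuilt, added here as an example and not part of the original message: it confirms that the re-issued certificate still carries the public key of the preserved private key, that its CN is the new host name, and that it verifies against the CA. The function names, return codes and the throwaway demo PKI are assumptions made for the example; on a real engine pass the key, certificate and CA paths used in the procedure.

```sh
#!/bin/sh
# Added example. check_engine_cert KEY CERT CA FQDN returns:
#   0 = OK, 1 = cert holds a different key, 2 = CN is not FQDN,
#   3 = cert does not verify against CA, 4 = key or cert unreadable
check_engine_cert() {
    key=$1 cert=$2 ca=$3 fqdn=$4
    # Compare the public key PEM text; bail out if either file cannot be
    # parsed, so that two failures never compare as equal.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 4
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 4
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] || return 1
    # RFC 2253 output lists the last RDN first, so CN leads the line when
    # the subject was built as in step 1 (/C=.../O=.../CN=...).
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
         sed -n 's/^subject= *CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$fqdn" ] || return 2
    # Match on the "OK" line instead of relying on the exit status alone.
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' || return 3
    return 0
}

# Constructed sample input: throwaway CA plus an "engine" key and certificate
# in directory $1 for host name $2 (stands in for /etc/pki/ovirt-engine).
make_demo_pki() {
    d=$1 fqdn=$2
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' \
        '[dn]' '[v3]' 'basicConstraints=critical,CA:TRUE' > "$d/demo.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/demo.cnf" \
        -subj '/C=US/O=Example Inc./CN=demo-ca' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl genrsa -out "$d/engine.key" 2048 2>/dev/null &&
    openssl req -new -config "$d/demo.cnf" -key "$d/engine.key" \
        -subj "/C=US/O=Example Inc./CN=$fqdn" -out "$d/engine.req" &&
    openssl x509 -req -in "$d/engine.req" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/engine.cer" 2>/dev/null
}

# Demo run on the constructed PKI.
tmp=$(mktemp -d) && make_demo_pki "$tmp" f17.example.com &&
check_engine_cert "$tmp/engine.key" "$tmp/engine.cer" "$tmp/ca.pem" f17.example.com
echo "check_engine_cert exit status: $?"
rm -rf "$tmp"
```

A return code of 1 means the certificate was issued for a different key than the one in the keys directory, which is the situation step 1 is written to avoid.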