On Mon, Jul 25, 2016 at 11:40 AM, Piotr Kliczewski < piotr.kliczew...@gmail.com> wrote:
> I remember an issue that engine upgrade corrupted certificates and > "General SSLEngine problem" may be indication that you saw it. > I asked to open BZ for it but was unable to find it. > > @Sandro @Simone was it fixed already? > I've vague memories of something related being fixed, but without a bug number I can't tell for sure. Adding also Didi, since ssl / pki is his area and he may be aware. > > On Thu, Jul 21, 2016 at 3:18 PM, Martin Perina <mper...@redhat.com> wrote: > > Thanks a lot for you effort, I'm glad that you were able to upgrade > > successfully although we were not able to find the cause for the issue > :-( > > > > On Thu, Jul 21, 2016 at 2:30 PM, <nico...@devels.es> wrote: > >> > >> So I gave it another try and this time it worked without any issue (with > >> 4.0.1.1 version). Strange, maybe the first upgrade failure left system > in a > >> weird state? Anyhow almost everything ([1]) is working fine now. Thanks > for > >> the help! > >> > >> [1]: https://bugzilla.redhat.com/show_bug.cgi?id=1358737 > > > > > > Adding Tomas about this one > > > >> > >> > >> El 2016-07-20 20:23, Martin Perina escribió: > >>> > >>> On Wed, Jul 20, 2016 at 6:18 PM, Nicolás <nico...@devels.es> wrote: > >>> > >>>> El 20/07/16 a las 16:45, Martin Perina escribió: > >>>> > >>>> On Wed, Jul 20, 2016 at 4:44 PM, Nicolás <nico...@devels.es> wrote: > >>>> > >>>> Hi Martin, > >>>> > >>>> Actually, up until now we had that cert configured in httpd and in > >>>> websocket proxy. Seems that now in 4.0.x it's not enough, as opening > >>>> the https://fqdn [1] complains about the cert not being imported in > >>>> the key chain. > >>>> > >>>> Yes, there's an updated procedure on using external CA in 4.0, > >>>> for details please take a look at Doc Text in > >>>> > >>>> https://bugzilla.redhat.com/show_bug.cgi?id=1336838 [2] > >>>> > >>>> So I imported it via keytool, but I don't want to use it in the > >>>> engine <-> VDSM communication. > >>>> > >>>> Hmm, so that would imply that we have some issue with existing > >>>> internal enigne CA during upgrade ... > >>>> > >>>> The strange thing is that we test upgrades a lot but so far we > >>>> haven't seen any issues which will broke > >>>> > >>>> SSL setup between engine and VDSM. You said that you had to > >>>> downgrade back to 3.6.7 (so unfortunately for us we cannot > >>>> investigate your nonworking setup more), but how did you do that? > >>>> > >>>> Removing all engine packages and configuration, installing back > >>>> 3.6.7 packaging and restoring configuration form backup? > >>>> > >>>> I'm asking to know what changed in your setup between not working > >>>> 4.0 and working 3.6.7 ... > >>> > >>> > >>> Indeed, those are the steps I followed to the point. > >>> > >>> To add more strangeness, previously to upgrading this oVirt > >>> infrastructure, we upgraded another one that we have (also using own > >>> cert, a different one but from the same CA) and everything went > >>> smoothly. And what's more, previously to upgrading the engine that > >>> failed, I created a copy of that engine machine in a sandbox > >>> environment to see if upgrade process would or not success, and it > >>> worked perfectly. > >>> > >>> The only difference between the sandbox and the real machine's > >>> process was that when upgrading the real one, the first time I run > >>> "engine-setup" it failed because 'systemd' reported PostgreSQL as it > >>> was not running (actually it was, thougg), so everything rolled back. > >>> I had to kill the PostgreSQL process, start it again with systemctl > >>> and then run "engine-setup", where the process completed successfully > >>> but the SSL issue appeared. Not sure if this rollback could have > >>> shattered the whole thing... > >>> > >>> Anyhow, tomorrow I'm going to create another copy of the engine > >>> machine to a sandbox environment and try again. If it works I'll cross > >>> my fingers and give another try on the real machine... > >>> > >>> Thanks! > >>> > >>> Thanks a lot for you effort. I will try to perform same upgrade > >>> tomorrow in my test env. > >>> > >>> > >>>> Thanks > >>>> > >>>> Martin > >>>> > >>>> Thanks! > >>>> En 20/7/2016 2:48 p. m., Martin Perina <mper...@redhat.com> > >>>> escribió: > >>>> > >>>> Hi, > >>>> > >>>> sorry for late response, I overlook your reply :-( > >>>> > >>>> I looked at your logs and it seems to me that there's SSL > >>>> error when engine tries to contact VDSM. > >>>> > >>>> You have mentioned that your are using your own custom CA. Are > >>>> you using it only for HTTPS certificate or do you want to use it > >>>> also for Engine <-> VDSM communication? > >>>> > >>>> > >>>> Martin Perina > >>>> > >>>> > >>>> > >>>> On Wed, Jul 20, 2016 at 9:18 AM, <nico...@devels.es> wrote: > >>>> Any hints about this? > >>>> > >>>> El 2016-07-13 11:13, nico...@devels.es escribió: > >>>> Hi, > >>>> > >>>> Unfortunately, upgrading to 4.0.1RC didn't solve the problem. > >>>> Actually, the error changed to 'General SSLEngine problem', but the > >>>> result was the same, like this: > >>>> > >>>> 2016-07-13 09:52:22,010 INFO > >>>> [org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (SSL Stomp > >>>> Reactor) [] Connecting to /10.X.X.X > >>>> 2016-07-13 09:52:22,018 ERROR > >>>> [org.ovirt.vdsm.jsonrpc.client.reactors.Reactor] (SSL Stomp > >>>> Reactor) > >>>> [] Unable to process messages: General SSLEngine problem > >>>> > >>>> It's worth mentioning that we're using our own SSL certificates > >>>> (not > >>>> self-signed), and I imported the combined certificate into the > >>>> /etc/pki/ovirt-engine/.truststore key file. Not sure if related, > >>>> but > >>>> just in case. > >>> > >>> > >>>> I had to downgrade to 3.6.7. I'm attaching requested logs, if you > >>>> need > >>>> anything else don't hesitate to ask. > >>>> > >>>> Regards. > >>>> > >>>> El 2016-07-13 09:45, Martin Perina escribió: > >>>> Hi, > >>>> > >>>> could you please share also vdsm.log from your hosts and also > >>>> server.log and setup logs from /var/log/ovirt-engine/setup > >>>> directory? > >>>> > >>>> Thanks > >>>> > >>>> Martin Perina > >>>> > >>>> On Wed, Jul 13, 2016 at 10:36 AM, <nico...@devels.es> wrote: > >>>> > >>>> Hi, > >>>> > >>>> We upgraded from 3.6.6 to 4.0.0 and we have a big issue since the > >>>> engine cannot connect to hosts. In the logs all we see is this > >>>> error: > >>>> > >>>> ERROR [org.ovirt.vdsm.jsonrpc.client.reactors.Reactor] (SSL > >>>> Stomp Reactor) [] Unable to process messages > >>>> > >>>> I'm attaching full logs. > >>>> > >>>> Could someone help please? > >>>> > >>>> Thanks. > >>>> _______________________________________________ > >>>> Users mailing list > >>>> Users@ovirt.org > >>>> http://lists.ovirt.org/mailman/listinfo/users [3] [1] > >>>> > >>>> Links: > >>>> ------ > >>>> [1] http://lists.ovirt.org/mailman/listinfo/users [3] > >>> > >>> > >>> _______________________________________________ > >>> Users mailing list > >>> Users@ovirt.org > >>> http://lists.ovirt.org/mailman/listinfo/users [3] > >>> > >>> > >>> > >>> Links: > >>> ------ > >>> [1] https://fqdn > >>> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1336838 > >>> [3] http://lists.ovirt.org/mailman/listinfo/users > > > > > > > > _______________________________________________ > > Users mailing list > > Users@ovirt.org > > http://lists.ovirt.org/mailman/listinfo/users > > > -- Sandro Bonazzola Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users