On Thu, Sep 3, 2020 at 4:49 PM Martin Perina <mper...@redhat.com> wrote:
>
> On Thu, Sep 3, 2020 at 2:56 PM Pierre pit <pierre.labanow...@xlim.fr> wrote:
>>
>> I have a communication problem between all the nodes and the manager
>> following the upgrade from 4.3 to 4.4. I followed the procedure of update
>> 4.3 to 4.4 everything worked correctly, according to the import export
>> scripts as well as the installation setup on the new manager in 4.4, all is
>> ok. Only after connection to the manager, all the nodes are in a down state,
>> there is no more communication between the manager newly installed in 4.4
>> and the nodes still in production in 4.3.
>>
>> In the manager I have this message for all the nodes:
>> ` VDSM virtdell8 command Get Host Capabilities failed: PKIX path validation
>> failed: java.security.cert.CertPathValidatorException: Algorithm constraints
>> check failed on signature algorithm: SHA256withRSA`

Are you sure this is the full error? Searching for it in google finds me only 2 results. Dropping "SHA256withRSA" finds about 770, which gave me a clue to search for:

"Algorithm constraints check failed on signature algorithm:SHA256WithRSAEncryption"

which finds 25 results. Not that many, but more than 2.

>
> Hi Pierre,
>
> Hmm, the following error is a bit misleading, but it gives a clue to me.
> Could you please check the key size of your ovirt-engine CA key?
>
> openssl x509 -text -noout -in /etc/pki/ovirt-engine/ca.pem | grep 'RSA Public-Key'
>
> If your key size is less than 2048 bits, then you need to change crypto
> policy of your CentOS 8 to LEGACY using below steps:
>
> 1. Execute 'update-crypto-policies --set LEGACY'
> 2. Reboot the machine
>
> That should mitigate the issue, but I'm really curious, this should not
> happen unless your engine was installed in oVirt 3.0 era and then
> continuously upgraded up to 4.4, because we have switched to 2048 bits in
> 2012:
>
> https://gerrit.ovirt.org/4389
>
> Is this your case?

Also: anything non-default, non-standard about your setup? Either before or after the upgrade? In particular, added yum/dnf repos (such as EPEL)? Which openjdk versions do you have installed?

Best regards,

>
> Regards,
> Martin
>
>>
>> And on the nodes:
>> ` 2020-09-01 17:38:13,083+0200 ERROR (Reactor thread)
>> [ProtocolDetector.SSLHandshakeDispatcher] ssl handshake: SSLError, address:
>> ::ffff:XXX.XXX.XXX.XXX (sslutils:264)
>> vdsm[4400]: ERROR ssl handshake: SSLError, address: ::ffff:XXX.XXX.XXX.XXX`
>>
>> After a search on the forums I found a similar error on version 4.2 only the
>> solution of comment `ssl_excludes` in the `/etc/vdsm/vdsm.conf` file but
>> does not apply to my problem.
>>
>> I unfortunately had to backtrack because it was no longer possible to
>> control ovirt and use the manager for our production. The new machine with
>> the manager in 4.4 is offline while a solution is found.
>>
>> Do you know where should I look in order to solve this problem?
>>
>> Thank you in advance
>> Pierre
>> _______________________________________________
>> Users mailing list -- users@ovirt.org
>> To unsubscribe send an email to users-le...@ovirt.org
>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>> oVirt Code of Conduct:
>> https://www.ovirt.org/community/about/community-guidelines/
>> List Archives:
>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/CE34HLTRN54HVOJNK3ZCNXH66CIYFSQS/
>
> --
> Martin Perina
> Manager, Software Engineering
> Red Hat Czech s.r.o.

--
Didi
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/OIBZ6BKURLAAP77XHZAWAINB2DBSB2MD/
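
Added example, not part of any message in this thread: a shell helper for the CA key-size check Martin describes, which reads `openssl x509 -text -noout` output and classifies the key against the 2048-bit threshold he names. It accepts both the `RSA Public-Key:` line (OpenSSL 1.1.x, as on CentOS 8) and the bare `Public-Key:` line printed by OpenSSL 3.x, which the grep pattern in the thread does not match; the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.
MIN_RSA_BITS=2048   # threshold named in the thread

# Read `openssl x509 -text -noout` output on stdin; print "<algorithm> <bits>".
# Exits non-zero when no key-size line is present.
parse_pubkey() {
    awk '
        /Public Key Algorithm:/ { alg = $NF }
        /Public-Key: .[0-9]+ bit/ {
            bits = $0
            sub(/^[^0-9]*/, "", bits)   # drop everything before the number
            sub(/ bit.*/, "", bits)     # drop the trailing " bit)"
            print (alg == "" ? "unknown" : alg), bits
            found = 1
            exit
        }
        END { if (!found) exit 1 }
    '
}

# Classify certificate text on stdin: prints ok, weak, not-rsa or unparsed.
check_cert_text() {
    parsed=$(parse_pubkey) || { echo "unparsed"; return 2; }
    set -- $parsed
    case $1 in
        rsaEncryption) ;;
        *) echo "not-rsa"; return 0 ;;
    esac
    if [ "$2" -lt "$MIN_RSA_BITS" ]; then echo "weak"; else echo "ok"; fi
}

# Constructed samples of the relevant lines of `openssl x509 -text` output.
SAMPLE_OLD_CA='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'
SAMPLE_NEW_CA='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'

printf '%s\n' "$SAMPLE_OLD_CA" | check_cert_text   # weak
printf '%s\n' "$SAMPLE_NEW_CA" | check_cert_text   # ok

# On the engine host (path from the thread):
#   openssl x509 -text -noout -in /etc/pki/ovirt-engine/ca.pem | check_cert_text
#   update-crypto-policies --show    # policy currently in effect
```

A `weak` result corresponds to the case in which the thread suggests switching the crypto policy to LEGACY as a mitigation.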