On Fri, Nov 20, 2020 at 1:37 PM Alex K <rightkickt...@gmail.com> wrote:
> Following the above, I was seeing that OVN provider connectivity test was
> failing due to some certificate issue and had to do the following to fix
> it:

Is this on the same systems of "[ovirt-users] Fix corrupt self-hosted engine", or unrelated?

> names="ovirt-provider-ovn"
>
> subject="$(\
> openssl x509 \
> -in /etc/pki/ovirt-engine/certs/apache.cer \
> -noout \
> -subject | \
> sed \
> 's;subject= \(.*\);\1;'
> )"
>
> . /usr/share/ovirt-engine/bin/engine-prolog.sh
>
> for name in $names; do
> /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh \
> --name="${name}" \
> --password=mypass \
> --subject="${subject}" \
> --keep-key \
> --san=DNS:"${ENGINE_FQDN}"
> done
>
> Having fixed the above, when trying to connect two VMs on some OVN logical
> switches it seems they are not able to reach each other.
> I had previously added such logical switches at engine by running:
>
> ovn-nbctl ls-add ovn-net0
> ovn-nbctl ls-add ovn-net1
> etc
>
> Checking the logs at the host /var/log/openvswitch/ovsdb-server.log I see:
> reconnect|WARN|unix#45: connection dropped (Connection reset by peer)
>
> Also systemctl status ovirt-provider-ovn.service at engine shows:
> /usr/lib/python2.7/site-packages/urllib3/connection.py:344:
> SubjectAltNameWarning:...
>
> I have restarted at engine both engine and ovn services:
> systemctl restart ovirt-engine
> systemctl status ovirt-provider-ovn.service
>
> I have also restarted the relevant service at each host:
> systemctl restart ovn-controller.service
>
> When running at host the following it gets stuck and does not give any output:
> ovn-sbctl show
>
> I see that the certificate is imported at key-store as it has the same
> fingerprint with the previous root CA:
>
> keytool -list -alias ovirt-provider-ovn -keystore /var/lib/ovirt-engine/external_truststore
>
> At this same cluster, I had previously changed the domain name of each
> host and engine using the rename tool.

After that, did ovn still work well?

> And now replaced the certificates as previously described so as to fix
> the imageio cert issue and ovn issue.
>
> It seems that OVN is not happy with the status of certificates.
> When testing connection at engine GUI I get a prompt to trust the cert,
> and when pressing ok I get a green confirmation of successful connection.
>
> Is there anything else that can be done to fix OVN functionality?

No idea, adding Dominik.

Best regards,

> Thanx
> Alex
>
> On Thu, Nov 19, 2020 at 9:00 AM Alex K <rightkickt...@gmail.com> wrote:
>
>> Seems that all services (imageio, ovn, web socket) are fine after
>> following the above and importing the new self signed CA certificate.
>> Did run also engine-setup as I was trying to fix the imageio cert issue,
>> though seems that that was only fixed after importing the CA cert at
>> browser and engine-setup might not be needed.
>>
>> On Wed, Nov 18, 2020 at 3:07 PM Alex K <rightkickt...@gmail.com> wrote:
>>
>>> Seems I had a typo at
>>> /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf.
>>> I will repeat the test to verify that all services are functional
>>> following this process.
>>>
>>> On Wed, Nov 18, 2020 at 10:24 AM Alex K <rightkickt...@gmail.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I am trying to replace the ovirt certificate at ovirt 4.3 following
>>>> this:
>>>>
>>>> https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl
>>>>
>>>> I am doing the following:
>>>> I have engine FQDN: manager.lab.local
>>>>
>>>> 1. Create root CA private key:
>>>> openssl genrsa -des3 -out root.key 2048
>>>>
>>>> 2. Generate root certificate: (enter passphrase of root key)
>>>> openssl req -x509 -new -nodes -key root.key -sha256 -days 3650 -out root.pem
>>>> cp root.pem /tmp
>>>>
>>>> 3. Create key and CSR for engine:
>>>> openssl genrsa -out manager.lab.local.key 2048
>>>> openssl req -new -out manager.lab.local.csr -key manager.lab.local.key
>>>>
>>>> 4. Generate a certificate for engine and sign with the root CA key:
>>>>
>>>> openssl x509 -req -in manager.lab.local.csr \
>>>> -CA root.pem \
>>>> -CAkey root.key \
>>>> -CAcreateserial \
>>>> -out manager.lab.local.crt \
>>>> -days 3650 \
>>>> -sha256 \
>>>> -extensions v3_req
>>>>
>>>> 5. Verify the trust chain and check the certificate details:
>>>> openssl verify -CAfile root.pem manager.lab.local.crt
>>>> openssl x509 -text -noout -in manager.lab.local.crt | head -15
>>>>
>>>> 6. Generate a P12 container: (with empty password)
>>>> openssl pkcs12 -export -out /tmp/apache.p12 \
>>>> -inkey manager.lab.local.key \
>>>> -in manager.lab.local.crt
>>>>
>>>> 8. Export key and cert:
>>>> openssl pkcs12 -in apache.p12 -nocerts -nodes > /tmp/apache.key
>>>> openssl pkcs12 -in apache.p12 -nokeys > /tmp/apache.cer
>>>>
>>>> From the above steps we should have the following:
>>>>
>>>> /tmp/root.pem
>>>> /tmp/apache.p12
>>>> /tmp/apache.key
>>>> /tmp/apache.cer
>>>>
>>>> 9. Place the certificates:
>>>> hosted-engine --set-maintenance --mode=global
>>>> cp -p /etc/pki/ovirt-engine/keys/apache.p12 /tmp/apache.p12.bck
>>>> cp /tmp/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12
>>>> cp /tmp/root.pem /etc/pki/ca-trust/source/anchors
>>>> update-ca-trust
>>>> rm /etc/pki/ovirt-engine/apache-ca.pem
>>>> cp /tmp/root.pem /etc/pki/ovirt-engine/apache-ca.pem
>>>>
>>>> Backup existing key and cert:
>>>> cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.bck
>>>> cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.bck
>>>> cp /tmp/apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass
>>>> cp /tmp/apache.cer /etc/pki/ovirt-engine/certs/apache.cer
>>>> chown root:ovirt /etc/pki/ovirt-engine/keys/apache.key.nopass
>>>> chmod 640 /etc/pki/ovirt-engine/keys/apache.key.nopass
>>>> systemctl restart httpd.service
>>>>
>>>> 10. Create a new trust store configuration file:
>>>> vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>>>>
>>>> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
>>>> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
>>>>
>>>> 11. Edit /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf :
>>>> vi /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>>>
>>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
>>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>
>>>> 12. Edit /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf:
>>>> vi /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
>>>>
>>>> # Key file for SSL connections
>>>> ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
>>>> # Certificate file for SSL connections
>>>> ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer
>>>>
>>>> 13. Import the certificate at system-wide java trust store
>>>>
>>>> update-ca-trust extract
>>>> keytool -list -alias ovirt -keystore /etc/pki/java/cacerts
>>>>
>>>> 14. Restart services:
>>>> systemctl restart httpd.service
>>>> systemctl restart ovirt-provider-ovn.service
>>>> systemctl restart ovirt-imageio-proxy
>>>> systemctl restart ovirt-websocket-proxy
>>>> systemctl restart ovirt-engine.service
>>>>
>>>> Following the above I get at engine GUI:
>>>>
>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>> valid certification path to requested target
>>>>
>>>> I have tried also to run engine-setup in case it could fix anything (it
>>>> renewed the cert due to missing subjectAltName), and the above error still
>>>> persists.
>>>> I have tried several other suggestions from similar issues reported at
>>>> this list without any luck.
>>>> I have run out of ideas. Am I missing anything?
>>>> Thanx for any suggestions.
>>>> Alex
>>>>
>>>
> _______________________________________________
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/PKKBI7Y2RZBEOAEGVVTOLGLBFKFLGUM6/

-- 
Didi
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/YNPVB7GOE6EEH5QBKH6ZIBEGAMLV3DXU/
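A note on the certificate steps quoted above, with an added example that is not part of the thread and not oVirt project code. Step 4 signs the engine CSR with `-extensions v3_req` but no `-extfile`; `openssl x509 -req` only emits extensions it reads from an `-extfile`, so the resulting certificate carries no subjectAltName at all, which matches engine-setup later renewing it for a missing subjectAltName and the `SubjectAltNameWarning` from urllib3. The script below issues a CA-signed test certificate with a DNS SAN the right way and provides two checks a practitioner can run against the deployed `apache-ca.pem` and `apache.cer` before restarting httpd and the engine: does the chain verify against the CA, and does the SAN list contain the engine FQDN exactly. The CA name, the temporary directories and the functions `issue_engine_cert`, `chain_verifies`, `cert_has_san` and `verify_engine_cert` are constructed for this example; it assumes a POSIX shell with the `openssl` CLI on the path.

```shell
#!/bin/sh
# Added example, not code from the thread or from oVirt: issue an engine
# certificate with a subjectAltName and check the two properties the
# engine's clients insist on, a chain that verifies against the CA and a
# DNS SAN equal to the engine FQDN.  CA name, directories and function
# names are constructed; the real files live under /etc/pki/ovirt-engine.
set -u

# Build a throwaway root CA and issue a server cert into $1 for FQDN $2.
# $3 is "yes" or "no" and controls whether the SAN extension is written,
# so the "missing subjectAltName" state from the thread can be reproduced.
issue_engine_cert() {
  dir=$1; fqdn=$2; with_san=$3
  mkdir -p "$dir"
  # Minimal config so the example does not depend on the system
  # openssl.cnf.  Keys are unencrypted here for an offline demo only;
  # a real CA key should be passphrase-protected as in the thread's step 1.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Lab Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
  openssl req -x509 -new -config "$dir/ca.cnf" -key "$dir/root.key" \
    -sha256 -days 365 -out "$dir/root.pem"
  openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null
  openssl req -new -config "$dir/ca.cnf" -key "$dir/$fqdn.key" \
    -subj "/CN=$fqdn" -out "$dir/$fqdn.csr"
  # "-extensions v3_req" on its own adds nothing: x509 -req only emits
  # extensions it reads from a file given with -extfile.
  {
    echo "basicConstraints = CA:FALSE"
    echo "keyUsage = digitalSignature,keyEncipherment"
    echo "extendedKeyUsage = serverAuth"
    if [ "$with_san" = yes ]; then echo "subjectAltName = DNS:$fqdn"; fi
  } > "$dir/server.ext"
  openssl x509 -req -in "$dir/$fqdn.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$dir/server.ext" -out "$dir/$fqdn.crt" 2>/dev/null
}

# Does the leaf chain to the CA?  Same check as the thread's step 5; a
# failure here is what Java reports as "PKIX path building failed".
chain_verifies() {
  ca=$1; cert=$2
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Does the leaf carry a DNS SAN exactly equal to the FQDN?  Modern
# hostname checkers ignore the CN, so a CN-only cert fails this.
cert_has_san() {
  cert=$1; fqdn=$2
  openssl x509 -in "$cert" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -qxF "DNS:$fqdn"
}

# Combined pre-flight check: one line per finding, 0 only if both pass.
verify_engine_cert() {
  ca=$1; cert=$2; fqdn=$3; rc=0
  if chain_verifies "$ca" "$cert"; then
    echo "chain: OK ($ca signs $cert)"
  else
    echo "chain: FAIL (Java will report PKIX path building failed)"; rc=1
  fi
  if cert_has_san "$cert" "$fqdn"; then
    echo "san:   OK (DNS:$fqdn present)"
  else
    echo "san:   MISSING (expect SubjectAltNameWarning / engine-setup renewal)"; rc=1
  fi
  return $rc
}

# Usage: sh check-engine-cert.sh /etc/pki/ovirt-engine/apache-ca.pem \
#          /etc/pki/ovirt-engine/certs/apache.cer manager.lab.local
if [ $# -eq 3 ]; then
  verify_engine_cert "$1" "$2" "$3"
fi
```

Run it with the CA file, the certificate and the engine FQDN as arguments after step 9 and before step 14. A failing chain check means the Java trust store will reject the certificate regardless of what `keytool -list` shows; a passing chain with a missing SAN is the state the thread ended up in, where `openssl verify` is happy but the Python provider and engine-setup are not.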