On Mon, Nov 23, 2020 at 9:35 AM Dominik Holler <dhol...@redhat.com> wrote:

>
>
> On Fri, Nov 20, 2020 at 12:38 PM Alex K <rightkickt...@gmail.com> wrote:
>
>> Following the above, I was seeing that OVN provider connectivity test was
>> failing due to some certificate issue and had to do the following to fix
>> it:
>>
>> names="ovirt-provider-ovn"
>>
>> subject="$(\
>>     openssl x509 \
>>     -in /etc/pki/ovirt-engine/certs/apache.cer \
>>     -noout \
>>     -subject | \
>>         sed \
>>             's;subject= \(.*\);\1;'
>>   )"
>>
>> . /usr/share/ovirt-engine/bin/engine-prolog.sh
>>
>> for name in $names; do
>>     /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh \
>>         --name="${name}" \
>>         --password=mypass \
>>         --subject="${subject}" \
>>         --keep-key \
>>         --san=DNS:"${ENGINE_FQDN}"
>> done
>>
>> Having fixed the above, when trying to connect two VMs on some OVN
>> logical switches it seems they are not able to reach each other.
>> I had previously added such logical switches at engine by running:
>>
>> ovn-nbctl ls-add ovn-net0
>> ovn-nbctl ls-add ovn-net1
>> etc
>>
>>
> Not related: Please use ovirt-provider-ovn to create and manage ovn
> entities.
>
>
>> Checking the logs at the host /var/log/openvswitch/ovsdb-server.log I
>> see:
>> reconnect|WARN|unix#45: connection dropped (Connection reset by peer)
>>
>>
> /var/log/openvswitch/ovn-controller.log might contain the reason.
>
>
>> Also systemctl status ovirt-provider-ovn.service at engine shows:
>> /usr/lib/python2.7/site-packages/urllib3/connection.py:344:
>> SubjectAltNameWarning:...
>>
>>
> Looks not good, do you know which connection this warning refers to?
>
>
>> I have restarted at engine both engine and ovn services:
>> systemctl restart ovirt-engine
>> systemctl status ovirt-provider-ovn.service
>>
>> I have also restarted the relevant service at each host:
>> systemctl restart ovn-controller.service
>>
>> When running the following at the host it gets stuck and does not give any output:
>> ovn-sbctl show
>>
>>
> This is expected, the ovn southbound and northbound db exists only on the
> ovn-central, which is placed on the same machine as oVirt Engine.
> Only the ovn-controller, which controls openvswitch, and openvswitch,
> which is implementing the data plane, are placed on the ovn-chassis / oVirt
> host.
>
>
>> I see that the certificate is imported at key-store as it has the same
>> fingerprint with the previous root CA:
>>
>> keytool -list -alias ovirt-provider-ovn -keystore
>> /var/lib/ovirt-engine/external_truststore
>>
>>
> This is only relevant for the connection from oVirt Engine to
> ovirt-provider-ovn.
>
>
>> At this same cluster, I had previously changed the domain name of each
>> host and engine using the rename tool.
>> And now replaced the certificates as previously described so as to fix
>> the imageio cert issue and ovn issue.
>>
>> It seems that OVN is not happy with the status of certificates.
>> When testing connection at engine GUI I get a prompt to trust the cert,
>> and when pressing ok I get a green confirmation of successful connection.
>>
>>
> This is only relevant for the connection from oVirt Engine to
> ovirt-provider-ovn. The prompt to trust the certificate might be redundant.
> If you get the green confirmation, oVirt Engine is happy and the
> certificate of the REST API of ovirt-provider-ovn is fine.
>
>
>> Is there anything else that can be done to fix OVN functionality?
>>
>
> Please try to understand what is wrong in the connection between
> ovn-controller and ovn south bound db.
> /var/log/openvswitch/ovn-controller.log should be helpful and might
> contain the reason.
>
Will run the steps again to see. Do you think I need to take additional
steps when fixing the OVN certs issue due to domain change that this
cluster has undergone?

>
>
>
>> Thanx
>> Alex
>>
>>
>>
>>
>>
>> On Thu, Nov 19, 2020 at 9:00 AM Alex K <rightkickt...@gmail.com> wrote:
>>
>>> Seems that all services (imageio, ovn, web socket) are fine after
>>> following the above and importing the new self signed CA certificate.
>>> Did run also engine-setup as I was trying to fix the imageio cert issue,
>>> though seems that that was only fixed after importing the CA cert at
>>> browser and engine-setup might not be needed.
>>>
>>> On Wed, Nov 18, 2020 at 3:07 PM Alex K <rightkickt...@gmail.com> wrote:
>>>
>>>> Seems I had a typo at
>>>> /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf.
>>>> I will repeat the test to verify that all services are functional
>>>> following this process.
>>>>
>>>> On Wed, Nov 18, 2020 at 10:24 AM Alex K <rightkickt...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I am trying to replace the ovirt certificate at ovirt 4.3 following
>>>>> this:
>>>>>
>>>>>
>>>>> https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl
>>>>>
>>>>> I am doing the following:
>>>>> I have engine FQDN: manager.lab.local
>>>>>
>>>>> 1. Create root CA private key:
>>>>> openssl genrsa -des3 -out root.key 2048
>>>>>
>>>>> 2. Generate root certificate: (enter passphrase of root key)
>>>>> openssl req -x509 -new -nodes -key root.key -sha256 -days 3650 -out
>>>>> root.pem
>>>>> cp root.pem /tmp
>>>>>
>>>>> 3. Create key and CSR for engine:
>>>>> openssl genrsa -out manager.lab.local.key 2048
>>>>> openssl req -new -out manager.lab.local.csr -key manager.lab.local.key
>>>>>
>>>>> 4. Generate a certificate for engine and sign with the root CA key:
>>>>>
>>>>> openssl x509 -req -in manager.lab.local.csr \
>>>>> -CA root.pem \
>>>>> -CAkey root.key \
>>>>> -CAcreateserial \
>>>>> -out manager.lab.local.crt \
>>>>> -days 3650 \
>>>>> -sha256 \
>>>>> -extensions v3_req
>>>>>
>>>>> 5. Verify the trust chain and check the certificate details:
>>>>> openssl verify -CAfile root.pem manager.lab.local.crt
>>>>> openssl x509 -text -noout -in  manager.lab.local.crt  | head -15
>>>>>
>>>>> 6. Generate a P12 container: (with empty password)
>>>>> openssl pkcs12 -export -out /tmp/apache.p12 \
>>>>> -inkey manager.lab.local.key \
>>>>> -in manager.lab.local.crt
>>>>>
>>>>> 8. Export key and cert:
>>>>> openssl pkcs12 -in apache.p12 -nocerts -nodes > /tmp/apache.key
>>>>> openssl pkcs12 -in apache.p12 -nokeys > /tmp/apache.cer
>>>>>
>>>>> From the above steps we should have the following:
>>>>>
>>>>>     /tmp/root.pem
>>>>>     /tmp/apache.p12
>>>>>     /tmp/apache.key
>>>>>     /tmp/apache.cer
>>>>>
>>>>> 9. Place the certificates:
>>>>> hosted-engine --set-maintenance --mode=global
>>>>> cp -p /etc/pki/ovirt-engine/keys/apache.p12 /tmp/apache.p12.bck
>>>>> cp /tmp/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12
>>>>> cp /tmp/root.pem /etc/pki/ca-trust/source/anchors
>>>>> update-ca-trust
>>>>> rm /etc/pki/ovirt-engine/apache-ca.pem
>>>>> cp /tmp/root.pem /etc/pki/ovirt-engine/apache-ca.pem
>>>>>
>>>>> Backup existing key and cert:
>>>>> cp /etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>> /etc/pki/ovirt-engine/keys/apache.key.nopass.bck
>>>>> cp /etc/pki/ovirt-engine/certs/apache.cer
>>>>> /etc/pki/ovirt-engine/certs/apache.cer.bck
>>>>> cp /tmp/apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>> cp /tmp/apache.cer /etc/pki/ovirt-engine/certs/apache.cer
>>>>> chown root:ovirt /etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>> chmod 640 /etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>> systemctl restart httpd.service
>>>>>
>>>>> 10. Create a new trust store configuration file:
>>>>> vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>>>>>
>>>>> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
>>>>> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
>>>>>
>>>>> 11. Edit /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf :
>>>>> vi /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>>>>
>>>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
>>>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>>
>>>>> 12. Edit /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf:
>>>>> vi /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
>>>>>
>>>>> # Key file for SSL connections
>>>>> ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>> # Certificate file for SSL connections
>>>>> ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer
>>>>>
>>>>> 13. Import the certificate at system-wide  java trust store
>>>>>
>>>>> update-ca-trust extract
>>>>> keytool -list -alias ovirt -keystore /etc/pki/java/cacerts
>>>>>
>>>>> 14. Restart services:
>>>>> systemctl restart httpd.service
>>>>> systemctl restart ovirt-provider-ovn.service
>>>>> systemctl restart ovirt-imageio-proxy
>>>>> systemctl restart ovirt-websocket-proxy
>>>>> systemctl restart ovirt-engine.service
>>>>>
>>>>> Following the above I get at engine GUI:
>>>>>
>>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>>> valid certification path to requested target
>>>>>
>>>>> I have tried also to run engine-setup in case it could fix anything
>>>>> (it renewed the cert due to missing subjectAltName), and the above error
>>>>> still persists.
>>>>> I have tried several other suggestions from similar issues reported at
>>>>> this list without any luck.
>>>>> I have run out of ideas. Am I missing anything?
>>>>> Thanx for any suggestions.
>>>>> Alex
>>>>>
>>>> _______________________________________________
>> Users mailing list -- users@ovirt.org
>> To unsubscribe send an email to users-le...@ovirt.org
>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>> oVirt Code of Conduct:
>> https://www.ovirt.org/community/about/community-guidelines/
>> List Archives:
>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/PKKBI7Y2RZBEOAEGVVTOLGLBFKFLGUM6/
>>
>
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/UXTUUN7IHIWAKASDWARWUGHUPVHTXYI4/
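The two certificate problems the thread runs into, "PKIX path building failed" at the engine and urllib3's SubjectAltNameWarning from ovirt-provider-ovn, are both things that can be checked on the engine host before a certificate is installed. The script below is an added example, not code from the thread, from oVirt or from Red Hat's documentation. It builds a throwaway root CA and signs the same engine CSR twice: once the way step 4 above signs it (no `-extfile`, which is how the certificate ended up without a subjectAltName, as engine-setup later reported), and once with the FQDN supplied as a SAN. It then runs the chain check and the SAN check on both. It needs only the openssl CLI; `WORKDIR`, the CA name and the `manager.lab.local` FQDN are constructed test values, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from oVirt's own scripts): build a
# throwaway root CA, sign an engine CSR with and without a subjectAltName, and
# run the two checks worth doing before copying a certificate into
# /etc/pki/ovirt-engine: chain validity and SAN/FQDN match.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"                 # constructed scratch directory
ENGINE_FQDN="${ENGINE_FQDN:-manager.lab.local}"     # constructed; same FQDN as the thread

# Self-signed root CA. The key is left unencrypted so the script runs
# non-interactively; the thread's des3-protected root.key is fine for real use.
make_root_ca() {
    openssl genrsa -out "$WORKDIR/root.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORKDIR/root.key" -sha256 -days 3650 \
        -subj "/CN=Lab Root CA (constructed)" -out "$WORKDIR/root.pem" 2>/dev/null
}

# Engine key and CSR carrying only a CN, as in step 3 of the thread.
make_key_and_csr() {
    openssl genrsa -out "$WORKDIR/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$1.key" -subj "/CN=$1" \
        -out "$WORKDIR/$1.csr" 2>/dev/null
}

# Extension file putting the FQDN into subjectAltName and marking the
# certificate as a non-CA server certificate. Usage: write_san_ext FQDN FILE
write_san_ext() {
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$1" > "$2"
}

# Sign the CSR with the root CA. Usage: sign_csr FQDN EXTFILE OUTPUT; an empty
# EXTFILE reproduces the thread's signing step, which yields no SAN.
sign_csr() {
    fqdn=$1; extfile=${2:-}; out=$3
    extra=""
    [ -n "$extfile" ] && extra="-extfile $extfile"
    # $extra is intentionally word-split (it is either empty or "-extfile PATH")
    openssl x509 -req -in "$WORKDIR/$fqdn.csr" -CA "$WORKDIR/root.pem" \
        -CAkey "$WORKDIR/root.key" -CAcreateserial -days 3650 -sha256 \
        $extra -out "$out" 2>/dev/null
}

# Check 1: does the certificate chain to the CA in CAFILE? A failure here is
# what the engine surfaces as "PKIX path building failed".
# Usage: verify_chain CAFILE CERT
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the DNS names from the certificate's subjectAltName, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# Check 2: is FQDN listed in the SAN? Modern clients match the hostname against
# the SAN rather than the CN, which is what the SubjectAltNameWarning is about.
# Usage: san_matches CERT FQDN
san_matches() {
    san_dns_names "$1" | grep -qxF "$2"
}

# Build both certificates and report both checks for each one.
demo() {
    make_root_ca
    make_key_and_csr "$ENGINE_FQDN"
    sign_csr "$ENGINE_FQDN" "" "$WORKDIR/nosan.crt"            # as in the thread
    write_san_ext "$ENGINE_FQDN" "$WORKDIR/san.ext"
    sign_csr "$ENGINE_FQDN" "$WORKDIR/san.ext" "$WORKDIR/san.crt"  # with SAN
    for crt in nosan.crt san.crt; do
        chain=FAIL; san=FAIL
        verify_chain "$WORKDIR/root.pem" "$WORKDIR/$crt" && chain=ok
        san_matches "$WORKDIR/$crt" "$ENGINE_FQDN" && san=ok
        echo "$crt: chain=$chain san=$san"
    done
}

demo
```

Both certificates pass the chain check, since both are signed by the same root; only the one signed with the extension file passes the SAN check. That is the split the thread describes: the engine's green "test connection" result only proves the chain, while the provider's warning is about the SAN. Running `san_matches` against `/etc/pki/ovirt-engine/certs/apache.cer` with the renamed engine FQDN is the quick way to confirm a cert replaced after a domain rename actually names the new host.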
