On Thu, Nov 4, 2021 at 6:51 PM Kapetanakis Giannis < bil...@edu.physics.uoc.gr> wrote:
> On 27/04/2021 17:12, cape...@labri.fr wrote: > > Hi, > > > > Since a few weeks, we are not able to connect to the vmconsole proxy: > > $ ssh -t -p 2222 ovirt-vmconsole@ovirt > > ovirt-vmconsole@ovirt: Permission denied (publickey). This is a hackish way to generate a new certificate outside of ovirt-engine. 1. Backup oVirt and especially /etc on engine 2. Generate a new request for the vmconsole-proxy-helper openssl req -new -out vmconsole.req -subj /CN=MY_OVIRT_FQDN -key /etc/pki/ovirt-engine/keys/vmconsole-proxy-helper.key.nopass 3. Use the oVirt CA to sign this request to produce a new cert: cat > extfile.conf <<EOT# lets try to mimic the extensions that oVirt CA creates subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer basicConstraints = CA:false keyUsage = digitalSignature extendedKeyUsage = DER:300E060C2B0601040192080D01020101 EOT Sign the request openssl x509 -req -CA /etc/pki/ovirt-engine/certs/ca.der -inform DER -CAkey /etc/pki/ovirt-engine/private/ca.pem -set_serial MY_SERIAL_NO \ -extfile extfile.conf -in vmconsole.req Then you can use this cert to override /etc/pki/ovirt-engine/certs/vmconsole-proxy-helper.cer Needless to say, this is extremely hackish - and I would like to know the proper way to work this. BTW my vmconsole SSH keys/certs also were a) expired b) wrong type ssh-rsa so I needed to jump through similar hoops to get proxy -> host working again. --- Richard Chan
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/J3HWNPCWM7GS24ML7FJEJLF5TZH32N4Q/