On Thu, Nov 4, 2021 at 6:51 PM Kapetanakis Giannis <bil...@edu.physics.uoc.gr> wrote:

> On 27/04/2021 17:12, cape...@labri.fr wrote:
> > Hi,
> >
> > For a few weeks now, we have not been able to connect to the vmconsole proxy:
> > $ ssh -t -p 2222 ovirt-vmconsole@ovirt
> > ovirt-vmconsole@ovirt: Permission denied (publickey).


This is a hackish way to generate a new certificate outside of ovirt-engine.

1. Backup oVirt and especially /etc on engine
2. Generate a new request for the vmconsole-proxy-helper

openssl req -new -out vmconsole.req -subj /CN=MY_OVIRT_FQDN \
    -key /etc/pki/ovirt-engine/keys/vmconsole-proxy-helper.key.nopass

3. Use the oVirt CA to sign this request to produce a new cert:

cat > extfile.conf <<EOT
# lets try to mimic the extensions that oVirt CA creates
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = DER:300E060C2B0601040192080D01020101
EOT

Sign the request

openssl x509 -req -CA /etc/pki/ovirt-engine/certs/ca.der -inform DER \
    -CAkey /etc/pki/ovirt-engine/private/ca.pem -set_serial MY_SERIAL_NO \
    -extfile extfile.conf -in vmconsole.req

Then you can use this cert to override
/etc/pki/ovirt-engine/certs/vmconsole-proxy-helper.cer

Needless to say, this is extremely hackish - and I would like to know the
proper way to work this.
BTW, my vmconsole SSH keys/certs were also a) expired and b) of the wrong type
(ssh-rsa), so I needed to jump through similar hoops to get proxy -> host
working again.

---
Richard Chan
_______________________________________________
Users mailing list -- users@ovirt.org
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/J3HWNPCWM7GS24ML7FJEJLF5TZH32N4Q/