On Thu, Jan 13, 2022 at 4:53 PM Sandro Bonazzola <sbona...@redhat.com>
wrote:

>
>
> On Thu, Jan 13, 2022 at 15:34 Konstantin Shalygin <
> k0...@k0ste.ru> wrote:
>
>> > Is it possible to get, maybe from Postgres, the host certificate date?
>> > The engine runs this check sometimes, but triggering this check seems impossible
>>
>> Anybody?
>> @Sandro please help
>>
>> The engine makes the check once per day and prints to the logs.
>> How can we run a manual check or see info in the PostgreSQL database? This is
>> required because the days until the end of the certificate's life are running out;
>> waiting for the next day in order to understand the result of deploying a
>> new certificate is a strange situation.
>>
>
> Maybe @Martin Perina <mper...@redhat.com> can assist?
>
Hi,

host certificates are not saved anywhere in the engine database, you need
to go to the host itself to find out the expiration date. There are 2
options:

1. Directly on the host, after connecting via SSH, you can run the command below:
    # openssl x509 -text -noout -in /etc/pki/vdsm/certs/vdsmcert.pem | grep -A2 Validity

2. Remotely, using openssl, you can run the command below:
    # openssl s_client -showcerts -connect <HOST FQDN>:54321 | openssl x509 -text -noout | grep -A2 Validity


ovirt-engine performs certificate checks every day (this can be configured using
the engine-config option CertificationValidityCheckTimeInHours) and it checks
not only host certificates, but also the engine certificate and the engine
CA certificate. This check produces the following records in the ovirt-engine
audit log:

1. If the certificate has already expired, then the audit log ALERT below is
created, depending on the type of certificate:
    - *Host ${VdsName} certification has expired at ${ExpirationDate}. Please renew the host's certification.*
    - *Engine's certification has expired at ${ExpirationDate}. Please renew the engine's certification.*
    - *Engine's CA certification has expired at ${ExpirationDate}.*

2. If the certificate is going to expire in less than 7 days, then the
audit log ALERT below is created, depending on the type of certificate:
    - *Host ${VdsName} certification is about to expire at ${ExpirationDate}. Please renew the host's certification.*
    - *Engine's certification is about to expire at ${ExpirationDate}. Please renew the engine's certification.*
    - *Engine's CA certification is about to expire at ${ExpirationDate}.*

3. If the certificate is going to expire in less than 30 days, then the
audit log WARNING below is created, depending on the type of certificate:
    - *Host ${VdsName} certification is about to expire at ${ExpirationDate}. Please renew the host's certification.*
    - *Engine's certification is about to expire at ${ExpirationDate}. Please renew the engine's certification.*
    - *Engine's CA certification is about to expire at ${ExpirationDate}.*

Regards,
Martin


>
>>
>>
>> Thanks,
>> k
>> _______________________________________________
>> Users mailing list -- users@ovirt.org
>> To unsubscribe send an email to users-le...@ovirt.org
>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>> oVirt Code of Conduct:
>> https://www.ovirt.org/community/about/community-guidelines/
>> List Archives:
>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/3WK5CJYL3PXXCJJQKLEQCQJG5X2YA3XV/
>>
>
>
> --
>
> Sandro Bonazzola
>
> MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV
>
> Red Hat EMEA <https://www.redhat.com/>
>
> sbona...@redhat.com
> <https://www.redhat.com/>
>
> *Red Hat respects your work life balance. Therefore there is no need to
> answer this email out of your office hours.*
>
>
>

-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/TMJVAJMH5MKUVRTSZG2BB46QKXYI6M2D/
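
Added example, not part of the message above and not ovirt-engine code: a shell check that applies the 7-day and 30-day thresholds described in the reply to a certificate file, or to the certificate served on port 54321, so the result of a renewal can be seen without waiting for the daily check. The function names, the EXPIRED/OK labels and the ERROR state are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a certificate with the thresholds quoted in the
# thread. Function names and the ERROR state are assumptions, not oVirt code.
ALERT_DAYS=7     # "less than 7 days"  -> ALERT in the engine audit log
WARN_DAYS=30     # "less than 30 days" -> WARNING in the engine audit log

# cert_status PEM_FILE [ALERT_DAYS] [WARN_DAYS]
# Prints one of: EXPIRED, ALERT, WARNING, OK, ERROR
cert_status() {
    pem=$1
    alert=${2:-$ALERT_DAYS}
    warn=${3:-$WARN_DAYS}

    # Reject unreadable or non-certificate input first; otherwise a parse
    # failure would look the same as -checkend reporting expiry.
    if ! openssl x509 -noout -in "$pem" >/dev/null 2>&1; then
        echo ERROR
        return 2
    fi

    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -noout -checkend 0 -in "$pem" >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -noout -checkend $((alert * 86400)) -in "$pem" >/dev/null 2>&1; then
        echo ALERT
    elif ! openssl x509 -noout -checkend $((warn * 86400)) -in "$pem" >/dev/null 2>&1; then
        echo WARNING
    else
        echo OK
    fi
}

# remote_cert_status HOST [PORT]
# Fetches the certificate the host serves (port 54321 as in the thread)
# and classifies it the same way.
remote_cert_status() {
    tmp=$(mktemp) || return 2
    # </dev/null closes stdin so s_client exits once the handshake is done.
    openssl s_client -connect "$1:${2:-54321}" </dev/null 2>/dev/null |
        openssl x509 -out "$tmp" 2>/dev/null || :
    rc=0
    cert_status "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}
```

On a host, `cert_status /etc/pki/vdsm/certs/vdsmcert.pem` checks the file from option 1; `remote_cert_status <HOST FQDN>` covers option 2.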
