Hi,

On 17/06/2022 at 12:18, Marko Vrgotic wrote:

Dear Nathanael,

Thank you very much for your reply. Regarding the host expiration playbook you wrote – my compliments – is it safe to run on a host with expired certificates, or is it rather meant to be executed for renewal of certs on hosts with still valid certs?

Both are okay. In the case of a host in "up" status, it will go down during the playbook execution, but VMs will continue to run without any downtime. The host will recover and go up once certificates have been successfully renewed.

This is an emergency procedure; the best solution to renew a certificate on a running host is to put the host into maintenance and renew certs via the UI.

We have also found the following script, which should at least safely take care of the renewal of certs on a host with already expired certificates:

https://github.com/tothf/renew_vdsm_cert/blob/main/renew_vdsm_cert.sh

-----

kind regards/met vriendelijke groeten

Marko Vrgotic
Sr. System Engineer @ System Administration


ActiveVideo

o: +31 (35) 6774131
m: +31 (65) 5734174
e: m.vrgo...@activevideo.com
w: www.activevideo.com


From: Nathanaël Blanchet <blanc...@abes.fr>
Date: Thursday, 16 June 2022 at 14:40
To: Marko Vrgotic <m.vrgo...@activevideo.com>, users@ovirt.org <users@ovirt.org>
Subject: Re: [ovirt-users] oVirt 4.4.x step-by-step procedure to renew expired oVirt certificates


Hello,

If you refer to:

 1. engine Apache certificate expiration ("PKIX path building failed:
    sun.security.provider.certpath.SunCertPathBuilderException:") to
    access the oVirt console.
    => engine-setup --offline
 2. hosts certificate expiration?
    => https://access.redhat.com/solutions/3532921
    
    I also wrote a playbook to do so there:
    https://galaxy.ansible.com/natman/ovirt_renew_certs
    
    In this case, don't forget to renew the certificate with the UI (in
    maintenance) when the host is responding, otherwise you may encounter
    issues with console or live migration or other SSL-related stuff.

tested and approved.

On 16/06/2022 at 12:34, Marko Vrgotic wrote:

    Dear oVirt,

    The oVirt SSL certificates were changed to one-year renewal and we
    have a problem now.

    We are running 4.4.x version with SHE on local storage cluster and
    we have four more local storage clusters.

    On the cluster running SHE, the engine and host certificates have
    expired. We found the procedure for renewal prior to expiration,
    but we do not have a manual one, required once certificates have
    expired.

    Would you be so kind to share the manual or steps needed to fix
    our oVirt setup.

    Thank you in advance.

    -----

    kind regards/met vriendelijke groeten

    Marko Vrgotic
    Sr. System Engineer @ System Administration



--
Nathanaël Blanchet
Network supervision
SIRE
227 avenue Professeur-Jean-Louis-Viala
34193 MONTPELLIER CEDEX 5
Tel. 33 (0)4 67 54 84 55
Fax  33 (0)4 67 54 84 14
blanc...@abes.fr

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CT4MHY4COXH6KF74W47JCV6SKHIL7QWI/
