Patrick Hibbs <hibbsncc1...@gmail.com> writes:

> That error is saying the enrollment script cannot access the serial.txt
> file to generate the new certificate's serial number. That file should
> be located at /etc/pki/ovirt-engine/serial.txt, owned by the ovirt user
> / group. (Oddly enough, on my system that file is world readable /
> writable, which seems like it should be wrong...)
That world readable / writable permission is wrong, and it is being handled in https://github.com/oVirt/ovirt-engine/pull/477.

> There may also be backup files of it in that same directory.
>
> If the file doesn't exist at all and there are no backups: You could
> try to create a new one by figuring out what the highest serial number
> issued by the internal CA is, incrementing it by one, and echoing that
> into a new serial.txt file. (Setting permissions as appropriate.)
> Although in this case, I'd ask why the file was deleted in the first
> place.

It might be related to https://bugzilla.redhat.com/2088446 but I don't know any details.

Regards,
Milan

> -Patrick Hibbs
>
> On Wed, 2022-07-20 at 19:44 +0000, xavi...@rogers.com wrote:
>> Log: >> >> 2022-07-20 17:50:43 UTC - TASK [ovirt-host-deploy-vdsm-certificates : >> Run PKI enroll request for vdsm and QEMU] *** >> 2022-07-20 17:50:43 UTC - >> 2022-07-20 17:50:43 UTC - { >> "status" : "OK", >> "msg" : "", >> "data" : { >> "uuid" : "67f44c2c-edf2-454b-ab5f-a3a6e3076ddc", >> "counter" : 179, >> "stdout" : "", >> "start_line" : 171, >> "end_line" : 171, >> "runner_ident" : "6b4c5f52-0854-11ed-b044-00163e598f5b", >> "event" : "runner_on_failed", >> "pid" : 32040, >> "created" : "2022-07-20T17:50:43.065710", >> "parent_uuid" : "00163e59-8f5b-ba87-8722-0000000002a4", >> "event_data" : { >> "playbook" : "ovirt-host-deploy.yml", >> "playbook_uuid" : "4f7a6915-ae99-445b-ac02-ba66bbd1aa57", >> "play" : "all", >> "play_uuid" : "00163e59-8f5b-ba87-8722-000000000008", >> "play_pattern" : "all", >> "task" : "Run PKI enroll request for vdsm and QEMU", >> "task_uuid" : "00163e59-8f5b-ba87-8722-0000000002a4", >> "task_action" : "command", >> "task_args" : "", >> "task_path" : "/usr/share/ovirt-engine/ansible-runner-service- >> project/project/roles/ovirt-host-deploy-vdsm- >> certificates/tasks/main.yml:38", >> "role" : "ovirt-host-deploy-vdsm-certificates", >> "host" : "xnet-node-02.xnet.local", >> "remote_addr" : "xnet-node-02.xnet.local", >> "res" : { >> "results" : [
{ >> "msg" : "non-zero return code", >> "cmd" : [ "/usr/share/ovirt-engine/bin/pki-enroll- >> request.sh", "--name=xnet-node-02.xnet.local", "-- >> subject=/O=xnet.local/CN=xnet-node-02.xnet.local", "--san=DNS:xnet- >> node-02.xnet.local", "--days=398", "--timeout=30", "--ca-file=ca", "- >> -cert-dir=certs", "--req-dir=requests" ], >> "stdout" : "", >> "stderr" : "Using configuration from openssl.conf\nunable >> to load number from serial.txt\nerror while loading serial >> number\n140364123252544:error:0D066096:asn1 encoding >> routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:\nCannot >> sign certificate", >> "rc" : 1, >> "start" : "2022-07-20 17:50:42.811555", >> "end" : "2022-07-20 17:50:42.840405", >> "delta" : "0:00:00.028850", >> "changed" : true, >> "failed" : true, >> "invocation" : { >> "module_args" : { >> "_raw_params" : "\"/usr/share/ovirt-engine/bin/pki- >> enroll-request.sh\"\n\"--name=xnet-node-02.xnet.local\"\n\"-- >> subject=/O=xnet.local/CN=xnet-node-02.xnet.local\"\n\"--san=DNS:xnet- >> node-02.xnet.local\"\n\"--days=398\"\n\"--timeout=30\"\n\"--ca- >> file=ca\"\n\"--cert-dir=certs\"\n\"--req-dir=requests\"\n", >> "warn" : true, >> "_uses_shell" : false, >> "stdin_add_newline" : true, >> "strip_empty_ends" : true, >> "argv" : null, >> "chdir" : null, >> "executable" : null, >> "creates" : null, >> "removes" : null, >> "stdin" : null >> } >> }, >> "stdout_lines" : [ ], >> "stderr_lines" : [ "Using configuration from openssl.conf", >> "unable to load number from serial.txt", "error while loading serial >> number", "140364123252544:error:0D066096:asn1 encoding >> routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:", >> "Cannot sign certificate" ], >> "_ansible_no_log" : false, >> "item" : { >> "ou" : "", >> "ca_file" : "ca", >> "cert_dir" : "certs", >> "req_dir" : "requests" >> }, >> "ansible_loop_var" : "item", >> "_ansible_item_label" : { >> "ou" : "", >> "ca_file" : "ca", >> "cert_dir" : "certs", >> "req_dir" : "requests" >> 
} >> }, { >> "msg" : "non-zero return code", >> "cmd" : [ "/usr/share/ovirt-engine/bin/pki-enroll- >> request.sh", "--name=xnet-node-02.xnet.local", "-- >> subject=/O=xnet.local/CN=xnet-node-02.xnet.local/OU=qemu", "-- >> san=DNS:xnet-node-02.xnet.local", "--days=398", "--timeout=30", "-- >> ca-file=qemu-ca", "--cert-dir=certs-qemu", "--req-dir=requests-qemu" >> ], >> "stdout" : "", >> "stderr" : "Using configuration from openssl.conf\nunable >> to load number from serial.txt\nerror while loading serial >> number\n140005905663808:error:0D066096:asn1 encoding >> routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:\nCannot >> sign certificate", >> "rc" : 1, >> "start" : "2022-07-20 17:50:43.015979", >> "end" : "2022-07-20 17:50:43.043930", >> "delta" : "0:00:00.027951", >> "changed" : true, >> "failed" : true, >> "invocation" : { >> "module_args" : { >> "_raw_params" : "\"/usr/share/ovirt-engine/bin/pki- >> enroll-request.sh\"\n\"--name=xnet-node-02.xnet.local\"\n\"-- >> subject=/O=xnet.local/CN=xnet-node-02.xnet.local/OU=qemu\"\n\"-- >> san=DNS:xnet-node-02.xnet.local\"\n\"--days=398\"\n\"-- >> timeout=30\"\n\"--ca-file=qemu-ca\"\n\"--cert-dir=certs-qemu\"\n\"-- >> req-dir=requests-qemu\"\n", >> "warn" : true, >> "_uses_shell" : false, >> "stdin_add_newline" : true, >> "strip_empty_ends" : true, >> "argv" : null, >> "chdir" : null, >> "executable" : null, >> "creates" : null, >> "removes" : null, >> "stdin" : null >> } >> }, >> "stdout_lines" : [ ], >> "stderr_lines" : [ "Using configuration from openssl.conf", >> "unable to load number from serial.txt", "error while loading serial >> number", "140005905663808:error:0D066096:asn1 encoding >> routines:a2i_ASN1_INTEGER:short line:crypto/asn1/f_int.c:140:", >> "Cannot sign certificate" ], >> "_ansible_no_log" : false, >> "item" : { >> "ou" : "/OU=qemu", >> "ca_file" : "qemu-ca", >> "cert_dir" : "certs-qemu", >> "req_dir" : "requests-qemu" >> }, >> "ansible_loop_var" : "item", >> "_ansible_item_label" : { >> 
"ou" : "/OU=qemu", >> "ca_file" : "qemu-ca", >> "cert_dir" : "certs-qemu", >> "req_dir" : "requests-qemu" >> } >> } ], >> "changed" : true, >> "msg" : "All items completed" >> }, >> "start" : "2022-07-20T17:50:42.639821", >> "end" : "2022-07-20T17:50:43.065519", >> "duration" : 0.425698, >> "ignore_errors" : null, >> "event_loop" : "items", >> "uuid" : "67f44c2c-edf2-454b-ab5f-a3a6e3076ddc" >> } >> } >> }