Hi, On Thu, Dec 15, 2022 at 3:29 PM Vinz Vinz <v...@itiviti.com> wrote: > > Hi Team, > > we are using a custom certificate on the engine apache GUI > /etc/pki/ovirt-engine/certs/apache.cer (following > https://myhomelab.gr/linux/2020/01/20/replacing_ovirt_ssl.html)
I didn't know this doc so far, and am sorry if the doc on ovirt.org (linked from it) is not enough. Patches/questions/issues are welcome! I think it makes more sense to refine and perfect the "official" documentation than to have each of us write his own blog post with a "patch", unless it details specific/local issues that are not relevant for a general document but would still be useful for other people. >and it works fine. The certificate is valid for a very long period. (Good for maintenance minimization, not so good for security. But not the scope of current email...) > > It seems the vdsm certificate (/etc/pki/vdsm/certs/vdsmcert.pem), on hosts > side, has been renewed automatically at that time, but for only one year. "at that time", meaning by following the official doc? Or the above link? I didn't read it, but it does not mention "vdsm". Perhaps it wasn't exactly at that time, but due to some other update/action/whatever? You can try to correlate the cert start time with your (engine+vdsm) logs. Anyway, the hosts certs were indeed made shorter at some point, but then back longer. So it greatly depends what exact version you used while you touched them. See also this bug, and the linked patches: https://bugzilla.redhat.com/show_bug.cgi?id=2079835 I think the previous point was: https://bugzilla.redhat.com/show_bug.cgi?id=1824103 Meaning: Until 4.4.2 it was 1800 days, 4.4.3 to 4.5.0.6 it was 398 days, and since 4.5.0.7 it's 1827 days. You should see a large part of the relevant history, even if I am not sure all of it, but checking the git log of this file, searching for "days". I usually search a somewhat-upper subdirectory, e.g. "packaging" - good enough when searching locally with 'git log' (and 'less'), less convenient on a browser: https://github.com/mz-pdm/ovirt-engine/commits/master/packaging/bin/pki-enroll-request.sh > > Now we wonder, what will happen when the vdsm certificate will expire? hosts > will stop to be in the cluster? Not sure, I think they'll become non-responsive. Disclaimer: I am not an expert on engine<->vdsm comm. > if yes what should we do to avoid that? The standard approach is to move each host to maintenance, then "Enroll Cert" from the menu, then activate. > is there a possibility to also apply our custom cert as vdsm cert? No. > > This is for ovirt 4.4 running on rhel8 If 4.4 > 4.4.3, then indeed you got 398 days. But again, this isn't part of the apache cert replacement procedure - more likely you did 'Enroll Cert', or reinstalled, or something like that. Good luck, -- Didi _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/NCWVNRNZ6TZWRTRIJ5W6UXBGPXZDTXAD/
