One important note:

ln -sf /etc/pki/vdsm/libvirt-vnc/server-key.pem /etc/pki/vdsm/libvirt-migrate/client-key.pem
ln -sf /etc/pki/vdsm/libvirt-vnc/server-cert.pem /etc/pki/vdsm/libvirt-migrate/client-cert.pem

Enrol will fail if client-*.pem doesn't exist and/or is not a symbolic link.

- Gilboa

On Tue, Dec 27, 2022 at 5:29 AM dhanaraj.ramesh--- via Users <users@ovirt.org> wrote:

> No worries, we all came across this issue.  As long as the hosted engine
> is running in Gluster, you can shut it down and bring it up on any other node.
> Now, in order to bring the node up in the cluster, you will have to
> manually replace the vdsm cert on each node, followed by re-enrolling the
> certificate.
>
> the steps are
>
> # To check CERT expired
> # openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -noout -dates
>
> 1. Back up the vdsm folder
>     # cd /etc/pki
>     # mv vdsm vdsm.orig
>     # mkdir vdsm   ; chown vdsm:kvm vdsm
>     # cd vdsm
>     # mkdir libvirt-vnc certs keys libvirt-spice libvirt-migrate
>     # chown vdsm:kvm  libvirt-vnc certs keys libvirt-spice libvirt-migrate
>
> 2. Regenerate cert & keys
>     # vdsm-tool configure --module certificates
>
> 3. Copy the certs to their destination locations
>     chmod 440 /etc/pki/vdsm/keys/vdsmkey.pem
>     chown root /etc/pki/vdsm/certs/*pem
>     chmod 644 /etc/pki/vdsm/certs/*pem
>
>     cp /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-spice/ca-cert.pem
>     cp /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/libvirt-spice/server-key.pem
>     cp /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/libvirt-spice/server-cert.pem
>
>     cp /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-vnc/ca-cert.pem
>     cp /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/libvirt-vnc/server-key.pem
>     cp /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/libvirt-vnc/server-cert.pem
>
>     cp -p /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-migrate/ca-cert.pem
>     cp -p /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/libvirt-migrate/server-key.pem
>     cp -p /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/libvirt-migrate/server-cert.pem
>
>     chown root:qemu /etc/pki/vdsm/libvirt-migrate/server-key.pem
>
>     cp -p /etc/pki/vdsm.orig/keys/libvirt_password /etc/pki/vdsm/keys/
>
>     mv /etc/pki/libvirt/clientcert.pem /etc/pki/libvirt/clientcert.pem.orig
>     mv /etc/pki/libvirt/private/clientkey.pem /etc/pki/libvirt/private/clientkey.pem.orig
>     mv /etc/pki/CA/cacert.pem /etc/pki/CA/cacert.pem.orig
>
>     cp -p /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/libvirt/clientcert.pem
>     cp -p /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/libvirt/private/clientkey.pem
>     cp -p /etc/pki/vdsm/certs/cacert.pem /etc/pki/CA/cacert.pem
>
>
> 4. Cross-check the backup folder /etc/pki/vdsm.orig against /etc/pki/vdsm
>      # refer to /etc/pki/vdsm.orig/*/ and set the correct owner & group
> permissions in /etc/pki/vdsm/*/
>
> 5. Restart services # Make sure both services are up
>     systemctl restart vdsmd libvirtd
>
> 6. Reboot the node, confirm the host has been rebooted manually, and
> put the host in maintenance mode
>
> 7. Enroll the certificate (DO NOT re-install), then exit maintenance mode
>
>
> Cheers from Singapore.
> _______________________________________________
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/XWS5LKNFTLH2A4ZJFOJFCW6ZZ6QBMNTS/
>
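As an added check that is not part of either message above: a POSIX sh function that verifies an /etc/pki/vdsm tree against the layout the quoted steps produce (key mode 440, byte-identical copies of the CA and host certs in each service directory, and the libvirt-migrate client-*.pem symlinks Gilboa's note requires), plus a 30-day expiry warning on the host cert. It assumes GNU stat/readlink, takes the PKI root as a parameter so it can be pointed at a test tree, and only runs the openssl check when openssl is installed; the 30-day threshold is this example's choice.

```shell
#!/bin/sh
# Added example, not from the thread: check an /etc/pki/vdsm tree against the
# layout the quoted steps produce. Assumes GNU stat/readlink (Linux hosts).
# Prints one "FAIL:" line per finding and returns the number of findings.
check_vdsm_pki() {
    root="$1"
    problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # 1. The key written by "vdsm-tool configure --module certificates"
    #    must exist and keep the 440 mode the procedure sets.
    key="$root/keys/vdsmkey.pem"
    [ -f "$key" ] || fail "$key missing"
    mode=$(stat -c %a "$key" 2>/dev/null || true)
    [ "$mode" = "440" ] || fail "$key mode is ${mode:-?}, expected 440"

    # 2. Each service directory gets plain copies of the CA and host certs,
    #    so they must be byte-identical to certs/cacert.pem and certs/vdsmcert.pem.
    for svc in libvirt-spice libvirt-vnc libvirt-migrate; do
        cmp -s "$root/certs/cacert.pem" "$root/$svc/ca-cert.pem" \
            || fail "$svc/ca-cert.pem differs from certs/cacert.pem"
        cmp -s "$root/certs/vdsmcert.pem" "$root/$svc/server-cert.pem" \
            || fail "$svc/server-cert.pem differs from certs/vdsmcert.pem"
    done

    # 3. Gilboa's note: libvirt-migrate/client-*.pem must exist and be
    #    symlinks to the libvirt-vnc server files, or enrolment fails.
    for kind in key cert; do
        link="$root/libvirt-migrate/client-$kind.pem"
        target="$root/libvirt-vnc/server-$kind.pem"
        if [ ! -L "$link" ]; then
            fail "$link is missing or not a symbolic link"
        elif [ "$(readlink -f "$link")" != "$(readlink -f "$target")" ]; then
            fail "$link does not resolve to $target"
        fi
    done

    # 4. The thread's trigger: warn when the host cert ends within 30 days.
    #    Only attempted on a real PEM certificate with openssl available.
    cert="$root/certs/vdsmcert.pem"
    if command -v openssl >/dev/null 2>&1 && grep -q 'BEGIN CERTIFICATE' "$cert" 2>/dev/null; then
        openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 \
            || fail "$cert expires within 30 days or has already expired"
    fi

    return "$problems"
}
# Stand-alone use: sh check_vdsm_pki.sh /etc/pki/vdsm
if [ $# -gt 0 ]; then check_vdsm_pki "$1"; fi
```

A non-zero exit status is the number of findings, so it can gate a config-management run before step 7 (enrolment) is attempted.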
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/RRLJXWDOH4DZJEL4HASU6GI7ETOSXD7N/