Hi

I think I will stick with the default certificate 398 days rule. To renew the certificates automatically I am thinking of writing a script that runs engine-setup, which will detect that the certificates are close to expiring, such as the following:

* --== PKI CONFIGURATION ==--

One or more of the certificates should be renewed, because they expire soon, or include an invalid expiry date, or they were created with validity period longer than 398 days, or do not include the subjectAltName extension, which can cause them to be rejected by recent browsers and up to date hosts.
See https://www.ovirt.org/develop/release-management/features/infra/pki-renew/ for more details.

Renew certificates? (Yes, No) [No]:*

However I see a couple of problems:

1. engine-setup must be run with the offline option because otherwise it will try to update the packages, which I want to avoid. When offline is used, do the VMs running on the KVM hosts have to be stopped? Can this be done online? It is a pain if every time I need to renew the certificates I have to stop the entire virtualization environment.
2. To script and run this process as a cron job, can we run engine-setup non-interactively?

Thanks

On Sat, Nov 4, 2023 at 6:47 PM LS CHENG <lsc.or...@gmail.com> wrote:

> Hi
>
> Yes it is generated with engine-setup.
>
> How do you extend the certificate validation value in engine-setup? (I am
> aware that browsers can have problems with long duration certificates as
> explained in
> https://techbeacon.com/security/google-apple-mozilla-enforce-1-year-max-security-certifications
> )
>
> Thanks
>
> On Sat, Nov 4, 2023 at 6:39 PM Matej Dujava <ov...@kocurkovo.cz> wrote:
>
>> Hi,
>>
>> By self signed cert, you mean managed cert generated by ovirt itself
>> (engine-setup)?
>>
>> I found an issue https://bugzilla.redhat.com/show_bug.cgi?id=1824103 where
>> it's mentioned that safari (maybe other browsers too) have problems with
>> long self signed CA. If it's not affecting your clients you can change
>> values and regenerate cert by engine-setup.
>>
>> You can always generate SSL cert by hand (openssl or cfssl ...) and
>> replace it by following
>> https://www.ovirt.org/documentation/administration_guide/#Replacing_the_Manager_CA_Certificate
>> .
>>
>> On 4 November 2023 14:18:26 CET, LS CHENG <lsc.or...@gmail.com> wrote:
>>
>>> Hi again
>>>
>>> Forgot to mention that I am using self signed certificates
>>>
>>> Thank you
>>>
>>> On Sat, Nov 4, 2023 at 2:07 PM LS CHENG <lsc.or...@gmail.com> wrote:
>>>
>>>> Hi all
>>>>
>>>> I am running Oracle Linux Virtualization Manager 4.4.
>>>>
>>>> The default expiration length for apache.cer and websocket-proxy.cer is
>>>> 1 year, is there a way to extend them to 10 years?
>>>>
>>>> Thank you
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/U2ELXBFRBVC26USZECMFAC2NGXVF6WED/
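
The renewal conditions listed in the engine-setup prompt quoted in the message above can be checked from a cron job without running engine-setup at all. The script below is an added example, not part of the thread and not oVirt code: it only reads the certificate files given as arguments, it assumes openssl and GNU date are available, and its 30-day warning threshold is an assumption rather than the value engine-setup uses.

```shell
#!/usr/bin/env bash
# Added example (not oVirt code): read-only check of a certificate against
# the renewal conditions listed in the engine-setup prompt quoted above.
# Assumptions: openssl and GNU date are installed; WARN_DAYS is a threshold
# chosen here, not the value engine-setup uses.
MAX_VALIDITY_DAYS=398   # limit named in the engine-setup message

# cert_epoch FILE -startdate|-enddate : print that date as epoch seconds
cert_epoch() {
    local raw
    raw=$(openssl x509 -in "$1" -noout "$2") || return 1
    date -u -d "${raw#*=}" +%s
}

# renewal_reasons FILE [WARN_DAYS] : print one reason per line, nothing if none
renewal_reasons() {
    local cert="$1" warn_days="${2:-30}" start end
    if ! start=$(cert_epoch "$cert" -startdate) ||
       ! end=$(cert_epoch "$cert" -enddate); then
        echo "unreadable-or-invalid-date"
        return 0
    fi
    if ! openssl x509 -in "$cert" -noout -checkend "$((warn_days * 86400))" >/dev/null; then
        echo "expires-soon"
    fi
    if [ "$(( (end - start) / 86400 ))" -gt "$MAX_VALIDITY_DAYS" ]; then
        echo "validity-too-long"
    fi
    if ! openssl x509 -in "$cert" -noout -text |
         grep -q "X509v3 Subject Alternative Name"; then
        echo "no-subjectAltName"
    fi
    return 0
}

# main FILE... : report every certificate that needs attention; returns 1 if any
main() {
    local f reasons status=0
    for f in "$@"; do
        reasons=$(renewal_reasons "$f" 2>/dev/null)
        if [ -n "$reasons" ]; then
            echo "$f: renewal needed:" $reasons
            status=1
        fi
    done
    return "$status"
}

main "$@" || exit 1
```

Pass the full paths of apache.cer and websocket-proxy.cer as arguments; a non-zero exit status means at least one file matched a condition and a renewal should be scheduled.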