Get Host Capabilities failed: General SSLEngine problem

NOTE: Experimental steps.  Use at your own discretion.  Also note that ultimately, these steps didn't resolve the subject errors though they were successful in updating the VDSM certs.  I ended up blowing the cluster away (as I didn't have much on it anyway).

Getting this with oVirt?

VDSM mdskvm-p01.nix.mds.xyz command Get Host Capabilities failed: General SSLEngine problem

You may need to regenerate the certificates:

[root@ovirt01 ~]# openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -enddate -noout ; date
notAfter=Apr  8 17:12:07 2019 GMT
Wed Sep 25 18:22:02 EDT 2019
[root@ovirt01 ~]#

The process is as follows (use mypass as the password wherever one is required):

# cp -a /etc/pki/ovirt-engine "/etc/pki/ovirt-engine.$(date "+%Y%m%d")"
# SUBJECT="$(openssl x509 -subject -noout -in /etc/pki/ovirt-engine/certs/apache.cer | sed 's/subject= //')"
# /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=apache --password="@PASSWORD@" --subject="${SUBJECT}"
# openssl pkcs12 -passin "pass:@PASSWORD@" -nokeys -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
# openssl pkcs12 -passin "pass:@PASSWORD@" -nocerts -nodes -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/keys/apache.key.nopass
# chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass

Certificate renewals:

https://access.redhat.com/solutions/3028811

Steps to renew other certs:

# cd /usr/share/ovirt-engine/bin/
# SUB="ovirt01.nix.mds.xyz"; SUBA="ovirt01.nix.mds.xyz";

# ./pki-create-ca.sh --subject=/C=US/O=$SUB/CN=$SUBA --keystore-password=mypass

# ./pki-enroll-pkcs12.sh --name=engine --password=mypass --subject=/C=US/O=$SUB/CN=$SUBA
# ./pki-enroll-pkcs12.sh --name=jboss --password=mypass --subject=/C=US/O=$SUB/CN=$SUBA
# ./pki-enroll-pkcs12.sh --name=apache --password=mypass --subject=/C=US/O=$SUB/CN=$SUBA
# ./pki-enroll-pkcs12.sh --name=websocket-proxy --password=mypass --subject=/C=US/O=$SUB/CN=$SUBA

# ./pki-enroll-request.sh --name=engine --subject=/C=US/O=$SUB/CN=$SUBA --days=1800
# ./pki-enroll-request.sh --name=jboss --subject=/C=US/O=$SUB/CN=$SUBA --days=1800
# ./pki-enroll-request.sh --name=apache --subject=/C=US/O=$SUB/CN=$SUBA --days=1800
# ./pki-enroll-request.sh --name=websocket-proxy --subject=/C=US/O=$SUB/CN=$SUBA --days=1800


# openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
# openssl pkcs12 -in /etc/pki/ovirt-engine/keys/websocket-proxy.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
  (at the "Enter Import Password" prompt, enter mypass)


# ls -al /etc/pki/ovirt-engine/keys/*.key.nopass
# ls -al /etc/pki/ovirt-engine/keys/*.p12
# chown ovirt.root /etc/pki/ovirt-engine/keys/engine.p12
# chown ovirt.root /etc/pki/ovirt-engine/keys/jboss.p12
# chown ovirt.ovirt /etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
# chmod 600 /etc/pki/ovirt-engine/keys/*
# ls -al /etc/pki/ovirt-engine/keys/*.key.nopass
# ls -al /etc/pki/ovirt-engine/keys/*.p12

A handy script for this is:

[root@ovirt01 bin]# cat /root/ovirt-renew.sh
#!/bin/bash

cd /usr/share/ovirt-engine/bin/
SUB="ovirt01.nix.mds.xyz"; SUBA="ovirt01.nix.mds.xyz";

# Back up the whole engine PKI tree before touching anything.
cp -a /etc/pki/ovirt-engine "/etc/pki/ovirt-engine.$(date "+%Y%m%d")"
# Re-enroll the apache cert with its existing subject (the literal @PASSWORD@ is used consistently below).
SUBJECT="$(openssl x509 -subject -noout -in /etc/pki/ovirt-engine/certs/apache.cer | sed 's/subject= //')"
/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=apache --password="@PASSWORD@" --subject="${SUBJECT}"
openssl pkcs12 -passin "pass:@PASSWORD@" -nokeys -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
openssl pkcs12 -passin "pass:@PASSWORD@" -nocerts -nodes -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/keys/apache.key.nopass
chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass

sleep 5;

# Regenerate the engine CA. Every certificate signed by the old CA (including host certs) stops
# verifying after this, so hosts must be re-enrolled afterwards.
./pki-create-ca.sh --subject=/C=US/O=$SUB/CN=$SUBA --keystore-password=mypass

./pki-enroll-pkcs12.sh --name=engine --password=mypass --subject=/C=US/O=$SUB/CN=$SUBA
./pki-enroll-pkcs12.sh --name=jboss --password=mypass --subject=/C=US/O=$SUB/CN=$SUBA
./pki-enroll-pkcs12.sh --name=apache --password=mypass --subject=/C=US/O=$SUB/CN=$SUBA
./pki-enroll-pkcs12.sh --name=websocket-proxy --password=mypass --subject=/C=US/O=$SUB/CN=$SUBA

./pki-enroll-request.sh --name=engine --subject=/C=US/O=$SUB/CN=$SUBA --days=1800
./pki-enroll-request.sh --name=jboss --subject=/C=US/O=$SUB/CN=$SUBA --days=1800
./pki-enroll-request.sh --name=apache --subject=/C=US/O=$SUB/CN=$SUBA --days=1800
./pki-enroll-request.sh --name=websocket-proxy --subject=/C=US/O=$SUB/CN=$SUBA --days=1800

# Extract the passwordless keys; these two prompt for the import password (mypass).
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/websocket-proxy.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass

# Restore ownership and restrict permissions on the key material.
ls -al /etc/pki/ovirt-engine/keys/*.key.nopass
ls -al /etc/pki/ovirt-engine/keys/*.p12
chown ovirt.root /etc/pki/ovirt-engine/keys/engine.p12
chown ovirt.root /etc/pki/ovirt-engine/keys/jboss.p12
chown ovirt.ovirt /etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
chmod 600 /etc/pki/ovirt-engine/keys/*
ls -al /etc/pki/ovirt-engine/keys/*.key.nopass
ls -al /etc/pki/ovirt-engine/keys/*.p12

[root@ovirt01 bin]#

Next run engine-setup:

[root@ovirt01 ovirt-engine]# engine-setup
          --== PKI CONFIGURATION ==--

          One or more of the certificates should be renewed, because they expire soon, or include an invalid expiry date, or do not include the subjectAltName extension, which can cause them to be rejected by recent browsers and up to date hosts.
          See https://www.ovirt.org/develop/release-management/features/infra/pki-renew/ for more details.
          Renew certificates? (Yes, No) [No]: Yes

At some point during engine-setup it will ask to renew the certificates, as shown above.  Answer Yes.  To renew the VDSM certs, use the following command:

[root@ovirt01 ovirt-engine]#
[root@ovirt01 ovirt-engine]# /usr/libexec/vdsm/vdsm-gencerts.sh /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/keys/vdsmkey.pem  /etc/pki/vdsm/certs/vdsmcert.pem
[root@ovirt01 ovirt-engine]# ls -altri /usr/libexec/vdsm/vdsm-gencerts.sh /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/keys/vdsmkey.pem  /etc/pki/vdsm/certs/vdsmcert.pem
137408334 -rwxr-xr-x. 1 root root 2362 Jul  9 05:36 /usr/libexec/vdsm/vdsm-gencerts.sh
 68603465 -rw-------. 1 vdsm kvm  5823 Sep 28 14:49 /etc/pki/vdsm/keys/vdsmkey.pem
   508026 -rw-------. 1 vdsm kvm  1127 Sep 28 14:49 /etc/pki/vdsm/certs/cacert.pem
   492099 -rw-------. 1 vdsm kvm  1237 Sep 28 14:49 /etc/pki/vdsm/certs/vdsmcert.pem
[root@ovirt01 ovirt-engine]# openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -noout   -dates
notBefore=Sep 27 18:49:14 2019 GMT
notAfter=Sep 27 18:49:15 2020 GMT
[root@ovirt01 ovirt-engine]# vi /usr/libexec/vdsm/vdsm-gencerts.sh
[root@ovirt01 ovirt-engine]#
[root@ovirt01 ovirt-engine]#


Do the same on the host:

[root@mdskvm-p01 vdsm]# /usr/libexec/vdsm/vdsm-gencerts.sh /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/keys/vdsmkey.pem  /etc/pki/vdsm/certs/vdsmcert.pem
[root@mdskvm-p01 vdsm]#
[root@mdskvm-p01 vdsm]# ls -altri /usr/libexec/vdsm/vdsm-gencerts.sh /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/keys/vdsmkey.pem  /etc/pki/vdsm/certs/vdsmcert.pem
 67445862 -rwxr-xr-x. 1 root root 2362 Jul  9 05:36 /usr/libexec/vdsm/vdsm-gencerts.sh
    45255 -rw-------. 1 vdsm kvm  5816 Sep 28 17:48 /etc/pki/vdsm/keys/vdsmkey.pem
203185926 -rw-------. 1 vdsm kvm  1127 Sep 28 17:48 /etc/pki/vdsm/certs/cacert.pem
203185790 -rw-------. 1 vdsm kvm  1241 Sep 28 17:48 /etc/pki/vdsm/certs/vdsmcert.pem
[root@mdskvm-p01 vdsm]#
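A check worth scripting once the certs have been regenerated on engine and host (an added example, not from the original post): it reports the expiry of the certificate files the post touches and confirms that vdsmcert.pem still verifies against cacert.pem, since a host certificate that no longer chains to the CA fails the engine-to-host TLS handshake even when its dates look fine. The paths are the oVirt defaults used above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: expiry and chain check for the
# oVirt/VDSM certificate files referenced above (default oVirt paths).

# Print the notAfter date of a PEM certificate.
cert_end_date() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Return 0 if the certificate expires within $2 days (default 30) or already
# has, 1 if it stays valid beyond that window. openssl -checkend does the
# date arithmetic, so no locale-dependent date parsing is needed.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Return 0 if certificate $2 verifies against CA file $1, 1 otherwise.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Report on each known cert file; the return value is the number of problems,
# so the function can drive a cron job or monitoring check directly.
check_ovirt_certs() {
    warn_days="${1:-30}"; problems=0
    for cert in /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/certs/cacert.pem \
                /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/engine.cer; do
        if [ ! -r "$cert" ]; then
            echo "SKIP $cert (not readable)"
        elif cert_expires_within "$cert" "$warn_days"; then
            echo "WARN $cert expires $(cert_end_date "$cert")"
            problems=$((problems + 1))
        else
            echo "OK   $cert expires $(cert_end_date "$cert")"
        fi
    done
    # A regenerated host cert that no longer chains to the CA fails the
    # engine<->host TLS handshake even though its dates look fine.
    if [ -r /etc/pki/vdsm/certs/cacert.pem ] && [ -r /etc/pki/vdsm/certs/vdsmcert.pem ] &&
       ! cert_chains_to /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/certs/vdsmcert.pem; then
        echo "WARN vdsmcert.pem does not verify against cacert.pem"
        problems=$((problems + 1))
    fi
    return "$problems"
}

check_ovirt_certs "${1:-30}"
```

Run it on both the engine and each host; a WARN on the chain check after running vdsm-gencerts.sh separately on each machine means the two sides no longer share a CA.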

Additional notes from the oVirt community:

I have this page, but it's for version 3.

https://access.redhat.com/solutions/2409751
I wasn't aware of this page. It's quite old, but mostly correct.
However, if you do not mind host downtime, it's much easier to re-enroll
certificates for all hosts, instead of the manual steps mentioned there
(that are quite old, perhaps not up-to-date).

Thinking the process didn't change much but wanted to ask if there's
anything more recent floating around.
I am not aware of anything specifically doing what you want.

Related pages you might want to check:

1. Section "Replacing SHA-1 Certificates with SHA-256 Certificates" of:

https://www.ovirt.org/documentation/upgrade-guide/chap-Post-Upgrade_Tasks.html

2. Only now I noticed that it does not mention the option --san for
setting SubjectAltName. It does appear here:

https://www.ovirt.org/documentation/admin-guide/chap-Utilities.html

See also:

https://www.ovirt.org/develop/release-management/features/infra/pki-renew.html

So I guess (didn't try recently) that if you follow the existing procedures
and generate pki without --san, a later engine-setup will prompt you to renew.

Best regards,

— Didi

If all of the above fails, force remove a host and add it back in:

https://raw.github.com/dougsland/misc-rhev/master/engine_force_remove_Host.py

Cheers,
TK

  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License