Get Host Capabilities failed: General SSLEngine problem
NOTE: Experimental steps. Use at your own discretion. Also note that ultimately, these steps didn't resolve the subject errors though they were successful in updating the VDSM certs. I ended up blowing the cluster away (as I didn't have much on it anyway).
Getting this with oVirt?
VDSM mdskvm-p01.nix.mds.xyz command Get Host Capabilities failed: General SSLEngine problem
You may need to regenerate the certificates:
[root@ovirt01 ~]# openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -enddate -noout ; date
notAfter=Apr 8 17:12:07 2019 GMT
Wed Sep 25 18:22:02 EDT 2019
[root@ovirt01 ~]#
Process is (use mypass as the pass):
# cp -a /etc/pki/ovirt-engine "/etc/pki/ovirt-engine.$(date "+%Y%m%d")"
# SUBJECT="$(openssl x509 -subject -noout -in /etc/pki/ovirt-engine/certs/apache.cer | sed 's/subject= //')"
# /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=apache --password="@PASSWORD@" --subject="${SUBJECT}"
# openssl pkcs12 -passin "pass:@PASSWORD@" -nokeys -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
# openssl pkcs12 -passin "pass:@PASSWORD@" -nocerts -nodes -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/keys/apache.key.nopass
# chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass
Certificate renewals:
https://access.redhat.com/solutions/3028811
Steps to renew other certs:
# cd /usr/share/ovirt-engine/bin/
# SUB="ovirt01.nix.mds.xyz"; SUBA="ovirt01.nix.mds.xyz";
# ./pki-create-ca.sh --subject=/C=US/O=$SUB/CN=$SUBA --keystore-password=mypass
# ./pki-enroll-pkcs12.sh --name=engine --password=mypass --subject=/C=US/O=$SUB/CN=$SUBA
# ./pki-enroll-pkcs12.sh --name=jboss --password=mypass --subject=/C=US/O=$SUB/CN=$SUBA
# ./pki-enroll-pkcs12.sh --name=apache --password=mypass --subject=/C=US/O=$SUB/CN=$SUBA
# ./pki-enroll-pkcs12.sh --name=websocket-proxy --password=mypass --subject=/C=US/O=$SUB/CN=$SUBA
# ./pki-enroll-request.sh --name=engine --subject=/C=US/O=$SUB/CN=$SUBA --days=1800
# ./pki-enroll-request.sh --name=jboss --subject=/C=US/O=$SUB/CN=$SUBA --days=1800
# ./pki-enroll-request.sh --name=apache --subject=/C=US/O=$SUB/CN=$SUBA --days=1800
# ./pki-enroll-request.sh --name=websocket-proxy --subject=/C=US/O=$SUB/CN=$SUBA --days=1800
# openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
# openssl pkcs12 -in /etc/pki/ovirt-engine/keys/websocket-proxy.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
enter import password -> mypass
# ls -al /etc/pki/ovirt-engine/keys/*.key.nopass
# ls -al /etc/pki/ovirt-engine/keys/*.p12
# chown ovirt.root /etc/pki/ovirt-engine/keys/engine.p12
# chown ovirt.root /etc/pki/ovirt-engine/keys/jboss.p12
# chown ovirt.ovirt /etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
# chmod 600 /etc/pki/ovirt-engine/keys/*
# ls -al /etc/pki/ovirt-engine/keys/*.key.nopass
# ls -al /etc/pki/ovirt-engine/keys/*.p12
A handy script for this is:
[root@ovirt01 bin]# cat /root/ovirt-renew.sh
#!/bin/bash
cd /usr/share/ovirt-engine/bin/
SUB="ovirt01.nix.mds.xyz"; SUBA="ovirt01.nix.mds.xyz";
cp -a /etc/pki/ovirt-engine "/etc/pki/ovirt-engine.$(date "+%Y%m%d")"
SUBJECT="$(openssl x509 -subject -noout -in /etc/pki/ovirt-engine/certs/apache.cer | sed 's/subject= //')"
/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=apache --password="@PASSWORD@" --subject="${SUBJECT}"
openssl pkcs12 -passin "pass:@PASSWORD@" -nokeys -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
openssl pkcs12 -passin "pass:@PASSWORD@" -nocerts -nodes -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/keys/apache.key.nopass
chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass
sleep 5;
./pki-create-ca.sh --subject=/C=US/O=$SUB/CN=$SUBA --keystore-password=mypass
./pki-enroll-pkcs12.sh --name=engine --password=mypass --subject=/C=US/O=$SUB/CN=$SUBA
./pki-enroll-pkcs12.sh --name=jboss --password=mypass --subject=/C=US/O=$SUB/CN=$SUBA
./pki-enroll-pkcs12.sh --name=apache --password=mypass --subject=/C=US/O=$SUB/CN=$SUBA
./pki-enroll-pkcs12.sh --name=websocket-proxy --password=mypass --subject=/C=US/O=$SUB/CN=$SUBA
./pki-enroll-request.sh --name=engine --subject=/C=US/O=$SUB/CN=$SUBA --days=1800
./pki-enroll-request.sh --name=jboss --subject=/C=US/O=$SUB/CN=$SUBA --days=1800
./pki-enroll-request.sh --name=apache --subject=/C=US/O=$SUB/CN=$SUBA --days=1800
./pki-enroll-request.sh --name=websocket-proxy --subject=/C=US/O=$SUB/CN=$SUBA --days=1800
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/websocket-proxy.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
ls -al /etc/pki/ovirt-engine/keys/*.key.nopass
ls -al /etc/pki/ovirt-engine/keys/*.p12
chown ovirt.root /etc/pki/ovirt-engine/keys/engine.p12
chown ovirt.root /etc/pki/ovirt-engine/keys/jboss.p12
chown ovirt.ovirt /etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
chmod 600 /etc/pki/ovirt-engine/keys/*
ls -al /etc/pki/ovirt-engine/keys/*.key.nopass
ls -al /etc/pki/ovirt-engine/keys/*.p12
[root@ovirt01 bin]#
Next run engine-setup:
[root@ovirt01 ovirt-engine]# engine-setup
--== PKI CONFIGURATION ==--
One or more of the certificates should be renewed, because they expire soon, or include an invalid expiry date, or do not include the subjectAltName extension, which can cause them to be rejected by recent browsers and up to date hosts.
See https://www.ovirt.org/develop/release-management/features/infra/pki-renew/ for more details.
Renew certificates? (Yes, No) [No]: Yes
At some point during engine-setup it will ask whether to renew the certificates; answer Yes. To renew the VDSM certs, use the following command:
[root@ovirt01 ovirt-engine]#
[root@ovirt01 ovirt-engine]# /usr/libexec/vdsm/vdsm-gencerts.sh /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/certs/vdsmcert.pem
[root@ovirt01 ovirt-engine]# ls -altri /usr/libexec/vdsm/vdsm-gencerts.sh /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/certs/vdsmcert.pem
137408334 -rwxr-xr-x. 1 root root 2362 Jul 9 05:36 /usr/libexec/vdsm/vdsm-gencerts.sh
68603465 -rw-------. 1 vdsm kvm 5823 Sep 28 14:49 /etc/pki/vdsm/keys/vdsmkey.pem
508026 -rw-------. 1 vdsm kvm 1127 Sep 28 14:49 /etc/pki/vdsm/certs/cacert.pem
492099 -rw-------. 1 vdsm kvm 1237 Sep 28 14:49 /etc/pki/vdsm/certs/vdsmcert.pem
[root@ovirt01 ovirt-engine]# openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -noout -dates
notBefore=Sep 27 18:49:14 2019 GMT
notAfter=Sep 27 18:49:15 2020 GMT
[root@ovirt01 ovirt-engine]# vi /usr/libexec/vdsm/vdsm-gencerts.sh
[root@ovirt01 ovirt-engine]#
Do the same on the host:
[root@mdskvm-p01 vdsm]# /usr/libexec/vdsm/vdsm-gencerts.sh /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/certs/vdsmcert.pem
[root@mdskvm-p01 vdsm]#
[root@mdskvm-p01 vdsm]# ls -altri /usr/libexec/vdsm/vdsm-gencerts.sh /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/certs/vdsmcert.pem
67445862 -rwxr-xr-x. 1 root root 2362 Jul 9 05:36 /usr/libexec/vdsm/vdsm-gencerts.sh
45255 -rw-------. 1 vdsm kvm 5816 Sep 28 17:48 /etc/pki/vdsm/keys/vdsmkey.pem
203185926 -rw-------. 1 vdsm kvm 1127 Sep 28 17:48 /etc/pki/vdsm/certs/cacert.pem
203185790 -rw-------. 1 vdsm kvm 1241 Sep 28 17:48 /etc/pki/vdsm/certs/vdsmcert.pem
[root@mdskvm-p01 vdsm]#
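A small check script to run on the engine and on each host before and after the regeneration above, added here as an example and not taken from the original post: it reports days to expiry for each cert file (the same notAfter value the openssl command at the top prints) and verifies that a leaf cert actually chains to the CA file it is given, which is the thing to confirm after regenerating on only one side. Assumes GNU date and openssl; the script name check-certs.sh and the 30-day warning threshold are my own choices.

```shell
#!/bin/bash
# Added example (not from the original post). Expiry and chain check for the
# oVirt/VDSM cert files. Assumes GNU date (date -d) and openssl, as on a CentOS host.

# Whole days until NOT_AFTER (the string openssl prints after "notAfter="),
# measured from NOW in epoch seconds (default: current time). Negative = expired.
days_until() {
    not_after="$1"; now="${2:-$(date -u +%s)}"
    exp="$(date -u -d "$not_after" +%s)" || return 2
    echo $(( (exp - now) / 86400 ))
}

# Classify a day count: EXPIRED, WARNING (under 30 days), or OK.
expiry_label() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -lt 30 ]; then echo WARNING
    else echo OK; fi
}

# Report one PEM file; returns non-zero when it is missing or already expired.
cert_status() {
    pem="$1"
    [ -r "$pem" ] || { echo "MISSING  $pem"; return 1; }
    not_after="$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')"
    days="$(days_until "$not_after")" || return 2
    label="$(expiry_label "$days")"
    echo "$label  $days days  $pem"
    [ "$label" != EXPIRED ]
}

# Does LEAF verify against CAFILE? The engine validates the host cert against
# its own CA, so a leaf that does not chain fails the handshake even when the
# dates are valid. Exit status is openssl's verdict.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: ./check-certs.sh CAFILE LEAF [LEAF...]
#   e.g. ./check-certs.sh /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/certs/vdsmcert.pem
if [ "$#" -ge 2 ]; then
    ca="$1"; shift
    rc=0
    cert_status "$ca" || rc=1
    for leaf in "$@"; do
        cert_status "$leaf" || rc=1
        if verify_chain "$ca" "$leaf"; then echo "CHAIN OK  $leaf -> $ca"
        else echo "CHAIN FAIL  $leaf does not verify against $ca"; rc=1; fi
    done
    exit "$rc"
fi
```

Run it on the engine with the engine CA and apache.cer, and on each host with cacert.pem and vdsmcert.pem; a CHAIN FAIL on the host side means the regenerated host cert is not one the engine will accept, whatever its dates say.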
Additional notes from the oVirt community:
Have this page but it's for version 3.
https://access.redhat.com/solutions/2409751
I wasn't aware of this page. It's quite old, but mostly correct.
However, if you do not mind host downtime, it's much easier to re-enroll
certificates for all hosts, instead of the manual steps mentioned there
(that are quite old, perhaps not up-to-date).
Thinking the process didn't change much but wanted to ask if there's
anything more recent floating around.
I am not aware of anything specifically doing what you want.
Related pages you might want to check:
1. Section "Replacing SHA-1 Certificates with SHA-256 Certificates" of:
https://www.ovirt.org/documentation/upgrade-guide/chap-Post-Upgrade_Tasks.html
2. Only now I noticed that it does not mention the option --san for
setting SubjectAltName. It does appear here:
https://www.ovirt.org/documentation/admin-guide/chap-Utilities.html
See also:
https://www.ovirt.org/develop/release-management/features/infra/pki-renew.html
So I guess (didn't try recently) that if you follow the existing procedures
and generate pki without --san, a later engine-setup will prompt you to renew.
Best regards,
— Didi
If all of the above fails, force remove a host and add it back in:
https://raw.github.com/dougsland/misc-rhev/master/engine_force_remove_Host.py
Cheers,
TK