Bug 1686445

Summary: hosted-engine deploy (restore-from-file) fails if certificates are not up to date in backup file.
Product: Red Hat Enterprise Virtualization Manager
Reporter: Ameya Charekar <achareka>
Component: ovirt-hosted-engine-setup
Assignee: Simone Tiraboschi <stirabos>
Status: CLOSED ERRATA
QA Contact: Nikolai Sednev <nsednev>
Severity: low
Priority: medium
Version: 4.2.8-3
CC: didi, lsurette, lsvaty, mtessun, sborella
Target Milestone: ovirt-4.3.3
Keywords: Triaged
Target Release: 4.3.0
Flags: lsvaty: testing_plan_complete-
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ovirt-hosted-engine-setup-2.3.7
Doc Type: If docs needed, set a value
Doc Text:
This bug fix allows the restore-from-file command to execute even if a certificate is not current or is expiring soon. If an error message persists while executing the command, one workaround is to renew the certificates at restore time prior to executing the command to restore-from-file.
Last Closed: 2019-05-08 12:32:05 UTC
Type: Bug
oVirt Team: Integration
Bug Depends On: 1699913

Description Ameya Charekar 2019-03-07 13:31:51 UTC
Description of problem:

The hosted-engine deploy (restore-from-file) fails when the engine-backup file does not have renewed certificates, as engine-setup fails in "PKI CONFIGURATION":

~~~
        "          --== PKI CONFIGURATION ==--",
        "         ",
        "          One or more of the certificates should be renewed, because they expire soon, or include an invalid expiry date, or do not include the subjectAltName extension, which can cause them to be rejected by recent browsers and up to date hosts.",
        "          See https://access.redhat.com/solutions/1572983 for more details.",
        "          Renew certificates? (Yes, No) [No]: ",
        "          Are you really sure that you want to skip the PKI renewal process?",
        "          Please notice that recent openssl and gnutls upgrades can lead hosts refusing this CA cert making them unusable.",
        "          If you choose \"Yes\", setup will continue and you will be asked again the next time you run this Setup. Otherwise, this process will abort and you will be expected to plan a proper upgrade according to https://access.redhat.com/solutions/1572983.",
        "          Skip PKI renewal process? (Yes, No) [No]: ",
        "[ ERROR ] Failed to execute stage 'Environment customization': Aborted by user",
        "[ INFO  ] Stage: Clean up",
        "          Log file is located at /var/log/ovirt-engine/setup/ovirt-engine-setup-20190228225058-gmnhe4.log",
        "[ INFO  ] Generating answer file '/var/lib/ovirt-engine/setup/answers/20190228225101-setup.conf'",
        "[ INFO  ] Stage: Pre-termination",
        "[ INFO  ] Stage: Termination",
        "[ ERROR ] Execution of setup failed"
    ]
~~~


Version-Release number of selected component (if applicable):
RHV 4.2.8-3

How reproducible:
Always


Steps to Reproduce:
1. Have a backup_file without renewed certificates.
2. hosted-engine --deploy --restore-from-file=backup/file_name
3. deployment fails

Actual results:
Deployment fails.

Expected results:
Deployment should be successful.

Additional info:
Workaround is to renew certificates before collecting backup file with engine-backup.
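
Added example, not part of the bug report or of oVirt's own code: a pre-flight check an operator could run against the engine's certificates before taking the backup, covering two of the conditions the PKI prompt above lists (expiring soon, missing subjectAltName). The `cert_renewal_reasons` helper, the certificate paths passed to it and the 365-day window are assumptions, not the thresholds engine-setup applies.

```shell
#!/usr/bin/env bash
# Added example: report why a certificate would likely trigger a renewal prompt.
# Assumptions: certificate paths are supplied by the operator; the 365-day
# default window is a placeholder, not the value engine-setup uses.

# cert_renewal_reasons PEM [DAYS] [CHECK_SAN]
# Prints one reason per line. Returns 0 when nothing was found, 1 when at
# least one reason was found, 2 when the file is not a PEM certificate.
cert_renewal_reasons() {
    local pem="$1" days="${2:-365}" check_san="${3:-yes}" reasons=0
    if ! openssl x509 -in "$pem" -noout 2>/dev/null; then
        echo "unreadable: $pem is not a PEM X.509 certificate"
        return 2
    fi
    # -checkend exits non-zero if notAfter falls within the next N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo "expiry: $(openssl x509 -in "$pem" -noout -enddate) is within ${days} days or already past"
        reasons=1
    fi
    # Server certificates need subjectAltName; pass CHECK_SAN=no for a CA certificate.
    if [ "$check_san" = yes ] &&
       ! openssl x509 -in "$pem" -noout -text | grep -q 'Subject Alternative Name'; then
        echo "san: no subjectAltName extension"
        reasons=1
    fi
    return "$reasons"
}

# Stand-alone use: check every certificate named on the command line.
# DAYS and CHECK_SAN may be set in the environment to override the defaults.
if [ "$#" -gt 0 ]; then
    status=0
    for cert in "$@"; do
        echo "== $cert"
        cert_renewal_reasons "$cert" "${DAYS:-365}" "${CHECK_SAN:-yes}" || status=1
    done
    exit "$status"
fi
```

A non-zero exit before running engine-backup means the restore is likely to hit the renewal prompt shown above.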

Comment 3 Yedidyah Bar David 2019-03-31 08:59:37 UTC
See also bug 1688184. Users should already be notified.

Comment 4 Nikolai Sednev 2019-04-16 21:41:52 UTC
During restore I saw the appropriate message, as follows:
Renew engine CA on restore if needed? Please notice that if you choose Yes, all hosts will have to be later manually reinstalled from the engine. (Yes, No)[No]: 
I continued with the "No" option and the restore finished just fine.
The host had its date manually set to later than the date that appeared within the CA certificate in the engine's backup.

Tested using these components:
rhvm-appliance-4.3-20190409.0.el7.x86_64
virt-hosted-engine-setup-2.3.7-1.el7ev.noarch
ovirt-hosted-engine-ha-2.3.1-1.el7ev.noarch
Linux 3.10.0-957.10.1.el7.x86_64 #1 SMP Thu Feb 7 07:12:53 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux Server release 7.6 (Maipo)


Moving to verified.

Comment 6 errata-xmlrpc 2019-05-08 12:32:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:1050
