Bug 1783337

Summary: Rename tools does not renew certificates and engine config for websocket
Product: [oVirt] ovirt-engine Reporter: Ivana Saranova <isaranov>
Component: Tools.RenameAssignee: Yedidyah Bar David <didi>
Status: CLOSED CURRENTRELEASE QA Contact: Ivana Saranova <isaranov>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.4.0CC: bugs, didi, lleistne
Target Milestone: ovirt-4.4.1Flags: pm-rhel: ovirt-4.4+
sbonazzo: planning_ack?
sbonazzo: devel_ack+
lleistne: testing_ack+
Target Release: 4.4.1.7   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ovirt-engine-4.4.1.7 Doc Type: Bug Fix
Doc Text:
Previously, the rename tool did not renew the `websocketproxy` certificates and did not update the value of `WebSocketProxy` in the engine configuration. This caused issues such as the VNC browser console not being able to connect to the server. The current release fixes this issue. Now, `ovirt-engine-rename` handles the websocket proxy correctly. It regenerates the certificate, restarts the service, and updates the value of `WebSocketProxy`.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-05 06:25:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Integration RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1853196    

Description Ivana Saranova 2019-12-13 15:27:45 UTC 
Description of problem:
After using the rename tool, the websocketproxy certificates are not renewed and WebSocketProxy value in engine config is not updated. This causes for example VNC browser console not connecting to the server.

Version-Release number of selected component (if applicable):
ovirt-engine-4.4.0-0.0.master.20191204120550.git04d5d05.el7.noarch
ovirt-engine-websocket-proxy-4.4.0-0.0.master.20191204120550.git04d5d05.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Run rename tool
2. Check websocketproxy certificates, for example subject name
3. Check engine config WebSocketProxy value

Actual results:
Websocketproxy certificates and WebSocketProxy in engine-config contain the old hostname or IP.

Expected results:
Websocketproxy certificates and WebSocketProxy in engine-config contain the new hostname or IP.

Additional info:
Workaround was to change the value in engine-config
``` engine-config -s WebSocketProxy=10-37-137-181.rhev.lab.eng.brq.redhat.com:6100 ```
and renew the certificates like this: https://access.redhat.com/solutions/1289423
Comment 1 Sandro Bonazzola 2019-12-18 08:11:46 UTC 
We need to conside also what happens if websocket proxy is not running on the same host running the engine.
Comment 2 Ivana Saranova 2020-07-13 20:31:06 UTC 
Steps:
1. Run rename tool (also run engine-setup and reboot if needed)
2. Check websocketproxy certificates, for example subject name
`vi /etc/pki/ovirt-engine/certs/websocket-proxy.cer`
3. Check engine config WebSocketProxy value
`engine-config -g WebSocketProxy`


Results:
The Engine config value is correct and the subject CN value in websocket-proxy and apache cers is also correct.
 
However, some records where subject was not correct were found in cers for engine, jboss and vmconsole-proxy-helper. A separate issue for this should be created.

Verified in:
ovirt-engine-4.4.1.8-0.7.el8ev.noarch
ovirt-engine-websocket-proxy-4.4.1.8-0.7.el8ev.noarch
Comment 3 Sandro Bonazzola 2020-08-05 06:25:30 UTC 
This bugzilla is included in oVirt 4.4.1 release, published on July 8th 2020.

Since the problem described in this bug report should be resolved in oVirt 4.4.1 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.
Comment 4 Rolfe Dlugy-Hegwer 2020-08-15 15:45:47 UTC 
Please review the updated Doc Text. Thank you.
Comment 5 Yedidyah Bar David 2020-08-18 06:54:23 UTC 
Looks good to me.