Bug 1988496
| Summary: | vmconsole-proxy-helper.cer is not renewed when running engine-setup | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Federico Sun <fsun> |
| Component: | ovirt-engine | Assignee: | Milan Zamazal <mzamazal> |
| Status: | CLOSED ERRATA | QA Contact: | Qin Yuan <qiyuan> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 4.4.6 | CC: | ableisch, ahadas, alolivei, betrayonu, bugs, emarcus, ffutigam, mavital, michal.skrivanek, mzamazal, nsurati, sbonazzo |
| Target Milestone: | ovirt-4.5.0-1 | Keywords: | ZStream |
| Target Release: | 4.5.0 | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ovirt-engine-4.5.0.5 | Doc Type: | Bug Fix |
| Doc Text: |
Previously, the vmconsole-proxy-helper certificate was not renewed when needed. With this release, the certificate is renewed each time following the CA certificate update.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-05-26 16:23:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | Virt | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Federico Sun
2021-07-30 16:38:00 UTC
A workaround: # cd /etc/pki/ovirt-engine # rm ./keys/vmconsole-proxy-helper.p12 ./keys/vmconsole-proxy-helper.key.nopass ./certs/vmconsole-proxy-helper.cer # engine-setup --offline I consider not touching/using the renew code but instead do something like [1], but for the helper. I think it should be enough, and due to the need to handle EKU, much simpler. [1] https://gerrit.ovirt.org/c/ovirt-engine/+/108416 Milan, can you please have a look and/or take over? Thanks. I'll look at it. The current fix only renews vmconsole cert when the engine CA cert is newer than the vmconsole cert. Moving back to assigned for also renewing vmconsole cert when engine CA cert has longer expiration than vmconsole cert and the vmconsole cert has expired. *** Bug 2077907 has been marked as a duplicate of this bug. *** Verified with: ovirt-engine-4.5.0.5-0.7.el8ev.noarch Steps: 1. Update engine CA cert to make it newer than vmconsole-proxy-helper.cer, then run `engine-setup --offline` and check if vmconsole-proxy-helper.cer is refreshed. 2. Make vmconsole-proxy-helper.cer expire, but engine CA not expire, such as changing the system date, then run `engine-setup --offline` and check if vmconsole-proxy-helper.cer is refreshed. Results: 1. vmconsole-proxy-helper.cer is refreshed during engine-setup when the engine CA cert is updated. 2. vmconsole-proxy-helper.cer is refreshed during engine-setup when vmconsole-proxy-helper.cer is expired. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:4711 Due to QE capacity, we are not going to cover this issue in our automation running engine-setup should give you the opportunity to update expired or expiring certificates. If you don't want to upgrade your system you can run it with the offline option on https://asmallworldcup.com |