Bug 2056021
| Summary: | [BUG]: "Enroll Certificate" operation not updating libvirt-vnc cert and key | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | nsurati |
| Component: | ovirt-engine | Assignee: | Dana <delfassy> |
| Status: | CLOSED ERRATA | QA Contact: | Pavol Brilla <pbrilla> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 4.4.9 | CC: | andrew, emarcus, mavital, mperina, pbrilla, rik.theys |
| Target Milestone: | ovirt-4.5.0 | ||
| Target Release: | 4.5.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ovirt-engine-4.5.0.1 | Doc Type: | Release Note |
| Doc Text: |
Previously, renewing of the libvirt-vnc certificate was omitted during the Enroll Certificate flow. With the release of RHV 4.4 SP1 and libvirt-vnc certificates are renewed during the Enroll Certificate flow.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-05-26 16:23:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
nsurati
2022-02-18 12:09:16 UTC
Hi, We are affected by this bug as our libvirt-vnc certificate has expired. We can no longer start/migrate VM's on these hosts. Are there any instructions on how to manually update these certificates until this issue is resolved? Regards, Rik Rik, If only vnc certs affected. Following steps should help Please run following command to on Host to renew VNC certs. # TIMESTAMP=$(date +%Y%m%d%H%M%S) # mv -v /etc/pki/vdsm/libvirt-vnc/server-cert.pem etc/pki/vdsm/libvirt-vnc/server-cert.pem.$TIMESTAMP # mv -v /etc/pki/vdsm/libvirt-vnc/server-key.pem etc/pki/vdsm/libvirt-vnc/server-key.pem.$TIMESTAMP # cp -v /etc/pki/vdsm/libvirt-spice/server-cert.pem /etc/pki/vdsm/libvirt-vnc/server-cert.pem # cp -v /etc/pki/vdsm/libvirt-spice/server-key.pem /etc/pki/vdsm/libvirt-vnc/server-key.pem Hi, (In reply to nsurati from comment #3) > > If only vnc certs affected. Following steps should help > I used this workaround (using a symlink instead of copying the file) to make sure I can start/migrate VM's again, but it seems the VNC console no longer works. Which is strange as I don't see any specific settings in the original cert and they seem signed by the same CA, so I'm not sure if this problem existed before. Regards, Rik (In reply to Rik Theys from comment #4) > Hi, > > (In reply to nsurati from comment #3) > > > > If only vnc certs affected. Following steps should help > > > > I used this workaround (using a symlink instead of copying the file) to make > sure I can start/migrate VM's again, but it seems the VNC console no longer > works. > > Which is strange as I don't see any specific settings in the original cert > and they seem signed by the same CA, so I'm not sure if this problem existed > before. > > Regards, > Rik You can try couple of things to conclude. - Restart vdsmd and libvirtd service ( Note: Power Management Host should be disable while restarting ) - shutdown and then start the VM. OR just try to create new VM and take console. Verified on Software Version:4.5.0.5-0.7.el8ev Enroll Certificate updated also server-cert.pem on host machine Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:4711 Due to QE capacity, we are not going to cover this issue in our automation |