Bug 2075352 - upgrading RHV-H does not renew certificate

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | upgrading RHV-H does not renew certificate | | |
| Product | Red Hat Enterprise Virtualization Manager | Reporter | Marcus West <mwest> |
| Component | vdsm | Assignee | Michal Skrivanek <michal.skrivanek> |
| Status | CLOSED ERRATA | QA Contact | cshao <cshao> |
| Severity | high | Docs Contact | |
| Priority | unspecified | | |
| Version | 4.4.10 | CC | cdwertma, emarcus, lsurette, michal.skrivanek, mkalinin, mperina, srevivo, yaniwang, ycui |
| Target Milestone | ovirt-4.5.0-1 | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | 4.5.0-10 | Doc Type | Rebase: Bug Fixes and Enhancements |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2022-05-26 16:24:18 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | Infra | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2079890 | | |
| Bug Blocks | | | |

Doc Text:

The following changes have been made to the way certificates are generated:

- Internal CA is issued for 20 years.
- Internal certificates are valid for 5 years.
- Internal HTTPS certificates (apache, websocket proxy) are valid for 398 days.
- CA is renewed 60 days before expiration.
- Certificates are renewed 365 days before expiration (CertExpirationWarnPeriodInDays, configurable via engine-config).
- CertExpirationAlertPeriodInDays (defaulting to 30) is now also configurable by engine-config.

Note that engine certificates and CA are checked/renewed only during engine-setup. Certificates on hosts are checked/renewed during host upgrade or a manual Enroll certificates action.
Description
Marcus West
2022-04-14 00:00:06 UTC

cluster_upgrade executes the 'Host Upgrade' flow for each host, and as a part of cluster upgrade certificates are renewed only 7 days before expiring (this period has been extended to 30 days as a part of BZ2056126). If you want to force renewing the certificate, you need to run 'Enroll Certificate' for each affected host.

---

Comment #6 (Christoph Dwertmann)

@mperina Consider the following scenario:

On day 1 I install RHV. Between days 2 and 368 I may or may not upgrade the RHV cluster from time to time, but the certificates do not get renewed during this period. Between days 369 and 398 I don't upgrade the cluster, maybe because there is no new update available. On day 399 my production cluster falls apart as the certificates have expired.

I manage all RHV clusters via ansible only and never use the UI, so I didn't see any of the cert expiry warning popups.

I know that the "re-enroll" function renews the certificate regardless of how many days are left in the validity period. What is the logic behind the "renew certs during upgrade only when there is less than 30 days validity remaining" rule?

---

(In reply to Christoph Dwertmann from comment #6)
> @mperina Consider the following scenario:
>
> On day 1 I install RHV. Between days 2 and 368 I may or may not upgrade the
> RHV cluster from time to time, but the certificates do not get renewed
> during this period. Between days 369 and 398 I don't upgrade the cluster,
> maybe because there is no new update available. On day 399 my production
> cluster falls apart as the certificates have expired.

correct

> I manage all RHV clusters via ansible only and never use the UI, so I didn't
> see any of the cert expiry warning popups.

you should route the warnings (e.g. using ovirt-engine-notifier) to the system that you use, SNMP traps, emails... Not watching for any alert/error coming from RHV is not a good idea in general.

> I know that the "re-enroll" function renews the certificate regardless of
> how many days are left in the validity period. What is the logic behind the
> "renew certs during upgrade only when there is less than 30 days validity
> remaining" rule?

it's not the best logic; it's a result of various changes and adjustments in the past, and it's indeed problematic. We're fixing that in bug 2079890

---

upstream bug is moving to 4.5.0-1, moving this accordingly

---

Test version:
rhvh-4.4.6.1-0.20210527.0
rhvh-4.4.10.3-0.20220321.0
engine 4.5.0-10

Test steps:
1. Install rhvh-4.4.6.1-0.20210527.0
2. register to engine 4.5.0-10
3. upgrade to rhvh-4.4.10.3-0.20220321.0
4. manual Enroll certificates

Test result:
1. After step 3, Certificates on hosts are not renewed
2. After step 4, Certificates on hosts are renewed.

    # openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -noout -dates
    notBefore=May 10 17:29:07 2022 GMT
    notAfter=May 12 17:29:07 2027 GMT

    # openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -noout -dates
    notBefore=May 10 18:38:07 2022 GMT
    notAfter=May 12 18:38:07 2027 GMT

So the bug is fixed, change bug status to VERIFIED.

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4711
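Added example, not code from this bug report, from oVirt or from vdsm: a Python check that parses the `openssl x509 -noout -dates` output quoted in the QA comment, evaluates the remaining validity against the Doc Text thresholds (365-day warn period, 30-day alert period), and replays the reporter's day-1 / day-399 scenario under the pre-fix "renew on upgrade only inside the last 30 days" rule and the post-fix 365-day rule. The threshold values are the documented defaults; the 398-day validity used in the scenario is taken from the reporter's description; the sample inputs are the two openssl outputs from the QA comment, in the order given there. Function names and the status labels are this example's own.

```python
"""Check an RHV/oVirt host certificate against the engine's renewal thresholds.

Added example for bug 2075352; not code from oVirt, vdsm or the reporter.
Input is the text printed by `openssl x509 -noout -dates`.
"""
import re
from datetime import datetime, timezone

# Defaults quoted in the Doc Text. The engine-config key names are real;
# the numbers are the documented defaults, not values read from an engine.
CERT_EXPIRATION_WARN_PERIOD_DAYS = 365    # CertExpirationWarnPeriodInDays
CERT_EXPIRATION_ALERT_PERIOD_DAYS = 30    # CertExpirationAlertPeriodInDays
PRE_FIX_UPGRADE_RENEW_DAYS = 30           # host-upgrade rule described in the thread

_DATE_LINE = re.compile(r"^(notBefore|notAfter)=(.+?)\s*$", re.MULTILINE)
_OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"   # e.g. "May 12 17:29:07 2027 GMT"

# Constructed samples: the two outputs pasted in the QA comment, in that order.
SAMPLE_FIRST = "notBefore=May 10 17:29:07 2022 GMT\nnotAfter=May 12 17:29:07 2027 GMT\n"
SAMPLE_SECOND = "notBefore=May 10 18:38:07 2022 GMT\nnotAfter=May 12 18:38:07 2027 GMT\n"


def parse_openssl_date(value):
    """Turn one openssl date string into an aware UTC datetime."""
    return datetime.strptime(value.strip(), _OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)


def parse_openssl_dates(text):
    """Parse `openssl x509 -noout -dates` output into {'notBefore': dt, 'notAfter': dt}."""
    dates = {key: parse_openssl_date(value) for key, value in _DATE_LINE.findall(text)}
    missing = {"notBefore", "notAfter"} - dates.keys()
    if missing:
        raise ValueError(f"missing fields in openssl output: {sorted(missing)}")
    return dates


def days_until_expiry(not_after, now):
    """Whole days of validity left; negative once the certificate has expired."""
    return (not_after - now).days


def classify(days_left, warn_days=CERT_EXPIRATION_WARN_PERIOD_DAYS,
             alert_days=CERT_EXPIRATION_ALERT_PERIOD_DAYS):
    """Map remaining days onto the three thresholds from the Doc Text."""
    if days_left < 0:
        return "expired"
    if days_left < alert_days:
        return "alert"                # inside CertExpirationAlertPeriodInDays
    if days_left < warn_days:
        return "renew-on-upgrade"     # inside CertExpirationWarnPeriodInDays
    return "ok"


def renewed_on_upgrade(days_left, renew_window_days):
    """The host-upgrade flow renews only when fewer than the window's days remain."""
    return days_left < renew_window_days


def report(openssl_output, now_text):
    """Evaluate one host certificate at a given moment (both in openssl date format)."""
    dates = parse_openssl_dates(openssl_output)
    now = parse_openssl_date(now_text)
    days_left = days_until_expiry(dates["notAfter"], now)
    return {
        "not_after": dates["notAfter"].isoformat(),
        "days_left": days_left,
        "status": classify(days_left),
        "renewed_by_upgrade_pre_fix": renewed_on_upgrade(days_left, PRE_FIX_UPGRADE_RENEW_DAYS),
        "renewed_by_upgrade_post_fix": renewed_on_upgrade(days_left, CERT_EXPIRATION_WARN_PERIOD_DAYS),
    }


def upgrade_scenario(install_day, upgrade_day, validity_days=398):
    """Replay the reporter's scenario: certificate issued on install day, valid
    `validity_days` (398 per the day-1/day-399 description), host upgraded on
    `upgrade_day`. Shows whether each rule would renew it during that upgrade."""
    days_left = validity_days - (upgrade_day - install_day)
    return {
        "days_left": days_left,
        "pre_fix_renews": renewed_on_upgrade(days_left, PRE_FIX_UPGRADE_RENEW_DAYS),
        "post_fix_renews": renewed_on_upgrade(days_left, CERT_EXPIRATION_WARN_PERIOD_DAYS),
    }


if __name__ == "__main__":
    # Evaluate the QA sample shortly after it was issued (constructed "now").
    print(report(SAMPLE_FIRST, "May 10 18:00:00 2022 GMT"))
    # Upgrade on day 300: the old rule skips renewal, the new rule renews.
    print(upgrade_scenario(install_day=1, upgrade_day=300))
```

Running the scenario for an upgrade on day 300 gives 99 days of validity left: the pre-fix 30-day window leaves the certificate untouched, which is exactly the gap the reporter describes, while the 365-day window renews it. The `report` function is the piece to wire into an Ansible-driven check, since the thread notes that relying on UI popups alone misses the warnings.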