Description of problem:
When a host certificate expires, that host goes non-responsive and becomes unmanageable. When Engine certificates expire, the admin and other web portals stop responding. All from the simple passage of time.
When this happens, the consequences range from unpleasant to catastrophic, especially for organizations that run critical VMs. Now that certificates only last 13 months, RHV needs to prominently document the consequences when they expire and how to renew them and avoid those unpleasant consequences.
Version-Release number of selected component (if applicable):
4.4
How reproducible:
At will
Steps to Reproduce:
1. Build a RHV environment.
2. Operate it for 398 days without renewing host and Engine certificates.
3.
Actual results:
Everything dies when the certificates expire.
Expected results:
The official documentation should warn customers about what will happen when the certificates expire and how to avoid it.
Additional info:
See https://access.redhat.com/solutions/6865861 for how to renew host and Engine certificates.
Certificate renewal should be a periodic administrative task, and so the logical place to document this is a new section 3.4 in the RHV 4.4 Administrator's Guide. Section 3.3 is Setting up errata viewing with Red Hat Satellite. The existing section 3.4 is Automating tasks using Ansible. Move the old section 3.4 to 3.5, 3.5 to 3.6, 3.6 to 3.7, and so forth, and insert a new section 3.4 titled, "You Must Renew Host and Engine Certificates Annually." Bold and italics on "Must." Use text from the above KCS solution to document how to renew the certificates and what will happen if not renewed.
Update the Release Notes to reference this new Admin Guide section. It might also make sense to reference it from the Upgrade Guide, since RHV certificate renewals were part of upgrades in older versions when certificates lasted five years.