Bug 1286607 - RHEV-M upgrade to 3.5.4 fails with error "Command '/usr/bin/openssl' failed to execute" for custom apache.p12
Status: CLOSED ERRATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
3.5.4
Unspecified Unspecified
medium Severity medium
: ovirt-3.5.7
: 3.5.7
Assigned To: Yedidyah Bar David
Gonza
integration
: ZStream
Depends On: 1260752
Reported: 2015-11-30 05:18 EST by rhev-integ
Modified: 2016-01-14 08:51 EST

Doc Type: Bug Fix
Clone Of: 1260752
Last Closed: 2016-01-12 15:40:42 EST
oVirt Team: Integration


External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 1605173 | None | None | None | Never
oVirt gerrit | 49172 | master | MERGED | packaging: setup: pki: Do not fail if pkcs12 unreadable | Never
oVirt gerrit | 49408 | ovirt-engine-3.6 | MERGED | packaging: setup: pki: Do not fail if pkcs12 unreadable | Never
oVirt gerrit | 49409 | ovirt-engine-3.5 | MERGED | packaging: setup: pki: Do not fail if pkcs12 unreadable | Never

Comment 1 Yedidyah Bar David 2015-11-30 05:37:34 EST
Note to QE (copied from cloned bug 1260752 comment 7):

Current patch makes engine-setup output the following in such a case:

 [WARNING] Failed to read or parse '/etc/pki/ovirt-engine/keys/apache.p12'
           Perhaps it was changed since last Setup.
           Error was:
           Mac verify error: invalid password?

It will do that twice per file - once during customization, right before asking whether to renew the CA, and again while actually renewing.

I personally verified that by just changing the passphrase of apache.p12 and websocket-proxy.p12.

Please try also other combinations, e.g. also engine.p12 or jboss.p12 (might break stuff, doc (link above) mentions only apache.p12), and also by using a key/cert signed by a 3rd party CA, both using passphrase 'mypass' and something different.
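
A pre-upgrade check in the spirit of the behaviour described in Comment 1, as an added example that is not part of the original comment and not code from engine-setup or the oVirt patch: it tests whether each PKCS#12 keystore opens with the expected passphrase and warns per file instead of aborting on the first failure. The function names, the sample file names and the choice of `openssl pkcs12 -noout` for the check are assumptions of this example; the sample keystore it can generate is constructed test data.

```shell
#!/bin/sh
# Added example: audit PKCS#12 keystores before an upgrade.

# p12_readable FILE PASSPHRASE
# Exit 0 if the MAC verifies and the file parses; otherwise exit non-zero
# and print openssl's error text. The passphrase travels in the environment
# of the openssl process so it does not appear in its argument list.
p12_readable() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS -noout 2>&1
}

# audit_p12 PASSPHRASE FILE...
# Prints one status line per file, a warning block for each unreadable one,
# and returns the number of unreadable files (0 means all opened).
audit_p12() {
    pass=$1; shift
    bad=0
    for f in "$@"; do
        if err=$(p12_readable "$f" "$pass"); then
            echo "[ OK ] $f"
        else
            bad=$((bad + 1))
            echo "[WARNING] Failed to read or parse '$f'"
            echo "          Error was:"
            echo "$err" | sed 's/^/          /'
        fi
    done
    return "$bad"
}

# make_sample_p12 OUT PASSPHRASE
# Builds a throwaway self-signed key/cert (constructed sample data) and
# exports it to OUT so the audit can be tried without touching real keys.
make_sample_p12() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=sample.invalid" \
        -days 1 -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
        -out "$1" -passout "pass:$2"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Run it as `audit_p12 <expected passphrase> /etc/pki/ovirt-engine/keys/*.p12`; a non-zero return gives the number of keystores that engine-setup would be unable to read.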
Comment 2 Gonza 2015-12-21 10:26:46 EST
Verified with:
ovirt-engine-3.4.4-1.el6.noarch -> ovirt-engine-3.5.7.1-0.0.master.20151220162429.git1e35eec.el6.noarch
Comment 5 errata-xmlrpc 2016-01-12 15:40:42 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0029.html
