Description of problem:
Originally reported by Lucie Leistnerova.

'engine-backup --mode=restore' also restores all of /etc/pki/ovirt-engine. Most of it is data generated by engine-setup and the engine, but the following files are not - they are packaged in ovirt-engine-backend:

/etc/pki/ovirt-engine/cacert.template.in
/etc/pki/ovirt-engine/cert.template.in
/etc/pki/ovirt-engine/openssl.conf

So they should not be restored.

There is another complication about them - they are marked in the spec file as '%config(noreplace)', meaning they are considered configuration files, and are not replaced by yum update if a user changed them.

This bug affects the following flows, as far as we managed to find. There might be others:

Flow 1:
- engine-setup on 4.1.1
- engine-backup --mode=backup --file=b411
on some other machine:
- install 4.1.2
- engine-backup --mode=restore --file=b411
- engine-setup
Apply the workaround described in bug 1449084 comment 5 for that bug.

Result is:

# /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name="${name}" --password=mypass --subject="${subject}" --keep-key --san=DNS:"${ENGINE_FQDN}"
MAC verified OK
Using configuration from openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
organizationName :ASN.1 12:'eng.lab.tlv.redhat.com'
commonName :ASN.1 12:'didi-rhv41-engine.eng.lab.tlv.redhat.com'
ERROR: adding extensions in section v3_ca_san
Cannot sign certificate
Cannot sign request

Because of the overwritten cert.template.in.

Flow 2:
- engine-setup on 4.1.1
- engine-backup --mode=backup --file=b411
on some other machine:
- install 4.1.2
- engine-backup --mode=restore --file=b411
- engine-setup
- engine-cleanup
- engine-setup

Results in a similar error in the setup log.

It might affect other flows we didn't try yet involving pki; in particular, it will very likely fail an upgrade that also renews pki (bug 1214860).
Version-Release number of selected component (if applicable):
Current 4.1.2

How reproducible:
Always

Steps to Reproduce:
1. See above

Actual results:
Files overwritten by restore

Expected results:
Files kept untouched

Additional info:
A workaround:

rm /etc/pki/ovirt-engine/cert.template.in
(perhaps other files, but the above is enough for the above flows)
yum reinstall ovirt-engine-backend
engine-setup
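An added illustration, not taken from the bug report or from the engine-backup code itself, of the restore behaviour the report asks for: a backup of /etc/pki/ovirt-engine is extracted while the three package-owned files listed above are skipped, and the result is compared against pristine package copies the way `rpm -V ovirt-engine-backend` would compare them against the RPM database. The function names (`restore_pki_excluding`, `check_packaged_untouched`, `demo`), the `PKI_PACKAGED_FILES` variable and all file contents are constructed for the demo; the "plain" mode reproduces the overwrite the report describes, the "excluding" mode shows the corrected behaviour.

```shell
#!/bin/sh
# Constructed example, not part of ovirt-engine. Restores a PKI backup
# without clobbering the files that belong to ovirt-engine-backend.

# The three files the report lists as package-owned (and %config(noreplace),
# so a stale copy left behind by restore would survive later yum updates).
PKI_PACKAGED_FILES="cacert.template.in cert.template.in openssl.conf"

# restore_pki_excluding ARCHIVE DESTDIR
# Extract ARCHIVE into DESTDIR but leave the package-owned files alone.
restore_pki_excluding() {
    archive="$1"
    dest="$2"
    set --
    for f in $PKI_PACKAGED_FILES; do
        set -- "$@" --exclude="etc/pki/ovirt-engine/$f"
    done
    tar "$@" -x -f "$archive" -C "$dest"
}

# check_packaged_untouched DIR REFDIR
# Compare each package-owned file in DIR with the pristine copy in REFDIR.
# Prints the names that differ and returns 1 if any do.
check_packaged_untouched() {
    dir="$1"
    ref="$2"
    rc=0
    for f in $PKI_PACKAGED_FILES; do
        if ! cmp -s "$dir/$f" "$ref/$f"; then
            echo "modified: $f"
            rc=1
        fi
    done
    return $rc
}

# demo [plain|excluding]
# Build a constructed 4.1.1 backup whose templates differ from the 4.1.2
# package, restore it onto a freshly installed tree, and report:
#   ok            packaged files untouched, generated data restored
#   clobbered     packaged files overwritten by the backup (the bug)
#   missing-data  generated data did not come back
demo() {
    mode="${1:-excluding}"
    work=$(mktemp -d) || return 1
    src="$work/src/etc/pki/ovirt-engine"   # the 4.1.1 source host
    pkg="$work/pkg"                        # pristine package copies
    dest="$work/dest"                      # the fresh 4.1.2 host
    mkdir -p "$src" "$pkg" "$dest/etc/pki/ovirt-engine"
    for f in $PKI_PACKAGED_FILES; do
        echo "packaged $f, 4.1.2" > "$pkg/$f"
        cp "$pkg/$f" "$dest/etc/pki/ovirt-engine/$f"
        echo "edited $f, from 4.1.1" > "$src/$f"   # stale copy in the backup
    done
    echo "generated CA cert" > "$src/ca.pem"       # data engine-setup made
    tar -c -f "$work/b411.tar" -C "$work/src" etc

    if [ "$mode" = plain ]; then
        tar -x -f "$work/b411.tar" -C "$dest"      # what the report observed
    else
        restore_pki_excluding "$work/b411.tar" "$dest"
    fi

    if ! [ -f "$dest/etc/pki/ovirt-engine/ca.pem" ]; then
        result=missing-data
    elif check_packaged_untouched "$dest/etc/pki/ovirt-engine" "$pkg" >/dev/null; then
        result=ok
    else
        result=clobbered
    fi
    rm -rf "$work"
    echo "$result"
}

echo "plain restore:     $(demo plain)"
echo "excluding restore: $(demo excluding)"
```

On a real host the same check is `rpm -V ovirt-engine-backend`, which lists the three templates with a `5` (digest) flag when a restore has replaced them; because of `%config(noreplace)`, only `yum reinstall` or a manual `rm` puts the packaged copy back, which is why the workaround in the report does both.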
This bug probably exists since 3.3 or so, but was not discovered so far because we rarely change these files. However, we recently changed them - for bug 1449084 (4.1.2) and for sha256 [1] (4.1.0).

[1] https://www.ovirt.org/documentation/how-to/migrate-pki-to-sha256/
The linked patch is enough if the bug is included in 4.1.2. If we fix in 4.1.3, we might want to consider what to do with an already-existing bad file from previous restore to 4.1.2 - since, as explained above, it's not overwritten by updates (because of '%config(noreplace)').
Updated doc text adding a workaround for 4.1.2.
engine-backup doesn't overwrite the files cacert.template.in, cert.template.in and openssl.conf. The issue with backup - setup - cleanup - setup was not reproduced.

Verified in ovirt-engine-4.1.3.2-0.1.el7.noarch