1471196 – Adding a new host in engine running on fedora 26 fails

Bug 1471196 - Adding a new host in engine running on fedora 26 fails

Summary: Adding a new host in engine running on fedora 26 fails

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	ovirt-host-deploy
Classification:	oVirt
Component:	Plugins.VDSM
Sub Component:
Version:	master
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	ovirt-4.2.0
Target Release:	1.7.0
Assignee:	Yedidyah Bar David
QA Contact:	samuel macko
Docs Contact:
URL:
Whiteboard:
Depends On:	1464199
Blocks:	oVirt_on_Fedora
TreeView+	depends on / blocked

Reported:	2017-07-14 16:14 UTC by Benny Zlotnik
Modified:	2018-01-29 12:31 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-01-29 12:31:10 UTC
oVirt Team:	Integration
Embargoed:
Dependent Products:
Flags:	rule-engine: ovirt-4.2+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
oVirt gerrit	79474	0	master	POST	plugins: use openssl instead of m2crypto	2017-08-24 11:38:08 UTC
oVirt gerrit	82138	0	ovirt-host-deploy-1.6	ABANDONED	plugins: use openssl instead of m2crypto	2017-09-24 13:19:21 UTC

Description Benny Zlotnik 2017-07-14 16:14:56 UTC

Description of problem:
After upgrading to fedora 26, adding a new host failed in my dev oVirt.
This is the relevant error:
Error reading certificate request in requests/10.35.0.152-ssh.req
140451841218304:error:0D0E20DE:asn1 encoding routines:c2i_ibuf:illegal zero content:crypto/asn1/a_int.c:154:
140451841218304:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:609:Field=version, Type=X509_REQ_INFO
140451841218304:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:609:Field=req_info, Type=X509_REQ
140451841218304:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:crypto/pem/pem_oth.c:33:
Cannot sign certificate

This error is caused after share/ovirt-engine/bin/pki-enroll-request.sh runs.
This error can be reproduced by running "openssl req -text -noout -in /etc/pki/ovirt-engine/requests/<host>.req -verify"

After investigating this issue, it appears that it is caused by the fact fedora 26 is shipped with openssl-1.1.0, running the same openssl command on a machine with an older version of openssl completed successfully. The problematic .req file content seems to be generated by the m2crypto package which as it seems (I might be wrong) doesn't currently work with openssl-1.1.0[1]

I have managed to work around this issue by editing /usr/share/ovirt-host-deploy/plugins/ovirt-host-common/vdsm/pki.py and /usr/share/ovirt-host-deploy/plugins/ovirt-host-common/vmconsole/pki.py to not use m2crypto and use openssl directly to generate the files

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Upgrade to openssl-1.1.0
2. Attempt to add a new host

Actual results:
Fails at the PKI enrollment stage
irector] (VdsDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] EVENT_ID: VDS_INSTALL_IN_PROGRESS(509), Installing Host hostan. Stage: Misc configuration.
irector] (VdsDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] EVENT_ID: VDS_INSTALL_IN_PROGRESS(509), Installing Host hostan. Enrolling certificate.
irector] (VdsDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] EVENT_ID: VDS_INSTALL_IN_PROGRESS(509), Installing Host hostan. Enrolling serial console certificate.
sDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] Sign Certificate request failed with exit code 1
sDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] Sign Certificate request script errors:


/a_int.c:154:
:crypto/asn1/tasn_dec.c:609:Field=version, Type=X509_REQ_INFO
:crypto/asn1/tasn_dec.c:609:Field=req_info, Type=X509_REQ

Expected results:
Should succeed


Additional info:
[1] - https://gitlab.com/m2crypto/m2crypto/merge_requests/98

Comment 1 Benny Zlotnik 2017-07-14 16:16:21 UTC

Note: I am probably wrong about the product/component/team, please move this to the relevant people

Comment 2 Sandro Bonazzola 2017-07-17 10:02:02 UTC

We're planning to remove m2crypto dependency in 4.2 so it should solve this issue as side effect.
If you already dropped m2crypto in your local system I'd like to ask you contributing a patch to ovirt-host-deploy speeding up the process fixing this issue.

Comment 3 Benny Zlotnik 2017-07-17 11:10:25 UTC

I've submitted a patch

Note You need to log in before you can comment on or make changes to this bug.