Bug 1471196 - Adding a new host in engine running on fedora 26 fails
Summary: Adding a new host in engine running on fedora 26 fails
Alias: None
Product: ovirt-host-deploy
Classification: oVirt
Component: Plugins.VDSM
Version: master
Hardware: Unspecified
OS: Unspecified
Target Milestone: ovirt-4.2.0
: 1.7.0
Assignee: Yedidyah Bar David
QA Contact: samuel macko
Depends On: 1464199
Blocks: oVirt_on_Fedora
Reported: 2017-07-14 16:14 UTC by Benny Zlotnik
Modified: 2018-01-29 12:31 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-01-29 12:31:10 UTC
oVirt Team: Integration
rule-engine: ovirt-4.2+


System | ID | Priority | Status | Summary | Last Updated
oVirt gerrit | 79474 | master | POST | plugins: use openssl instead of m2crypto | 2017-08-24 11:38:08 UTC
oVirt gerrit | 82138 | ovirt-host-deploy-1.6 | ABANDONED | plugins: use openssl instead of m2crypto | 2017-09-24 13:19:21 UTC

Description Benny Zlotnik 2017-07-14 16:14:56 UTC
Description of problem:
After upgrading to fedora 26, adding a new host failed in my dev oVirt.
This is the relevant error:
Error reading certificate request in requests/
140451841218304:error:0D0E20DE:asn1 encoding routines:c2i_ibuf:illegal zero content:crypto/asn1/a_int.c:154:
140451841218304:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:609:Field=version, Type=X509_REQ_INFO
140451841218304:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:609:Field=req_info, Type=X509_REQ
140451841218304:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:crypto/pem/pem_oth.c:33:
Cannot sign certificate

This error is caused after share/ovirt-engine/bin/pki-enroll-request.sh runs.
This error can be reproduced by running "openssl req -text -noout -in /etc/pki/ovirt-engine/requests/<host>.req -verify"

After investigating this issue, it appears that it is caused by the fact that fedora 26 is shipped with openssl-1.1.0; running the same openssl command on a machine with an older version of openssl completed successfully. The problematic .req file content seems to be generated by the m2crypto package, which, as it seems (I might be wrong), doesn't currently work with openssl-1.1.0 [1].

I have managed to work around this issue by editing /usr/share/ovirt-host-deploy/plugins/ovirt-host-common/vdsm/pki.py and /usr/share/ovirt-host-deploy/plugins/ovirt-host-common/vmconsole/pki.py to not use m2crypto and use openssl directly to generate the files

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Upgrade to openssl-1.1.0
2. Attempt to add a new host

Actual results:
Fails at the PKI enrollment stage
irector] (VdsDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] EVENT_ID: VDS_INSTALL_IN_PROGRESS(509), Installing Host hostan. Stage: Misc configuration.
irector] (VdsDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] EVENT_ID: VDS_INSTALL_IN_PROGRESS(509), Installing Host hostan. Enrolling certificate.
irector] (VdsDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] EVENT_ID: VDS_INSTALL_IN_PROGRESS(509), Installing Host hostan. Enrolling serial console certificate.
sDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] Sign Certificate request failed with exit code 1
sDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] Sign Certificate request script errors:

:crypto/asn1/tasn_dec.c:609:Field=version, Type=X509_REQ_INFO
:crypto/asn1/tasn_dec.c:609:Field=req_info, Type=X509_REQ

Expected results:
Should succeed

Additional info:
[1] - https://gitlab.com/m2crypto/m2crypto/merge_requests/98
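
Added example (not part of the bug report and not ovirt-host-deploy code): a standard-library Python check that inspects the version field of a PKCS#10 request for the condition the OpenSSL error above reports, zero-length INTEGER content in Field=version, before the request is handed to a signing step. The function names are hypothetical, and GOOD and BAD are constructed fragments holding only the leading bytes the check reads.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)

def pem_to_der(text):
    """Extract the DER bytes from a PEM-encoded certificate request."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block found")
    return base64.b64decode("".join(m.group(1).split()))

def read_tlv(buf, pos, limit):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    if pos + 2 > limit:
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form: next n bytes hold it
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > limit:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > limit:
        raise ValueError("DER element overruns its container")
    return tag, pos, pos + length

def check_csr_version(der):
    """Classify the version INTEGER of a PKCS#10 request (RFC 2986)."""
    tag, start, end = read_tlv(der, 0, len(der))      # CertificationRequest
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, start, end = read_tlv(der, start, end)       # CertificationRequestInfo
    if tag != 0x30:
        raise ValueError("request info is not a SEQUENCE")
    tag, start, end = read_tlv(der, start, end)       # version
    if tag != 0x02:
        return "missing"          # first field is not an INTEGER
    if start == end:
        return "empty"            # zero-length content, as in the error above
    return "ok" if der[start:end] == b"\x00" else "unexpected"

# Constructed fragments (only the leading bytes the check reads, not full CSRs).
GOOD = bytes.fromhex("30053003020100")   # version encoded as 02 01 00 (v1)
BAD = bytes.fromhex("300430020200")      # version encoded as 02 00 (no content)
```

For a real file, pass check_csr_version(pem_to_der(open(path).read())); a result of "empty" matches the request that "openssl req -verify" rejects in this report.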

Comment 1 Benny Zlotnik 2017-07-14 16:16:21 UTC
Note: I am probably wrong about the product/component/team, please move this to the relevant people

Comment 2 Sandro Bonazzola 2017-07-17 10:02:02 UTC
We're planning to remove the m2crypto dependency in 4.2, so it should solve this issue as a side effect.
If you already dropped m2crypto in your local system, I'd like to ask you to contribute a patch to ovirt-host-deploy, speeding up the process of fixing this issue.

Comment 3 Benny Zlotnik 2017-07-17 11:10:25 UTC
I've submitted a patch
