Description of problem:
After upgrading to Fedora 26, adding a new host failed in my dev oVirt. This is the relevant error:

Error reading certificate request in requests/10.35.0.152-ssh.req
140451841218304:error:0D0E20DE:asn1 encoding routines:c2i_ibuf:illegal zero content:crypto/asn1/a_int.c:154:
140451841218304:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:609:Field=version, Type=X509_REQ_INFO
140451841218304:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:609:Field=req_info, Type=X509_REQ
140451841218304:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:crypto/pem/pem_oth.c:33:
Cannot sign certificate

This error is caused after share/ovirt-engine/bin/pki-enroll-request.sh runs.
This error can be reproduced by running "openssl req -text -noout -in /etc/pki/ovirt-engine/requests/<host>.req -verify"

After investigating this issue, it appears that it is caused by the fact that Fedora 26 is shipped with openssl-1.1.0; running the same openssl command on a machine with an older version of openssl completed successfully.

The problematic .req file content seems to be generated by the m2crypto package, which, as it seems (I might be wrong), doesn't currently work with openssl-1.1.0 [1].

I have managed to work around this issue by editing /usr/share/ovirt-host-deploy/plugins/ovirt-host-common/vdsm/pki.py and /usr/share/ovirt-host-deploy/plugins/ovirt-host-common/vmconsole/pki.py to not use m2crypto and to use openssl directly to generate the files.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Upgrade to openssl-1.1.0
2. Attempt to add a new host

Actual results:
Fails at the PKI enrollment stage

irector] (VdsDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] EVENT_ID: VDS_INSTALL_IN_PROGRESS(509), Installing Host hostan. Stage: Misc configuration.
irector] (VdsDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] EVENT_ID: VDS_INSTALL_IN_PROGRESS(509), Installing Host hostan. Enrolling certificate.
irector] (VdsDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] EVENT_ID: VDS_INSTALL_IN_PROGRESS(509), Installing Host hostan. Enrolling serial console certificate.
sDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] Sign Certificate request failed with exit code 1
sDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] Sign Certificate request script errors:
/a_int.c:154:
:crypto/asn1/tasn_dec.c:609:Field=version, Type=X509_REQ_INFO
:crypto/asn1/tasn_dec.c:609:Field=req_info, Type=X509_REQ

Expected results:
Should succeed

Additional info:
[1] - https://gitlab.com/m2crypto/m2crypto/merge_requests/98
Note: I am probably wrong about the product/component/team, please move this to the relevant people
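
Added example (not part of the original report and not oVirt or m2crypto code): a small check for the condition the error text points at, a certificate request whose version INTEGER has zero-length content, so affected .req files can be found without relying on a particular OpenSSL release. That reading of "illegal zero content ... Field=version" is an assumption, the function names are hypothetical, and the two sample byte strings are constructed skeletons, not real requests.

```python
import base64
import re

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, pos, pos + length

def pem_to_der(data):
    """Strip PEM armour if present; otherwise treat the input as raw DER."""
    m = re.search(rb"-----BEGIN [A-Z ]*CERTIFICATE REQUEST-----(.*?)-----END",
                  data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def check_csr_version(data):
    """Return 'ok', 'empty-version' or 'malformed' for a PKCS#10 request."""
    der = pem_to_der(data)
    try:
        tag, start, _ = read_tlv(der, 0)        # CertificationRequest SEQUENCE
        if tag != 0x30:
            return "malformed"
        tag, start, _ = read_tlv(der, start)    # CertificationRequestInfo SEQUENCE
        if tag != 0x30:
            return "malformed"
        tag, start, end = read_tlv(der, start)  # version INTEGER
    except ValueError:
        return "malformed"
    if tag != 0x02:
        return "malformed"
    # A DER INTEGER needs at least one content octet; version 0 is 02 01 00.
    return "empty-version" if end == start else "ok"

def seq(content):
    """Wrap content in a short-form SEQUENCE (constructed samples only)."""
    return b"\x30" + bytes([len(content)]) + content

# Constructed skeletons: only the outer layers and the version field are present.
GOOD_SKELETON = seq(seq(b"\x02\x01\x00" + b"\x30\x00"))  # version = 0
BAD_SKELETON = seq(seq(b"\x02\x00" + b"\x30\x00"))       # zero-length version

if __name__ == "__main__":
    for name, blob in (("good", GOOD_SKELETON), ("bad", BAD_SKELETON)):
        print(name, check_csr_version(blob))
```
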
We're planning to remove the m2crypto dependency in 4.2, so it should solve this issue as a side effect. If you have already dropped m2crypto on your local system, I'd like to ask you to contribute a patch to ovirt-host-deploy to speed up the process of fixing this issue.
I've submitted a patch