Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1471196

Summary: Adding a new host in engine running on fedora 26 fails
Product: [oVirt] ovirt-host-deploy
Reporter: Benny Zlotnik <bzlotnik>
Component: Plugins.VDSM
Assignee: Yedidyah Bar David <didi>
Status: CLOSED UPSTREAM
QA Contact: samuel macko <smacko>
Severity: medium
Docs Contact:
Priority: unspecified
Version: master
CC: bugs, bzlotnik, danken, jniederm, lsvaty, pasik
Target Milestone: ovirt-4.2.0
Flags: rule-engine: ovirt-4.2+
Target Release: 1.7.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-01-29 12:31:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1464199
Bug Blocks: 1460625

Description Benny Zlotnik 2017-07-14 16:14:56 UTC
Description of problem:
After upgrading to Fedora 26, adding a new host failed in my dev oVirt.
This is the relevant error:
Error reading certificate request in requests/10.35.0.152-ssh.req
140451841218304:error:0D0E20DE:asn1 encoding routines:c2i_ibuf:illegal zero content:crypto/asn1/a_int.c:154:
140451841218304:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:609:Field=version, Type=X509_REQ_INFO
140451841218304:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:609:Field=req_info, Type=X509_REQ
140451841218304:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:crypto/pem/pem_oth.c:33:
Cannot sign certificate

This error is caused after share/ovirt-engine/bin/pki-enroll-request.sh runs.
This error can be reproduced by running "openssl req -text -noout -in /etc/pki/ovirt-engine/requests/<host>.req -verify"

After investigating this issue, it appears that it is caused by the fact that Fedora 26 is shipped with openssl-1.1.0; running the same openssl command on a machine with an older version of openssl completed successfully. The problematic .req file content seems to be generated by the m2crypto package, which, as it seems (I might be wrong), doesn't currently work with openssl-1.1.0 [1].

I have managed to work around this issue by editing /usr/share/ovirt-host-deploy/plugins/ovirt-host-common/vdsm/pki.py and /usr/share/ovirt-host-deploy/plugins/ovirt-host-common/vmconsole/pki.py to not use m2crypto and to use openssl directly to generate the files.

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Upgrade to openssl-1.1.0
2. Attempt to add a new host

Actual results:
Fails at the PKI enrollment stage
irector] (VdsDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] EVENT_ID: VDS_INSTALL_IN_PROGRESS(509), Installing Host hostan. Stage: Misc configuration.
irector] (VdsDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] EVENT_ID: VDS_INSTALL_IN_PROGRESS(509), Installing Host hostan. Enrolling certificate.
irector] (VdsDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] EVENT_ID: VDS_INSTALL_IN_PROGRESS(509), Installing Host hostan. Enrolling serial console certificate.
sDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] Sign Certificate request failed with exit code 1
sDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] Sign Certificate request script errors:


/a_int.c:154:
:crypto/asn1/tasn_dec.c:609:Field=version, Type=X509_REQ_INFO
:crypto/asn1/tasn_dec.c:609:Field=req_info, Type=X509_REQ

Expected results:
Should succeed


Additional info:
[1] - https://gitlab.com/m2crypto/m2crypto/merge_requests/98
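
An added diagnostic, not part of the original report or of ovirt-host-deploy: the OpenSSL trace above stops at Field=version of X509_REQ_INFO with "illegal zero content", which c2i_ibuf reports for an INTEGER that has no content octets. The sketch below walks the DER of a PEM request and reports whether version is encoded that way (02 00). The function names and the two sample requests are constructed for illustration.

```python
import base64
import re

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of input")
    return tag, pos, pos + length

def pem_to_der(pem_text):
    """Strip the PEM armor of a certificate request and decode the body."""
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)-----END",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate request found")
    return base64.b64decode("".join(m.group(1).split()))

def csr_version_content(der):
    """Return the content octets of CertificationRequestInfo.version."""
    pos = 0
    for name, want in (("X509_REQ", 0x30), ("req_info", 0x30), ("version", 0x02)):
        tag, pos, end = read_tlv(der, pos)
        if tag != want:
            raise ValueError(f"{name}: unexpected tag 0x{tag:02x}")
    return der[pos:end]

def has_empty_version(pem_text):
    """True when version is encoded as 02 00 (an INTEGER with no content)."""
    return len(csr_version_content(pem_to_der(pem_text))) == 0

def _skeleton_pem(version_tlv):
    # Constructed sample, not a full CSR: empty subject; key and signature omitted.
    info = version_tlv + b"\x30\x00"
    der = bytes([0x30, len(info) + 2, 0x30, len(info)]) + info
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"

BAD_PEM = _skeleton_pem(b"\x02\x00")       # version with zero content octets
GOOD_PEM = _skeleton_pem(b"\x02\x01\x00")  # version 0, correctly encoded
```

To check a real request, pass the text of /etc/pki/ovirt-engine/requests/<host>.req to has_empty_version().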

Comment 1 Benny Zlotnik 2017-07-14 16:16:21 UTC
Note: I am probably wrong about the product/component/team, please move this to the relevant people

Comment 2 Sandro Bonazzola 2017-07-17 10:02:02 UTC
We're planning to remove the m2crypto dependency in 4.2, so it should solve this issue as a side effect.
If you already dropped m2crypto in your local system, I'd like to ask you to contribute a patch to ovirt-host-deploy, speeding up the process of fixing this issue.

Comment 3 Benny Zlotnik 2017-07-17 11:10:25 UTC
I've submitted a patch