Bug 1471196 - Adding a new host in engine running on fedora 26 fails
Status: ON_QA
Product: ovirt-host-deploy
Classification: oVirt
Component: Plugins.VDSM
Version: master
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ovirt-4.2.0
Target Release: 1.7.0
Assigned To: Yedidyah Bar David
QA Contact: samuel macko
Depends On: 1464199
Blocks: oVirt_on_Fedora
Reported: 2017-07-14 12:14 EDT by Benny Zlotnik
Modified: 2017-10-03 04:01 EDT

Type: Bug
oVirt Team: Integration
rule-engine: ovirt‑4.2+

External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
oVirt gerrit | 79474 | master | POST | plugins: use openssl instead of m2crypto | 2017-08-24 07:38 EDT
oVirt gerrit | 82138 | ovirt-host-deploy-1.6 | ABANDONED | plugins: use openssl instead of m2crypto | 2017-09-24 09:19 EDT

Description Benny Zlotnik 2017-07-14 12:14:56 EDT
Description of problem:
After upgrading to Fedora 26, adding a new host failed in my dev oVirt.
This is the relevant error:
Error reading certificate request in requests/10.35.0.152-ssh.req
140451841218304:error:0D0E20DE:asn1 encoding routines:c2i_ibuf:illegal zero content:crypto/asn1/a_int.c:154:
140451841218304:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:609:Field=version, Type=X509_REQ_INFO
140451841218304:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:609:Field=req_info, Type=X509_REQ
140451841218304:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:crypto/pem/pem_oth.c:33:
Cannot sign certificate

This error is caused after share/ovirt-engine/bin/pki-enroll-request.sh runs.
This error can be reproduced by running "openssl req -text -noout -in /etc/pki/ovirt-engine/requests/<host>.req -verify"

After investigating this issue, it appears that it is caused by the fact that Fedora 26 is shipped with openssl-1.1.0; running the same openssl command on a machine with an older version of openssl completed successfully. The problematic .req file content seems to be generated by the m2crypto package, which, as it seems (I might be wrong), doesn't currently work with openssl-1.1.0 [1].

I have managed to work around this issue by editing /usr/share/ovirt-host-deploy/plugins/ovirt-host-common/vdsm/pki.py and /usr/share/ovirt-host-deploy/plugins/ovirt-host-common/vmconsole/pki.py to not use m2crypto and use openssl directly to generate the files.

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Upgrade to openssl-1.1.0
2. Attempt to add a new host

Actual results:
Fails at the PKI enrollment stage
irector] (VdsDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] EVENT_ID: VDS_INSTALL_IN_PROGRESS(509), Installing Host hostan. Stage: Misc configuration.
irector] (VdsDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] EVENT_ID: VDS_INSTALL_IN_PROGRESS(509), Installing Host hostan. Enrolling certificate.
irector] (VdsDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] EVENT_ID: VDS_INSTALL_IN_PROGRESS(509), Installing Host hostan. Enrolling serial console certificate.
sDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] Sign Certificate request failed with exit code 1
sDeploy) [f0c1bffe-1505-4f7b-ad78-5933fedb27b2] Sign Certificate request script errors:


/a_int.c:154:
:crypto/asn1/tasn_dec.c:609:Field=version, Type=X509_REQ_INFO
:crypto/asn1/tasn_dec.c:609:Field=req_info, Type=X509_REQ

Expected results:
Should succeed


Additional info:
[1] - https://gitlab.com/m2crypto/m2crypto/merge_requests/98
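
Added example (not part of the bug report and not ovirt-host-deploy code): the "illegal zero content" error at Field=version is what OpenSSL 1.1.0 reports for an INTEGER with no content octets, so a pending .req file can be checked for that encoding before it is handed to the signing script. The function names are hypothetical and the two DER samples are constructed skeletons, not real requests.

```python
import base64
import sys

def pem_to_der(pem_text):
    """Strip the PEM armor lines and return the DER bytes of the request."""
    body = [ln for ln in pem_text.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def read_tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER content")
    return tag, pos, pos + length

def csr_version_problem(der):
    """Return None if the version INTEGER is well-formed, else a description."""
    tag, pos, _ = read_tlv(der, 0)         # X509_REQ: outer SEQUENCE
    if tag != 0x30:
        return "X509_REQ is not a SEQUENCE"
    tag, pos, _ = read_tlv(der, pos)       # req_info: inner SEQUENCE
    if tag != 0x30:
        return "req_info is not a SEQUENCE"
    tag, start, end = read_tlv(der, pos)   # version: first field of req_info
    if tag != 0x02:
        return "version is not an INTEGER"
    if start == end:
        return "version INTEGER has zero-length content"
    return None

# Constructed skeletons: only the leading fields that the check reads.
GOOD_DER = bytes.fromhex("3007 3005 020100 3000")  # version encoded as INTEGER 0
BAD_DER = bytes.fromhex("3006 3004 0200 3000")     # version INTEGER with no content

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the .req files awaiting signature
        with open(path) as fh:
            print(path, csr_version_problem(pem_to_der(fh.read())) or "ok")
```
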
Comment 1 Benny Zlotnik 2017-07-14 12:16:21 EDT
Note: I am probably wrong about the product/component/team, please move this to the relevant people
Comment 2 Sandro Bonazzola 2017-07-17 06:02:02 EDT
We're planning to remove the m2crypto dependency in 4.2, so it should solve this issue as a side effect.
If you already dropped m2crypto in your local system, I'd like to ask you to contribute a patch to ovirt-host-deploy, speeding up the process of fixing this issue.
Comment 3 Benny Zlotnik 2017-07-17 07:10:25 EDT
I've submitted a patch
