Description of problem:
The hosted-engine deploy (restore-from-file) fails when the engine-backup file does not have renewed certificates, as engine-setup fails in "PKI CONFIGURATION":
" --== PKI CONFIGURATION ==--",
" One or more of the certificates should be renewed, because they expire soon, or include an invalid expiry date, or do not include the subjectAltName extension, which can cause them to be rejected by recent browsers and up to date hosts.",
" See https://access.redhat.com/solutions/1572983 for more details.",
" Renew certificates? (Yes, No) [No]: ",
" Are you really sure that you want to skip the PKI renewal process?",
" Please notice that recent openssl and gnutls upgrades can lead hosts refusing this CA cert making them unusable.",
" If you choose \"Yes\", setup will continue and you will be asked again the next time you run this Setup. Otherwise, this process will abort and you will be expected to plan a proper upgrade according to https://access.redhat.com/solutions/1572983.",
" Skip PKI renewal process? (Yes, No) [No]: ",
"[ ERROR ] Failed to execute stage 'Environment customization': Aborted by user",
"[ INFO ] Stage: Clean up",
" Log file is located at /var/log/ovirt-engine/setup/ovirt-engine-setup-20190228225058-gmnhe4.log",
"[ INFO ] Generating answer file '/var/lib/ovirt-engine/setup/answers/20190228225101-setup.conf'",
"[ INFO ] Stage: Pre-termination",
"[ INFO ] Stage: Termination",
"[ ERROR ] Execution of setup failed"
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Have a backup_file without renewed certificates.
2. hosted-engine --deploy --restore-from-file=backup/file_name
3. Deployment fails.
Deployment should be successful.
Workaround is to renew certificates before collecting backup file with engine-backup.
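Added example, not part of the bug report or of oVirt's own tooling: a pre-backup check for the conditions the PKI CONFIGURATION prompt lists (expiring soon, expired, missing subjectAltName), so that certificates are renewed before engine-backup is collected. The function names, the 365-day window and the self-signed sample certificates are assumptions made for illustration; on a real engine, pass the certificate files to check as arguments.

```shell
#!/bin/sh
# Added example (not from the bug report). Requires the openssl CLI.
# RENEW_WINDOW_DAYS is an assumed threshold, not the one engine-setup uses.
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-365}"

# cert_renewal_reasons FILE [san|nosan] [DAYS]
# Prints why a PEM certificate needs renewal; exit 0 means nothing to do.
# Use "nosan" for a CA certificate, which normally carries no subjectAltName.
# The ( ) body runs in a subshell, so variables stay local and exit is safe.
cert_renewal_reasons() (
    cert=$1; san=${2:-san}; days=${3:-$RENEW_WINDOW_DAYS}; reasons=
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo unreadable; exit 2; }
    # -checkend N fails when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        reasons=expired
    elif ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        reasons=expires-soon
    fi
    if [ "$san" = san ] && ! openssl x509 -in "$cert" -noout -text |
            grep -q 'Subject Alternative Name'; then
        reasons="${reasons:+$reasons,}no-subjectAltName"
    fi
    [ -z "$reasons" ] && exit 0
    echo "$reasons"; exit 1
)

# make_sample_cert OUT DAYS [SAN_DNS_NAME]: constructed, self-signed test input.
# -addext needs OpenSSL 1.1.1 or later.
make_sample_cert() (
    out=$1; days=$2; san=$3
    set -- -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -days "$days" -subj "/CN=engine.example.test"
    [ -n "$san" ] && set -- "$@" -addext "subjectAltName=DNS:$san"
    openssl req "$@" 2>/dev/null
)

# Demo on two constructed certificates: one healthy, one short-lived without SAN.
demo() (
    dir=$(mktemp -d) || exit 1
    make_sample_cert "$dir/good.pem" 800 engine.example.test
    make_sample_cert "$dir/old.pem" 30
    for f in "$dir/good.pem" "$dir/old.pem"; do
        if why=$(cert_renewal_reasons "$f"); then echo "OK    ${f##*/}"
        else echo "RENEW ${f##*/}: $why"; fi
    done
    rm -rf "$dir"
)
demo
```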
See also bug 1688184. Users should already be notified.
During restore I saw appropriate message as follows:
Renew engine CA on restore if needed? Please notice that if you choose Yes, all hosts will have to be later manually reinstalled from the engine. (Yes, No)[No]:
I continued with "No" option and restore got finished just fine.
The host had its date manually set to later than the one that appeared within the CA certificate in the engine's backup.
Tested using these components:
Linux 3.10.0-957.10.1.el7.x86_64 #1 SMP Thu Feb 7 07:12:53 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux Server release 7.6 (Maipo)
Moving to verified.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.