Bug 1686445 - hosted-engine deploy (restore-from-file) fails if certificates are not up to date in backup file.
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-hosted-engine-setup
Version: 4.2.8-3
Hardware: Unspecified
OS: Unspecified
Target Milestone: ovirt-4.3.3
: 4.3.0
Assignee: Simone Tiraboschi
QA Contact: Nikolai Sednev
Depends On: 1699913
Reported: 2019-03-07 13:31 UTC by Ameya Charekar
Modified: 2020-08-03 15:29 UTC (History)

Fixed In Version: ovirt-hosted-engine-setup-2.3.7
Doc Type: If docs needed, set a value
Doc Text:
This bug fix allows the restore-from-file command to execute even if a certificate is not current or is expiring soon. If an error message persists while executing the command, one workaround is to renew the certificates at restore time prior to executing the command to restore-from-file.
Clone Of:
Last Closed: 2019-05-08 12:32:05 UTC
oVirt Team: Integration
Target Upstream Version:
lsvaty: testing_plan_complete-

Attachments

System | ID | Private | Priority | Status | Summary | Last Updated
Github | oVirt ovirt-ansible-hosted-engine-setup pull 140 | 0 | None | closed | Manage PKI renew on restore | 2021-01-01 03:15:03 UTC
Red Hat Product Errata | RHEA-2019:1050 | 0 | None | None | None | 2019-05-08 12:32:06 UTC
oVirt gerrit | 98513 | 0 | master | MERGED | restore: ask for PKI renewal | 2021-01-01 03:15:03 UTC
oVirt gerrit | 98525 | 0 | ovirt-hosted-engine-setup-2.3 | MERGED | restore: ask for PKI renewal | 2021-01-01 03:15:06 UTC

Description Ameya Charekar 2019-03-07 13:31:51 UTC
Description of problem:

The hosted-engine deploy (restore-from-file) fails when the engine-backup file does not have renewed certificates, as engine-setup fails in "PKI CONFIGURATION":

        "          --== PKI CONFIGURATION ==--",
        "         ",
        "          One or more of the certificates should be renewed, because they expire soon, or include an invalid expiry date, or do not include the subjectAltName extension, which can cause them to be rejected by recent browsers and up to date hosts.",
        "          See https://access.redhat.com/solutions/1572983 for more details.",
        "          Renew certificates? (Yes, No) [No]: ",
        "          Are you really sure that you want to skip the PKI renewal process?",
        "          Please notice that recent openssl and gnutls upgrades can lead hosts refusing this CA cert making them unusable.",
        "          If you choose \"Yes\", setup will continue and you will be asked again the next time you run this Setup. Otherwise, this process will abort and you will be expected to plan a proper upgrade according to https://access.redhat.com/solutions/1572983.",
        "          Skip PKI renewal process? (Yes, No) [No]: ",
        "[ ERROR ] Failed to execute stage 'Environment customization': Aborted by user",
        "[ INFO  ] Stage: Clean up",
        "          Log file is located at /var/log/ovirt-engine/setup/ovirt-engine-setup-20190228225058-gmnhe4.log",
        "[ INFO  ] Generating answer file '/var/lib/ovirt-engine/setup/answers/20190228225101-setup.conf'",
        "[ INFO  ] Stage: Pre-termination",
        "[ INFO  ] Stage: Termination",
        "[ ERROR ] Execution of setup failed"

Version-Release number of selected component (if applicable):
RHV 4.2.8-3

How reproducible:

Steps to Reproduce:
1. Have a backup_file without renewed certificates.
2. hosted-engine --deploy --restore-from-file=backup/file_name
3. Deployment fails.

Actual results:
Deployment fails.

Expected results:
Deployment should be successful.

Additional info:
The workaround is to renew the certificates before collecting the backup file with engine-backup.
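
The three renewal criteria that engine-setup prints in the PKI CONFIGURATION stage quoted above (expiring soon, invalid expiry date, no subjectAltName extension) can be checked against the certificates in a backup before the restore is started. The script below is an added example written for this page, not code from the bug report or from ovirt-hosted-engine-setup; it assumes the `openssl` CLI is available and that the PEM certificates have already been extracted from the backup into a directory of the caller's choosing. The 365-day window is an assumption, since the page does not state the threshold engine-setup itself uses.

```shell
#!/bin/sh
# Added example, not part of the bug report or of ovirt-hosted-engine-setup.
# Pre-restore check that applies the three reasons engine-setup gives for
# asking to renew PKI: expiring soon, unparseable expiry, missing subjectAltName.
# Assumptions: the openssl CLI is installed, and the PEM files were extracted
# from the engine backup into a directory chosen by the caller.

# Renewal window in days. The 365-day default is an assumption; the page does
# not state the value engine-setup uses.
RENEWAL_WINDOW_DAYS="${RENEWAL_WINDOW_DAYS:-365}"

# Print "ok", or a space-separated list of renewal reasons, for one PEM file.
# Returns 0 only when the certificate would not trigger the renewal prompt.
cert_renewal_reasons() {
    local cert="$1" reasons=""
    # A file whose expiry cannot be read (or that is not a certificate at all)
    # counts as an invalid expiry date.
    if ! openssl x509 -in "$cert" -noout -enddate >/dev/null 2>&1; then
        echo "invalid-expiry"
        return 1
    fi
    # -checkend exits non-zero when the certificate expires within N seconds
    # (an already expired certificate fails this check as well).
    if ! openssl x509 -in "$cert" -noout \
            -checkend $(( RENEWAL_WINDOW_DAYS * 86400 )) >/dev/null 2>&1; then
        reasons="$reasons expires-soon"
    fi
    # Grep the text dump rather than using "-ext subjectAltName", which older
    # openssl releases (e.g. the 1.0.2 series on EL7) do not support.
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null \
            | grep -q 'Subject Alternative Name'; then
        reasons="$reasons no-subjectAltName"
    fi
    if [ -z "$reasons" ]; then
        echo "ok"
        return 0
    fi
    echo "${reasons# }"
    return 1
}

# Check every *.pem file directly below a directory and report per file.
# Returns 1 if at least one certificate needs renewal, 0 otherwise.
check_pki_dir() {
    local dir="$1" rc=0 f result
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        result=$(cert_renewal_reasons "$f") || rc=1
        printf '%s: %s\n' "$f" "$result"
    done
    return "$rc"
}

# Usage: check_pki_dir /path/to/extracted/pki   (path is the caller's choice)
```

A non-zero exit from `check_pki_dir` means at least one certificate would make engine-setup stop at the "Renew certificates?" prompt during `hosted-engine --deploy --restore-from-file=...`, so it should be renewed before the backup is taken, as the workaround above says, or the renewal accepted at restore time.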

Comment 3 Yedidyah Bar David 2019-03-31 08:59:37 UTC
See also bug 1688184. Users should already be notified.

Comment 4 Nikolai Sednev 2019-04-16 21:41:52 UTC
During restore I saw appropriate message as follows:
Renew engine CA on restore if needed? Please notice that if you choose Yes, all hosts will have to be later manually reinstalled from the engine. (Yes, No)[No]: 
I continued with "No" option and restore got finished just fine.
The host had its date manually set to later than the date that appeared within the CA certificate in the engine's backup.

Tested using these components:
Linux 3.10.0-957.10.1.el7.x86_64 #1 SMP Thu Feb 7 07:12:53 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux Server release 7.6 (Maipo)

Moving to verified.

Comment 6 errata-xmlrpc 2019-05-08 12:32:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Comment 7 Daniel Gur 2019-08-28 13:14:15 UTC

Comment 8 Daniel Gur 2019-08-28 13:19:17 UTC
