Bug 1848095 - [RFE] Collect information about RHV PKI
Summary: [RFE] Collect information about RHV PKI
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2020-07-31
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sos
Version: 8.4
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.4
Assignee: Pavel Moravec
QA Contact: Miroslav Hradílek
URL:
Whiteboard:
Depends On:
Blocks: 902971 1845877
Reported: 2020-06-17 16:47 UTC by Sandro Bonazzola
Modified: 2021-05-18 14:48 UTC

Fixed In Version: sos-4.0-3.el8
Doc Type: Enhancement
Doc Text:
Clone Of: 1845877
Environment:
Last Closed: 2021-05-18 14:47:21 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | sosreport sos issues 2121 | 0 | None | closed | Not all the vdsm certificates are included | 2021-02-04 15:32:26 UTC
Github | sosreport sos issues 2122 | 0 | None | closed | oVirt engine truststores are not included within the sosreport | 2021-02-04 15:32:26 UTC
Github | sosreport sos pull 2297 | 0 | None | closed | [ovirt] collect /etc/pki/ovirt-engine/.truststore | 2021-02-04 15:32:26 UTC

Comment 3 Pavel Moravec 2020-06-18 08:48:17 UTC
1) To settle down specification (that seems a bit unclear to me):
- sos should collect "/etc/pki/ovirt-engine/.truststore" as - although a truststore contains SSL keys by default - this contains ovirt-engine CA certificate only (and is it really safe for this to be shared by a customer?)
- it should collect whole '/etc/pki/vdsm/', not only '/etc/pki/vdsm/certs/'

First fully covers #Engine, second covers # Host requirements.



2) "Deadline: 2020-07-31" - I hope this was added just from the BZ clone and it is not required?



3) Is RHEL8.4 sufficient target release? And no RHEL7? (I expect so, and that will be trivial to fulfil, anything else might not be easy)

Comment 4 Pavel Moravec 2020-06-18 08:49:35 UTC
Forgot to ask:

Can't '/etc/pki/vdsm/' contain some sensitive information (SSL keys or their passwords or similar) that we must skip in collection?

Comment 5 Miguel Martin 2020-06-18 10:47:26 UTC
(In reply to Pavel Moravec from comment #3)
> 1) To settle down specification (that seems a bit unclear to me):
> - sos should collect "/etc/pki/ovirt-engine/.truststore" as - although a
> truststore contains SSL keys by default - this contains ovirt-engine CA
> certificate only (and is it really safe for this to be shared by a customer?)

Truststores are not supposed to contain any private keys, only CA certificates. When a JKS (Java Key Store) file contains private keys, it is referred to as a 'keystore', not a 'truststore'.
In the end the file format is exactly the same, but this convention exists in the Java world AFAIK.

> - it should collect whole '/etc/pki/vdsm/', not only '/etc/pki/vdsm/certs/'
> 
> First fully covers #Engine, second covers # Host requirements.

Yes, we would like to get all the certificates used by libvirt also.

> 
> 
> 
> 2) "Deadline: 2020-07-31" - I hope this was added just from the BZ clone and
> it is not required?
> 
> 
> 
> 3) Is RHEL8.4 sufficient target release? And no RHEL7? (I expect so, and
> that will be trivial to fulfil, anything else might not be easy)

It would be great to have this backported alongside the "ovirt_engine_backup" plugin if possible.

>Forgot to ask:
>Can't '/etc/pki/vdsm/' contain some sensitive information (SSL keys or their passwords or similar) that we must skip in collection?

All the sensitive data is already excluded in the upstream PR.

Comment 6 Sandro Bonazzola 2020-06-26 08:06:37 UTC
(In reply to Pavel Moravec from comment #3)
> 1) To settle down specification (that seems a bit unclear to me):
> - sos should collect "/etc/pki/ovirt-engine/.truststore" as - although a
> truststore contains SSL keys by default - this contains ovirt-engine CA
> certificate only (and is it really safe for this to be shared by a customer?)
> - it should collect whole '/etc/pki/vdsm/', not only '/etc/pki/vdsm/certs/'
> 
> First fully covers #Engine, second covers # Host requirements.

Already answered by Miguel Martin


> 2) "Deadline: 2020-07-31" - I hope this was added just from the BZ clone and
> it is not required?

Yes, came from the bug cloning


> 3) Is RHEL8.4 sufficient target release? And no RHEL7? (I expect so, and
> that will be trivial to fulfil, anything else might not be easy)

Already answered by Miguel Martin

Comment 7 Sandro Bonazzola 2020-09-02 13:00:57 UTC
I see fixes got in upstream, will this bug make it for RHEL 8.3?

Comment 8 Pavel Moravec 2020-09-03 15:39:09 UTC
(In reply to Sandro Bonazzola from comment #7)
> I see fixes got in upstream, will this bug make it for RHEL 8.3?

Nope /o\. Scope of 8.3 is closed already, this isn't in (neither in sos-3.9 we rebase to in RHEL8.3, nor as a separate patch above it). Planned for 8.4 where it should appear "gratis" due to the planned rebase to sos-4.0.

Comment 10 Pavel Moravec 2020-10-29 11:57:33 UTC
Hello,
can you please verify the bug against the build below (not sure if QE will have capacity to verify this by themselves)? Thanks in advance.


A yum repository for the build of sos-4.0-2.el8 (task 32548242) is available at:

http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/2.el8/

You can install the rpms locally by putting this .repo file in your /etc/yum.repos.d/ directory:

http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/2.el8/sos-4.0-2.el8.repo

RPMs and build logs can be found in the following locations:
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/2.el8/noarch/

The full list of available rpms is:
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/2.el8/noarch/sos-4.0-2.el8.src.rpm
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/2.el8/noarch/sos-4.0-2.el8.noarch.rpm
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/2.el8/noarch/sos-audit-4.0-2.el8.noarch.rpm

The repository will be available for the next 60 days. Scratch build output will be deleted
earlier, based on the Brew scratch build retention policy.

Comment 11 Juan Orti 2020-11-04 10:33:49 UTC
I tested sos-4.0-2.el8.noarch in RHV 4.4 and found a couple of issues:

I don't know why, but in the host I had a 'libvirt-vnc' dir inside /etc/pki/vdsm/libvirt-vnc, this could be a bug in RHV. Anyway, inside there is a server-key.pem file and I checked that the private key is visible.

~~~
# tar tvf /var/tmp/sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq.tar.xz | egrep '/etc/pki|truststore'
drwxr-xr-x root/root                 0 2020-11-04 09:42 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/
drwxr-xr-x root/root                 0 2020-09-29 23:55 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/nssdb/
-rw-r--r-- root/root               451 2020-07-31 01:46 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/nssdb/pkcs11.txt
drwxr-xr-x root/root                 0 2020-09-29 23:48 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/tls/
-rw-r--r-- root/root             11225 2020-03-05 11:01 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/tls/openssl.cnf
drwxr-xr-x root/root                 0 2020-11-04 09:42 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/
drwxr-xr-x root/root                 0 2020-11-04 09:43 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-spice/
-rw-r--r-- root/kvm               1372 2020-07-17 08:36 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-spice/ca-cert.pem
-rw-r--r-- root/kvm               5283 2020-11-04 09:34 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-spice/server-cert.pem
drwxr-xr-x root/root                 0 2020-11-04 09:43 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-vnc/
drwxr-xr-x root/root                 0 2020-07-17 08:41 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiqlibvirt-vnc/libvirt-vnc/
-rw-r--r-- root/root              5283 2020-07-17 08:37 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-vnc/libvirt-vnc/server-cert.pem
-rw-r--r-- root/root              1704 2020-07-17 08:36 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-vnc/libvirt-vnc/server-key.pem <----
-rw-r--r-- root/root              1372 2020-07-17 08:36 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-vnc/libvirt-vnc/ca-cert.pem
-rw-r--r-- root/root              5283 2020-11-04 09:42 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-vnc/server-cert.pem
-rw-r--r-- root/root              1372 2020-11-04 09:42 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-vnc/ca-cert.pem
drwxr-xr-x root/root                 0 2020-11-04 09:43 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/certs/
-rw-r--r-- root/kvm               1372 2020-07-17 08:36 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/certs/cacert.pem
-rw-r--r-- root/kvm               5283 2020-11-04 09:34 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/certs/vdsmcert.pem
drwxr-xr-x root/root                 0 2020-11-04 09:43 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-migrate/
-rw-r--r-- root/kvm               1432 2020-07-17 08:37 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-migrate/ca-cert.pem
-rw-r--r-- root/kvm               5374 2020-11-04 09:34 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/vdsm/libvirt-migrate/server-cert.pem
drwxr-xr-x root/root                 0 2020-11-04 09:43 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/consumer/
-rw-r----- root/root              2232 2020-07-16 10:18 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/consumer/cert.pem
drwxr-xr-x root/root                 0 2020-11-04 09:43 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/entitlement/
-rw-r--r-- root/root            147613 2020-11-04 08:52 sosreport-jorti-rhvh44-01-2020-11-04-vpfgqiq/etc/pki/entitlement/1419475447725441131.pem
~~~

In the manager I miss the /etc/pki/ovirt-engine/.truststore file which should contain only the public CA certificates:

~~~
# TRUSTSTORE_PASS="mypass" keytool -list -storepass:env TRUSTSTORE_PASS -keystore /etc/pki/ovirt-engine/.truststore
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

cacert, Nov 4, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 8D:1C:FC:FF:E4:F9:16:21:57:13:A3:ED:96:F0:B2:DD:68:7E:EA:55
qemu-cacert, Nov 4, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 75:23:2A:2F:1D:D5:B4:64:0B:1E:2F:28:FF:88:9C:91:D2:1C:54:6E
~~~


~~~
# tar tvf /var/tmp/sosreport-jorti-rhvm44-2020-11-04-ttfacbs.tar.xz | egrep '/etc/pki|truststore'
drwxr-xr-x root/root         0 2020-04-23 08:25 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/
drwxr-xr-x root/root         0 2020-11-04 09:14 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ca-trust/
drwxr-xr-x root/root         0 2020-11-04 09:14 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ca-trust/extracted/
drwxr-xr-x root/root         0 2020-11-04 09:24 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ca-trust/extracted/java/
-r--r--r-- root/root    157499 2020-11-04 09:24 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ca-trust/extracted/java/cacerts
drwxr-xr-x root/root         0 2020-11-04 09:14 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/java/
lr--r--r-- root/root         0 2020-11-04 09:24 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/java/cacerts -> ../ca-trust/extracted/java/cacerts
drwxr-xr-x root/root         0 2020-11-04 09:14 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/tls/
-rw-r--r-- root/root     11225 2020-07-20 15:07 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/tls/openssl.cnf
drwxr-xr-x root/root         0 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/
drwxr-xr-x root/root         0 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/
-rw-r--r-- root/root      5149 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/vmconsole-proxy-user.cer
-rw-r--r-- root/root      5085 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/100B.pem
-rw-r--r-- ovirt/ovirt    1433 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-02.nested.lab-ssh-cert.pub
-rw-r--r-- root/root      5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1006.pem
-rw-r--r-- root/root      1868 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/imageio-proxy.cer
-rw-r--r-- root/root       381 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/vmconsole-proxy-user.pub
-rw-r--r-- root/root      5149 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/vmconsole-proxy-host.cer
-rw-r--r-- root/root      1868 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/ovn-ndb.cer
-rw-r--r-- root/root      5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1001.pem
-rw-r--r-- root/root      1436 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/100A.pem
-rw-r--r-- ovirt/ovirt    5283 2020-11-04 09:33 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1014.pem
-rw-r--r-- root/root      1375 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1000.pem
-rw-r--r-- root/root      5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/imageio-proxy.cer.20200717081849
-rw-r--r-- root/root      1403 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/vmconsole-proxy-host-cert.pub
-rw-r--r-- ovirt/ovirt    1425 2020-07-17 08:41 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-01.nested.lab-ssh-cert.pub.20201104093439
-rw-r--r-- root/root      1868 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/ovn-sdb.cer
-rw-r--r-- root/root      5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/apache.cer.20200717081848
-rw-r--r-- ovirt/ovirt    5137 2020-07-17 08:41 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-01.nested.lab-ssh.cer.20201104093439
-rw-r--r-- ovirt/ovirt     381 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-02.nested.lab-ssh.pub
-rw-r--r-- root/root      5085 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/vmconsole-proxy-helper.cer
-rw-r--r-- root/root      5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1003.pem
-rw-r--r-- root/root      5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/ovn-sdb.cer.20200717081851
-rw-r--r-- ovirt/ovirt    5283 2020-07-17 08:36 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-01.nested.lab.cer.20201104093342
-rw-r--r-- root/root      5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/websocket-proxy.cer.20200717081847
-rw-r--r-- ovirt/ovirt    5283 2020-07-17 08:36 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/100E.pem
-rw-r--r-- root/root      5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1008.pem
-rw-r--r-- root/root      5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1007.pem
-rw-r--r-- ovirt/ovirt    5374 2020-07-17 09:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1012.pem
-rw-r--r-- ovirt/ovirt    5283 2020-11-04 09:33 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-01.nested.lab.cer
-rw-r--r-- root/root      5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1005.pem
-rw-r--r-- root/root      5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1004.pem
-rw-r--r-- ovirt/ovirt    1433 2020-11-04 09:34 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-01.nested.lab-ssh-cert.pub
-rw-r--r-- root/root      1868 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/websocket-proxy.cer
-rw-r--r-- root/root      5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1002.pem
-rw-r--r-- root/root      5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/engine.cer
-rw-r--r-- root/root      5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jboss.cer
-rw-r--r-- root/root      5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1009.pem
-rw-r--r-- ovirt/ovirt    5137 2020-11-04 09:34 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-01.nested.lab-ssh.cer
-rw-r--r-- ovirt/ovirt    5283 2020-11-04 10:58 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-02.nested.lab.cer
-rw-r--r-- ovirt/ovirt    5283 2020-07-17 09:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1011.pem
-rw-r--r-- root/root      1375 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/ca.der
-rw-r--r-- ovirt/ovirt    5137 2020-07-17 09:21 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1013.pem
-rw-r--r-- root/root      1868 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer
-rw-r--r-- ovirt/ovirt     381 2020-07-17 08:41 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-01.nested.lab-ssh.pub.20201104093439
-rw-r--r-- root/root      5149 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/100D.pem
-rw-r--r-- ovirt/ovirt     381 2020-11-04 09:34 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-01.nested.lab-ssh.pub
-rw-r--r-- root/root      1436 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/qemu-ca.der
-rw-r--r-- ovirt/ovirt    5374 2020-07-17 08:36 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/100F.pem
-rw-r--r-- root/root      1423 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/vmconsole-proxy-user-cert.pub
-rw-r--r-- root/root      5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/ovn-ndb.cer.20200717081850
-rw-r--r-- root/root      1868 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/reports.cer
-rw-r--r-- root/root      1868 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/apache.cer
-rw-r--r-- ovirt/ovirt    5137 2020-11-04 09:34 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1016.pem
-rw-r--r-- root/root       381 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/vmconsole-proxy-host.pub
-rw-r--r-- root/root      5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer.20200717081852
-rw-r--r-- root/root      5278 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/reports.cer.20200717081849
-rw-r--r-- root/root      5149 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/100C.pem
-rw-r--r-- ovirt/ovirt    5137 2020-07-17 08:41 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1010.pem
-rw-r--r-- ovirt/ovirt    5374 2020-11-04 09:33 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/1015.pem
-rw-r--r-- ovirt/ovirt    5137 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs/jorti-rhvh44-02.nested.lab-ssh.cer
-rw-r--r-- root/root      1375 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/ca.pem
drwxr-xr-x root/root         0 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/
-rw-r--r-- root/root       863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/ca.csr
-rw-r--r-- root/root       863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/engine.req
-rw-r--r-- root/root       863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/jboss.req
-rw-r--r-- root/root       863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/websocket-proxy.req
-rw-r--r-- root/root       863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/apache.req
-rw-r--r-- root/root       863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/reports.req
-rw-r--r-- root/root       863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/imageio-proxy.req
-rw-r--r-- root/root       863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/ovn-ndb.req
-rw-r--r-- root/root       863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/ovn-sdb.req
-rw-r--r-- root/root       863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/ovirt-provider-ovn.req
-rw-r--r-- root/root       863 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/qemu-ca.csr
-rw-r--r-- root/root       863 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/vmconsole-proxy-helper.req
-rw-r--r-- root/root       863 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/vmconsole-proxy-user.req
-rw-r--r-- root/root       863 2020-07-17 08:20 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/vmconsole-proxy-host.req
-rw-r--r-- ovirt/ovirt     862 2020-11-04 09:33 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/jorti-rhvh44-01.nested.lab.req
-rw-r--r-- ovirt/ovirt     862 2020-11-04 09:34 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/jorti-rhvh44-01.nested.lab-ssh.req
-rw-r--r-- ovirt/ovirt     862 2020-11-04 10:58 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/jorti-rhvh44-02.nested.lab.req
-rw-r--r-- ovirt/ovirt     862 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests/jorti-rhvh44-02.nested.lab-ssh.req
-rw-r--r-- ovirt/ovirt       5 2020-11-04 10:58 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/serial.txt.old
-rw-r--r-- ovirt/ovirt    1998 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/database.txt
-rw-r--r-- root/root       384 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/cacert.template
drwxr-xr-x root/root         0 2020-11-04 10:58 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests-qemu/
-rw-r--r-- ovirt/ovirt     862 2020-11-04 10:58 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests-qemu/jorti-rhvh44-02.nested.lab.req
-rw-r--r-- ovirt/ovirt     862 2020-11-04 09:33 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/requests-qemu/jorti-rhvh44-01.nested.lab.req
-rw-r--r-- root/root       384 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/cacert.conf
-rw-r--r-- ovirt/ovirt       5 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/serial.txt
drwxr-xr-x root/root         0 2020-11-04 10:58 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs-qemu/
-rw-r--r-- ovirt/ovirt    5374 2020-11-04 09:33 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs-qemu/jorti-rhvh44-01.nested.lab.cer
-rw-r--r-- ovirt/ovirt    5374 2020-11-04 10:58 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs-qemu/jorti-rhvh44-02.nested.lab.cer
-rw-r--r-- ovirt/ovirt    5374 2020-07-17 08:36 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs-qemu/jorti-rhvh44-01.nested.lab.cer.20201104093342
-rw-r--r-- ovirt/ovirt    5374 2020-07-17 09:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/certs-qemu/jorti-rhvh44-02.nested.lab.cer.20201104105839
-rw-r--r-- root/root      1436 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/qemu-ca.pem
-rw-r--r-- root/root      1489 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/cert.conf
-rw-r--r-- ovirt/ovirt      20 2020-11-04 10:58 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/database.txt.attr.old
-rw-r--r-- root/root      1156 2020-09-14 17:43 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/cert.template.in
-rw-r--r-- root/root       550 2020-09-14 17:43 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/openssl.conf
-rw-r--r-- root/root       384 2020-09-14 17:43 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/cacert.template.in
lrw-r--r-- root/root         0 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/apache-ca.pem -> ca.pem
-rw-r--r-- ovirt/ovirt    1924 2020-11-04 10:58 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/database.txt.old
-rw-r--r-- ovirt/ovirt      20 2020-11-04 10:59 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/database.txt.attr
-rw-r--r-- root/root      1489 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/cert.template
-rw-r--r-- root/root      1474 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/ovirt-engine/cert.template.20200717081852
drwxr-xr-x root/root         0 2020-09-10 14:28 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/entitlement/
-rw-r--r-- root/root    147605 2020-11-04 08:52 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/entitlement/4376307980454443213.pem
drwxr-xr-x root/root         0 2020-11-04 09:28 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/product/
-rw-r--r-- root/root      2171 2020-11-04 08:54 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/product/479.pem
-rw-r--r-- root/root      2139 2020-11-04 09:28 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/product/408.pem
-rw-r--r-- root/root      2155 2020-11-04 09:28 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/product/329.pem
-rw-r--r-- root/root      2147 2020-11-04 08:54 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/product/415.pem
-rw-r--r-- root/root      2167 2020-11-04 09:28 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/product/183.pem
drwxr-xr-x root/root         0 2020-09-10 14:28 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/consumer/
-rw-r----- root/root      2228 2020-07-17 09:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/etc/pki/consumer/cert.pem
-rw-r--r-- root/root             1048 2020-07-17 08:18 sosreport-jorti-rhvm44-2020-11-04-ttfacbs/var/lib/ovirt-engine/external_truststore
~~~

Comment 12 Pavel Moravec 2020-11-06 11:03:47 UTC
Hello,
thanks a lot for the check!


/etc/pki/vdsm/libvirt-vnc/libvirt-vnc/server-key.pem : No search found such a dir / file to exist, and some virt SME confirms all cert files should be in the /etc/pki/vdsm/libvirt-vnc directory. And there we do skip collecting that file:

sos/report/plugins/vdsm.py:        self.add_forbidden_path('/etc/pki/vdsm/*/*-key.*')



/etc/pki/ovirt-engine/.truststore : interesting, sosreport skips hidden files, https://github.com/sosreport/sos/issues/2296 raised. 


I am checking if the #2296 is worth backporting still to 8.4 or not..
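
An added example (not part of the bug thread and not sos code): a content-based check of a report archive for private keys, automating the manual `tar tvf | egrep` inspection from comment 11. It also evaluates the forbidden-path pattern quoted in comment 12 one path component at a time, which is an assumption about glob semantics and not a description of how sos applies it; the archive contents and the `sosreport-example-host` name are constructed.

```python
"""Audit a sosreport-style tar archive for private key material before it is shared."""
import fnmatch
import io
import re
import tarfile

# PEM armor of PKCS#8, PKCS#1 (RSA), SEC1 (EC), DSA, OpenSSH and encrypted private keys.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")

# Forbidden-path pattern quoted from sos/report/plugins/vdsm.py in comment 12.
FORBIDDEN_GLOB = "/etc/pki/vdsm/*/*-key.*"


def glob_matches_per_component(pattern, path):
    """Match component by component, so '*' never crosses '/' (shell-style globbing).

    Assumption for illustration: this is not taken from the sos implementation.
    """
    pat_parts = pattern.strip("/").split("/")
    path_parts = path.strip("/").split("/")
    return len(pat_parts) == len(path_parts) and all(
        fnmatch.fnmatchcase(part, pat) for part, pat in zip(path_parts, pat_parts)
    )


def find_private_keys(fileobj, max_bytes=1 << 20):
    """Return sorted member names whose content carries a PEM private-key header.

    Only the first max_bytes of each member are inspected; PEM key files are small,
    and the cap keeps large logs in a report from being read in full.
    """
    hits = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as archive:  # r:* detects xz/gz
        for member in archive:
            if not member.isfile():
                continue  # directories and symlinks carry no content
            handle = archive.extractfile(member)
            if handle is not None and PEM_PRIVATE_KEY.search(handle.read(max_bytes)):
                hits.append(member.name)
    return sorted(hits)


def audit(fileobj):
    """Map each key found (as a host path) to whether FORBIDDEN_GLOB covers its name."""
    findings = {}
    for name in find_private_keys(fileobj):
        # Drop the top-level sosreport-* directory to recover the path on the host.
        host_path = "/" + name.split("/", 1)[-1]
        findings[host_path] = glob_matches_per_component(FORBIDDEN_GLOB, host_path)
    return findings


def build_sample_archive():
    """Constructed archive mirroring the vdsm layout in comment 11; contents are fake."""
    cert = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n"
    key = b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-NOT-A-KEY\n-----END PRIVATE KEY-----\n"
    files = {
        "etc/pki/vdsm/certs/cacert.pem": cert,
        "etc/pki/vdsm/libvirt-vnc/server-cert.pem": cert,
        "etc/pki/vdsm/libvirt-vnc/ca-cert.pem": cert,
        # The nested directory reported in comment 11, one level deeper than expected.
        "etc/pki/vdsm/libvirt-vnc/libvirt-vnc/server-cert.pem": cert,
        "etc/pki/vdsm/libvirt-vnc/libvirt-vnc/server-key.pem": key,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as archive:
        for rel, data in files.items():
            info = tarfile.TarInfo(f"sosreport-example-host/{rel}")
            info.size = len(data)
            archive.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for host_path, covered in audit(build_sample_archive()).items():
        print(f"{host_path}: private key in archive, covered by glob: {covered}")
```

To check a real report, pass `open(path, "rb")` to `audit()`; any entry in the result means the archive should not be shared as is.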

Comment 13 Pavel Moravec 2020-11-06 20:40:05 UTC
Hello,
if I would add the PR https://github.com/sosreport/sos/pull/2297 "collect .truststore file", would you be able to verify it in the next rpm package candidate version (together with previous check if nothing else is missing), please?

Comment 14 Juan Orti 2020-11-10 07:51:28 UTC
Sure, if you provide the rpm I'll test it.

Comment 18 Pavel Moravec 2020-12-15 08:14:19 UTC
(In reply to Juan Orti Alcaine from comment #14)
> Sure, if you provide the rpm I'll test it.

Hello, thanks for the offer. Could you please verify the bug against the build below? Thanks in advance.


A yum repository for the build of sos-4.0-3.el8 (task 33745106) is available at:

http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/3.el8/

You can install the rpms locally by putting this .repo file in your /etc/yum.repos.d/ directory:

http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/3.el8/sos-4.0-3.el8.repo

RPMs and build logs can be found in the following locations:
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/3.el8/noarch/

The full list of available rpms is:
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/3.el8/noarch/sos-4.0-3.el8.src.rpm
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/3.el8/noarch/sos-4.0-3.el8.noarch.rpm
http://brew-task-repos.usersys.redhat.com/repos/official/sos/4.0/3.el8/noarch/sos-audit-4.0-3.el8.noarch.rpm

The repository will be available for the next 60 days.

Comment 19 Juan Orti 2020-12-21 09:18:48 UTC
The dot files are included now and I don't see any private key, so it looks good to me.

Package versions tested:
sos-4.0-3.el8.noarch
sos-audit-4.0-3.el8.noarch

Comment 23 errata-xmlrpc 2021-05-18 14:47:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sos bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:1604

