Description of problem: Need to test and fix what's needed for grafana on separate machine when PKI needs renew. Currently the code works only on the engine machine. This is enough for grafana if it's there (as it then uses apache, already handled), but not on a separate machine. Noting, that there is no need to add grafana to PKIEnv.ENTITIES, at least not for the case of engine+grafana on same machine. For separate, we probably need new code, so that won't be enough either. Version-Release number of selected component (if applicable): Current master How reproducible: Always Steps to Reproduce: 1. Setup grafana on a separate machine 2. Wait 5 years or so (or move the machine clock forward and disable ntp etc.) 3. engine-setup 4. Connect a browser to grafana Actual results: Nothing special happens - eventually the certificate expires and browsers start complaining Expected results: Probably engine-setup should check, prompt, allow renewing Additional info: This will soon become more urgent, because newer browsers require shorter lifespans, see bug 1824103.
Workaround: 1. Remove/rename all of these files: /etc/pki/ovirt-engine/apache-grafana-ca.pem /etc/pki/ovirt-engine/apache-ca.pem /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache-grafana.key.nopass /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache-grafana.cer 2. Run engine-setup It will notice that the files are missing, prompt you for needed stuff, and generate new ones.
Verified in ovirt-engine-4.4.7.6-0.11.el8ev.noarch ovirt-engine-dwh-4.4.7.3-1.el8ev.noarch Verified with grafana installed on a separate machine. Then I used workaround in comment 1 to invalidate the certificates (I deleted all the certs and keys files) and ran engine-setup again. It re-created all the necessary files again.
This bugzilla is included in oVirt 4.4.7 release, published on July 6th 2021. Since the problem described in this bug report should be resolved in oVirt 4.4.7 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.