Description of problem:
When running engine-setup it should detect if a certificate has a too long validity that would cause it to be rejected by modern browsers.

Version-Release number of selected component (if applicable):
ovirt-engine-setup-base-4.4.3.12-0.1.el8ev.noarch

How reproducible:
Always

Steps to Reproduce:
Conditions:
cluster in global maintenance
engine and other certificates have a validity longer than 397 days

1. run engine-setup
2. accept default answers everywhere.

Actual results:
engine-setup does not offer to renew the certificates. setup runs without issues, but without offering to replace certificates.

Expected results:
setup runs without issues, and offers to replace the certificates.

Additional info:
See https://access.redhat.com/solutions/2985561 where it is suggested that engine-setup should be doing this.

engine-setup regenerates engine and CA certificate only if:

1. The CA or engine certificate is expired
2. engine certificate has invalid SAN record

If customers are upgrading from previous installation, we are not considering renewal of certificates which were created with longer validity period than 398 days (more info in BZ1824103).

Anyway, for production environments it's highly recommended to replace default RHV Manager HTTPS certificate with custom certificate signed by proper certification authority as described in https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_CA_Certificate

OK, reopening after offline discussion
Verified on ovirt-engine-setup-4.4.5.7-0.1.el8ev.noarch

As per hitting this question during upgrade I guess it should have been ON_QA some time ago.
This bugzilla is included in oVirt 4.4.5 release, published on March 18th 2021. Since the problem described in this bug report should be resolved in oVirt 4.4.5 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.
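
The check requested in this report, as an added example that is not engine-setup's own code: it reads the output of `openssl x509 -noout -dates` and flags a certificate that is expired or whose validity period exceeds the 398 days mentioned in the thread. The function names and the sample output are constructed for illustration; the SAN condition is not covered.

```python
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=398)        # limit cited in the thread
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"     # date format printed by `openssl x509 -dates`

# Constructed sample of `openssl x509 -noout -dates` output (about five years).
SAMPLE_LONG = """notBefore=Mar  1 12:00:00 2020 GMT
notAfter=Feb 28 12:00:00 2025 GMT
"""


def parse_dates(text):
    """Return (not_before, not_after) as UTC datetimes from openssl output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), OPENSSL_FMT)
            fields[key] = parsed.replace(tzinfo=timezone.utc)
    if len(fields) != 2:
        raise ValueError("expected notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]


def renewal_reasons(text, now=None):
    """List the reasons a certificate should be offered for renewal."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_dates(text)
    reasons = []
    if now >= not_after:
        reasons.append("expired")
    # Exactly 398 days is still accepted; anything longer is flagged.
    if not_after - not_before > MAX_VALIDITY:
        reasons.append("validity-too-long")
    return reasons


if __name__ == "__main__":
    check_time = datetime(2021, 1, 15, tzinfo=timezone.utc)
    print(renewal_reasons(SAMPLE_LONG, now=check_time))
```

To check a real file, pass the output of `openssl x509 -in <certificate> -noout -dates` to `renewal_reasons`.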