Description of problem:
An expired 'vmconsole-proxy-helper.cer' is not renewed with `engine-setup`.

Version-Release number of selected component (if applicable):
RHV 4.x

How reproducible:
100%

Additional info:
Manual renewal of this certificate with `pki-enroll-pkcs12.sh` requires these 2 extra parameters: "--ku=digitalSignature --eku=1.3.6.1.4.1.2312.13.1.2.1.1"
A workaround:

# cd /etc/pki/ovirt-engine
# rm ./keys/vmconsole-proxy-helper.p12 ./keys/vmconsole-proxy-helper.key.nopass ./certs/vmconsole-proxy-helper.cer
# engine-setup --offline

I consider not touching/using the renew code but instead do something like [1], but for the helper. I think it should be enough, and due to the need to handle EKU, much simpler.

[1] https://gerrit.ovirt.org/c/ovirt-engine/+/108416
Milan, can you please have a look and/or take over? Thanks.
I'll look at it.
The current fix only renews vmconsole cert when the engine CA cert is newer than the vmconsole cert. Moving back to assigned for also renewing vmconsole cert when engine CA cert has longer expiration than vmconsole cert and the vmconsole cert has expired.
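As an added example (not ovirt-engine's own code), a small check that applies the renewal rule stated above: re-enroll the helper certificate when the engine CA certificate is newer than it, or when it has expired and the CA certificate outlives it. Validity dates are taken from `openssl x509 -noout -dates` output; the CA certificate path `/etc/pki/ovirt-engine/ca.pem` is an assumption.

```python
"""Decide whether vmconsole-proxy-helper.cer must be re-enrolled.

Added example, not ovirt-engine code. Rule from the bug comment: renew when
the engine CA cert is newer than the helper cert, or when the helper cert has
expired and the CA cert outlives it. Manual re-enrollment with
pki-enroll-pkcs12.sh additionally needs
"--ku=digitalSignature --eku=1.3.6.1.4.1.2312.13.1.2.1.1" (see description).
"""
import re
import subprocess
from datetime import datetime, timezone

PKI_DIR = "/etc/pki/ovirt-engine"                   # from the workaround comment
CA_CERT = f"{PKI_DIR}/ca.pem"                       # assumption: engine CA cert path
HELPER_CERT = f"{PKI_DIR}/certs/vmconsole-proxy-helper.cer"

# Matches the two lines printed by `openssl x509 -noout -dates`.
_DATE_RE = re.compile(r"^not(Before|After)=(.+?)\s*GMT\s*$", re.M)


def parse_openssl_dates(text):
    """Parse notBefore/notAfter lines into (notBefore, notAfter) UTC datetimes."""
    found = {}
    for which, stamp in _DATE_RE.findall(text):
        # openssl pads single-digit days with a space ("May  4"); strptime tolerates it.
        found[which] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("unexpected openssl output: %r" % text)
    return found["Before"], found["After"]


def needs_renewal(ca_dates, helper_dates, now):
    """Return a reason string if the helper cert must be renewed, else None."""
    ca_nb, ca_na = ca_dates
    helper_nb, helper_na = helper_dates
    if ca_nb > helper_nb:
        return "engine CA cert is newer than the helper cert"
    if helper_na < now and ca_na > helper_na:
        return "helper cert has expired and the engine CA cert outlives it"
    return None


def cert_dates(path):
    """Run openssl on a certificate file and return its validity interval."""
    out = subprocess.run(["openssl", "x509", "-noout", "-dates", "-in", path],
                         check=True, capture_output=True, text=True).stdout
    return parse_openssl_dates(out)


if __name__ == "__main__":
    reason = needs_renewal(cert_dates(CA_CERT), cert_dates(HELPER_CERT),
                           datetime.now(timezone.utc))
    print(reason or "vmconsole-proxy-helper.cer does not need renewal")
```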
*** Bug 2077907 has been marked as a duplicate of this bug. ***
Verified with: ovirt-engine-4.5.0.5-0.7.el8ev.noarch

Steps:
1. Update engine CA cert to make it newer than vmconsole-proxy-helper.cer, then run `engine-setup --offline` and check if vmconsole-proxy-helper.cer is refreshed.
2. Make vmconsole-proxy-helper.cer expire, but engine CA not expire, such as changing the system date, then run `engine-setup --offline` and check if vmconsole-proxy-helper.cer is refreshed.

Results:
1. vmconsole-proxy-helper.cer is refreshed during engine-setup when the engine CA cert is updated.
2. vmconsole-proxy-helper.cer is refreshed during engine-setup when vmconsole-proxy-helper.cer is expired.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:4711
Due to QE capacity, we are not going to cover this issue in our automation