Description of problem: "Enroll Certificate" operation not updating libvirt-vnc cert and key Version-Release number of selected component (if applicable): rhvm-4.4.9.5 How reproducible: Always Steps to Reproduce: 1. Do "Enroll Certificate" from RHV Manager GUI and check validity of certs 2. Check certs validity on Host # openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -noout -dates # openssl x509 -in /etc/pki/vdsm/libvirt-spice/server-cert.pem -noout -dates # openssl x509 -in /etc/pki/libvirt/clientcert.pem -noout -dates -- Only VNC server certs not updated # openssl x509 -in /etc/pki/vdsm/libvirt-vnc/server-cert.pem -noout -dates Actual results: libvirt-vnc/server-cert.pem not getting updated Expected results: libvirt-vnc/server-cert.pem should get updated like other certs Additional info: After enrolling certs also we might end up with following error as vnc certs not getting updated. Exit message: internal error: process exited while connecting to monitor: 2022-02-17T10:38:49.781518Z qemu-kvm: -object tls-creds-x509,id=vnc-tls-creds0,dir=/etc/pki/vdsm/libvirt-vnc,endpoint=server,verify-peer=no: The server certificate /etc/pki/vdsm/libvirt-vnc/server-cert.pem has expired.
Hi, We are affected by this bug as our libvirt-vnc certificate has expired. We can no longer start/migrate VM's on these hosts. Are there any instructions on how to manually update these certificates until this issue is resolved? Regards, Rik
Rik, If only vnc certs affected. Following steps should help Please run following command to on Host to renew VNC certs. # TIMESTAMP=$(date +%Y%m%d%H%M%S) # mv -v /etc/pki/vdsm/libvirt-vnc/server-cert.pem etc/pki/vdsm/libvirt-vnc/server-cert.pem.$TIMESTAMP # mv -v /etc/pki/vdsm/libvirt-vnc/server-key.pem etc/pki/vdsm/libvirt-vnc/server-key.pem.$TIMESTAMP # cp -v /etc/pki/vdsm/libvirt-spice/server-cert.pem /etc/pki/vdsm/libvirt-vnc/server-cert.pem # cp -v /etc/pki/vdsm/libvirt-spice/server-key.pem /etc/pki/vdsm/libvirt-vnc/server-key.pem
Hi, (In reply to nsurati from comment #3) > > If only vnc certs affected. Following steps should help > I used this workaround (using a symlink instead of copying the file) to make sure I can start/migrate VM's again, but it seems the VNC console no longer works. Which is strange as I don't see any specific settings in the original cert and they seem signed by the same CA, so I'm not sure if this problem existed before. Regards, Rik
(In reply to Rik Theys from comment #4) > Hi, > > (In reply to nsurati from comment #3) > > > > If only vnc certs affected. Following steps should help > > > > I used this workaround (using a symlink instead of copying the file) to make > sure I can start/migrate VM's again, but it seems the VNC console no longer > works. > > Which is strange as I don't see any specific settings in the original cert > and they seem signed by the same CA, so I'm not sure if this problem existed > before. > > Regards, > Rik You can try couple of things to conclude. - Restart vdsmd and libvirtd service ( Note: Power Management Host should be disable while restarting ) - shutdown and then start the VM. OR just try to create new VM and take console.
Verified on Software Version:4.5.0.5-0.7.el8ev Enroll Certificate updated also server-cert.pem on host machine
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:4711
Due to QE capacity, we are not going to cover this issue in our automation