Bug 2066084 - vmconsole-proxy-user certificate expired - cannot access serial console
Summary: vmconsole-proxy-user certificate expired - cannot access serial console
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.4.9
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ovirt-4.5.0-1
: 4.5.0
Assignee: Milan Zamazal
QA Contact: Qin Yuan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-03-20 15:32 UTC by nsurati
Modified: 2022-08-18 10:16 UTC (History)
8 users (show)

Fixed In Version: ovirt-engine-4.5.0.7
Doc Type: Bug Fix
Doc Text:
Previously, the vmconsole-proxy-user and vmconsole-proxy-host certificates were not renewed when needed. With this release, the certificates are now renewed when executing engine-setup.
Clone Of:
Environment:
Last Closed: 2022-05-26 16:23:55 UTC
oVirt Team: Virt
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github oVirt ovirt-engine pull 339 0 None open certificates: Make sure vmconsole ssh keys are refreshed if needed 2022-05-06 11:28:29 UTC
Github oVirt ovirt-engine pull 347 0 None open Backport CA and certificate fixes to 4.5.0.z 2022-05-09 14:11:21 UTC
Red Hat Issue Tracker RHV-45364 0 None None None 2022-03-20 15:32:46 UTC
Red Hat Knowledge Base (Solution) 6838231 0 None None None 2022-03-23 17:23:50 UTC
Red Hat Product Errata RHSA-2022:4711 0 None None None 2022-05-26 16:24:06 UTC

Description nsurati 2022-03-20 15:32:29 UTC 
Description of problem:

No automatic renew of vmconsole-proxy-user or vmconsole-proxy-host certs on RHV Manager machine

Version-Release number of selected component (if applicable):

RHV 4.x

How reproducible:

Always

Steps to Reproduce:

1. Run # engine-setup --offline

2. Check certs on RHV Manager machine 

# cd /etc/pki/ovirt-vmconsole/ 

# ssh-keygen -L -f vmconsole-proxy-user-cert.pub

# ssh-keygen -L -f proxy-ssh_host_rsa-cert.pub 

Actual results:

Certs not getting renew

Expected results:

All Certs should get renew while running # engine-setup --offline

Additional info:

Helper certs also not updating refer: https://bugzilla.redhat.com/show_bug.cgi?id=1988496
Comment 2 Arik 2022-03-21 12:25:17 UTC 
Most probably a duplicate of bz 1988496
Comment 7 Qin Yuan 2022-04-22 02:58:57 UTC 
The current fix only renews vmconsole cert when the engine CA cert is newer than the vmconsole cert.

Moving back to assigned for also renewing vmconsole cert when engine CA cert has longer expiration than vmconsole cert and the vmconsole cert has expired.
Comment 8 Milan Zamazal 2022-04-22 10:15:17 UTC 
This is different from Bug 1988496, because the problem here is that other certificates, such as vmconsole-proxy-user-cert.pub and proxy-ssh_host_rsa-cert.pub, are not checked and renewed.
Comment 9 Arik 2022-04-24 12:39:15 UTC 
(In reply to Milan Zamazal from comment #8)
> This is different from Bug 1988496, because the problem here is that other
> certificates, such as vmconsole-proxy-user-cert.pub and
> proxy-ssh_host_rsa-cert.pub, are not checked and renewed.

Ack, you're right, so moving to 4.5.1
Comment 14 Qin Yuan 2022-05-11 12:43:46 UTC 
Verified with:
ovirt-engine-4.5.0.7-0.9.el8ev.noarch

Steps:
1. Update engine CA cert to make it newer than vmconsole-proxy-user cert, run `engine-setup --offline`, check if all vmconsole-proxy-host/user certs and proxy-ssh_host/user certs are renewed.

2. Update system time to make vmconsole-proxy-user cert expire, but engine CA cert not expire, run `engine-setup --offline`, check if all vmconsole-proxy-host/user certs and proxy-ssh_host/user certs are renewed.

Results:
1. All vmconsole-proxy-host/user certs and proxy-ssh_host/user certs are renewed during engine-setup when engine CA cert is updated.
2. All vmconsole-proxy-host/user certs and proxy-ssh_host/user certs are renewed during engine-setup when vmconsole-proxy-user cert is expired.
Comment 19 errata-xmlrpc 2022-05-26 16:23:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4711
Note You need to log in before you can comment on or make changes to this bug.