Bug 2107250 - Upgrade of the host failed as the RHV 4.3 hypervisor is based on RHEL 7 with openssl 1.0.z, but RHV Manager 4.4 uses the openssl 1.1.z syntax
Summary: Upgrade of the host failed as the RHV 4.3 hypervisor is based on RHEL 7 with ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.5.0
Hardware: Unspecified
OS: Linux
high
medium
Target Milestone: ovirt-4.5.2
Assignee: Dana
QA Contact: Pavol Brilla
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-07-14 15:08 UTC by Divya Shah
Modified: 2022-09-08 11:29 UTC

Fixed In Version: ovirt-engine-4.5.2.1
Doc Type: Enhancement
Doc Text:
With this release, the process to check certificate validity is now compatible with both RHEL 8 and RHEL 7 based hypervisors.
Clone Of:
Environment:
Last Closed: 2022-09-08 11:28:53 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github oVirt ovirt-engine pull 567 0 None open update variables to make host upgrade work with rhel7 2022-08-02 13:55:43 UTC
Red Hat Issue Tracker RHV-47692 0 None None None 2022-07-15 07:45:19 UTC
Red Hat Knowledge Base (Solution) 6967786 0 None None None 2022-07-14 18:33:31 UTC
Red Hat Product Errata RHSA-2022:6393 0 None None None 2022-09-08 11:29:26 UTC

Description Divya Shah 2022-07-14 15:08:10 UTC
Description of problem:
Upgrade of the host failed as the RHV 4.3 host uses the openssl syntax from RHV 4.4/4.5 manager.

Version-Release number of selected component (if applicable): 4.5.0.7

How reproducible: 100%

Steps to Reproduce:
1. On RHV 4.5 Manager and a 4.3 host 
2. Upgrade the RHV 4.3 host to the latest minor version.

Actual results:
Host upgrade failed

Expected results:
Host upgrade must be successful. 

Additional info:

When trying to upgrade the RHV 4.3 host it uses the openssl syntax from RHV 4.4/4.5 manager.

There are differences in the openssl packages between 4.3 and 4.4/4.5 hosts:
in RHV-H 4.3, we use openssl-1.0.2k-21.el7_9.x86_64
in RHV-H  4.4, we use openssl-1.1.1k-5.el8_5.x86_64

~~~
playbook tries to run this:
          "_raw_params" : "openssl x509 -noout -ext subjectAltName -in \"/etc/pki/vdsm/certs/vdsmcert.pem\"",

but it gets:

    "stderr" : "unknown option -ext\nusage: x509 args\n -inform arg    
~~~

Checking in the lab.. on a RHV-H 4.3 host we get the same error:
~~~
[root@rhevh-24 ~]# openssl x509 -noout -ext subjectAltName -in /etc/pki/vdsm/certs/vdsmcert.pem
unknown option -ext
~~~

However on a RHV-H 4.4 host it works:
~~~
[root@amashah-rhvh8-h1 ~]# openssl x509 -noout -ext subjectAltName -in /etc/pki/vdsm/certs/vdsmcert.pem
X509v3 Subject Alternative Name: 
    DNS:amashah-rhvh8-h1.rhev.gsslab.rdu.redhat.com
~~~


We get the below error message:
~~~
2022-07-07 22:02:44 CEST - TASK [Get host certificate info] ***********************************************
2022-07-07 22:02:50 CEST - {
  "uuid" : "70484ef4-fe7f-466d-8155-b0436f0dac95",
  "counter" : 29,
  "stdout" : "fatal: [ip]: FAILED! => {\"changed\": true, \"cmd\": [\"openssl\", \"x509\", \"-noout\", \"-ext\", \"subjectAltName\", \"-in\", \"/etc/pki/vdsm/certs/vdsmcert.pem\"], \"delta\": \"0:00:00.0
40638\", \"end\": \"2022-07-07 22:02:47.266457\", \"msg\": \"non-zero return code\", \"rc\": 1, \"start\": \"2022-07-07 22:02:47.225819\", \"stderr\": \"unknown option -ext\\nusage: x509 args\\n -inform arg     
- input format - default PEM (one of DER, NET or PEM)\\n -outform arg    - output format - default PEM (one of DER, NET or PEM)\\n -keyform arg    - private key format - default PEM\\n -CAform arg     - CA forma
t - default PEM\\n -CAkeyform arg  - CA key format - default PEM\\n -in arg         - input file - default stdin\\n -out arg        - output file - default stdout\\n -passin arg     - private key password source
\\n -serial         - print serial number value\\n -subject_hash   - print subject hash value\\n -subject_hash_old   - print old-style (MD5) subject hash value\\n -issuer_hash    - print issuer hash value\\n -is
suer_hash_old    - print old-style (MD5) issuer hash value\\n -hash           - synonym for -subject_hash\\n -subject        - print subject DN\\n -issuer         - print issuer DN\\n -email          - print ema
il address(es)\\n -startdate      - notBefore field\\n -enddate        - notAfter field\\n -purpose        - print out certificate purposes\\n -dates          - both Before and After dates\\n -modulus        - p
rint the RSA key modulus\\n -pubkey         - output the public key\\n -fingerprint    - print the certificate fingerprint\\n -alias          - output certificate alias\\n -noout          - no certificate output
\\n -ocspid         - print OCSP hash values for the subject name and public key\\n -ocsp_uri       - print OCSP Responder URL(s)\\n -trustout       - output a \\\"trusted\\\" certificate\\n -clrtrust       - cl
ear all trusted purposes\\n -clrreject      - clear all rejected purposes\\n -addtrust arg   - trust certificate for a given purpose\\n -addreject arg  - reject certificate for a given purpose\\n -setalias arg  
 - set certificate alias\\n -days arg       - How long till expiry of a signed certificate - def 30 days\\n -checkend arg   - check whether the cert expires in the next arg seconds\\n                   exit 1 if
 so, 0 if not\\n -signkey arg    - self sign cert with arg\\n -x509toreq      - output a certification request object\\n -req            - input is a certificate request, sign and output.\\n -CA arg         - se
t the CA certificate, must be PEM format.\\n -CAkey arg      - set the CA key, must be PEM format\\n                   missing, it is assumed to be in the CA file.\\n -CAcreateserial - create serial number file 
if it does not exist\\n -CAserial arg   - serial file\\n -set_serial     - serial number to use\\n -text           - print the certificate in text form\\n -C              - print out C code forms\\n -<dgst>     
    - digest to use, see openssl dgst -h output for list\\n -extfile        - configuration file with X509V3 extensions to add\\n -extensions     - section from config file with X509V3 extensions to add\\n -clre
xt         - delete extensions before signing and input certificate\\n -nameopt arg    - various certificate name options\\n -engine e       - use engine e, possibly a hardware device.\\n -certopt arg    - vario
us certificate text options\\n -checkhost host - check certificate matches \\\"host\\\"\\n -checkemail email - check certificate matches \\\"email\\\"\\n -checkip ipaddr - check certificate matches \\\"ipaddr\\\
"\", \"stderr_lines\": [\"unknown option -ext\", \"usage: x509 args\", \" -inform arg     - input format - default PEM (one of DER, NET or PEM)\", \" -outform arg    - output format - default PEM (one of DER, NE
T or PEM)\", \" -keyform arg    - private key format - default PEM\", \" -CAform arg     - CA format - default PEM\", \" -CAkeyform arg  - CA key format - default PEM\", \" -in arg         - input file - default
 stdin\", \" -out arg        - output file - default stdout\", \" -passin arg     - private key password source\", \" -serial         - print serial number value\", \" -subject_hash   - print subject hash value\
", \" -subject_hash_old   - print old-style (MD5) subject hash value\", \" -issuer_hash    - print issuer hash value\", \" -issuer_hash_old    - print old-style (MD5) issuer hash value\", \" -hash           - sy
nonym for -subject_hash\", \" -subject        - print subject DN\", \" -issuer         - print issuer DN\", \" -email          - print email address(es)\", \" -startdate      - notBefore field\", \" -enddate    
    - notAfter field\", \" -purpose        - print out certificate purposes\", \" -dates          - both Before and After dates\", \" -modulus        - print the RSA key modulus\", \" -pubkey         - output th
e public key\", \" -fingerprint    - print the certificate fingerprint\", \" -alias          - output certificate alias\", \" -noout          - no certificate output\", \" -ocspid         - print OCSP hash value
s for the subject name and public key\", \" -ocsp_uri       - print OCSP Responder URL(s)\", \" -trustout       - output a \\\"trusted\\\" certificate\", \" -clrtrust       - clear all trusted purposes\", \" -cl
rreject      - clear all rejected purposes\", \" -addtrust arg   - trust certificate for a given purpose\", \" -addreject arg  - reject certificate for a given purpose\", \" -setalias arg   - set certificate ali
as\", \" -days arg       - How long till expiry of a signed certificate - def 30 days\", \" -checkend arg   - check whether the cert expires in the next arg seconds\", \"                   exit 1 if so, 0 if not
\", \" -signkey arg    - self sign cert with arg\", \" -x509toreq      - output a certification request object\", \" -req            - input is a certificate request, sign and output.\", \" -CA arg         - set
 the CA certificate, must be PEM format.\", \" -CAkey arg      - set the CA key, must be PEM format\", \"                   missing, it is assumed to be in the CA file.\", \" -CAcreateserial - create serial numb
er file if it does not exist\", \" -CAserial arg   - serial file\", \" -set_serial     - serial number to use\", \" -text           - print the certificate in text form\", \" -C              - print out C code f
orms\", \" -<dgst>         - digest to use, see openssl dgst -h output for list\", \" -extfile        - configuration file with X509V3 extensions to add\", \" -extensions     - section from config file with X509
V3 extensions to add\", \" -clrext         - delete extensions before signing and input certificate\", \" -nameopt arg    - various certificate name options\", \" -engine e       - use engine e, possibly a hardw
are device.\", \" -certopt arg    - various certificate text options\", \" -checkhost host - check certificate matches \\\"host\\\"\", \" -checkemail email - check certificate matches \\\"email\\\"\", \" -checki
p ipaddr - check certificate matches \\\"ipaddr\\\"\"], \"stdout\": \"\", \"stdout_lines\": []}",
  "start_line" : 30,
  "end_line" : 31,
  "runner_ident" : "f7f9db05-9a23-4c8b-88f9-d4b503173a50",
  "event" : "runner_on_failed",
~~~

~~~
sosreport-virt-mngr-2022-07-08-bjgpige]$ cat installed-rpms | grep rhv
rhvm-4.5.0.7-0.9.el8ev.noarch                               Mon Jun 13 20:41:57 2022
~~~

~~~
cat os-release 
NAME="Red Hat Enterprise Linux"
VERSION="7.8"
VERSION_ID="7.8"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Red Hat Virtualization Host"
VARIANT_ID="ovirt-node"
PRETTY_NAME="Red Hat Virtualization Host 4.3.9 (el7.8)"
~~~

~~~
 vds_name  | cluster_name | cluster_compatibility_version 
-----------+--------------+-------------------------------
 xyz       | abc          | 4.3
~~~
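The root cause above is that `x509 -ext` is an OpenSSL 1.1.x option, so a check written for the RHEL 8 manager breaks on an RHEL 7 host. The script below is an added example written for this report, not code from the bug, from ovirt-engine or from pull 567 (whose actual change, "update variables", may take a different route); the function names are this example's own. It reads the Subject Alternative Name by trying the 1.1.x syntax and falling back to `x509 -text`, which both releases understand, and checks remaining validity with `x509 -checkend`, which the 1.0.2 usage text in the failing task shows is present there too.

```shell
#!/bin/sh
# Added example (not code from the bug report or from ovirt-engine): read a
# certificate's Subject Alternative Name and remaining validity with openssl
# invocations that work on both OpenSSL 1.0.2 (RHEL 7 / RHV-H 4.3) and
# OpenSSL 1.1.1 (RHEL 8 / RHV-H 4.4). Function names are this example's own.

# Print the SAN values (e.g. "DNS:host.example") of a PEM certificate.
# "x509 -ext" exists only in 1.1.x, so it is tried first with stderr silenced
# (1.0.2 answers "unknown option -ext" followed by its full usage text, as in
# the failed task above); "x509 -text", understood by every release, is the
# fallback.
cert_san() {
    cert=$1
    out=$(openssl x509 -noout -ext subjectAltName -in "$cert" 2>/dev/null) \
        || out=$(openssl x509 -noout -text -in "$cert") \
        || return 1
    # Both output forms put the SAN values on the line after the header.
    printf '%s\n' "$out" \
        | awk '/Subject Alternative Name/ { getline; sub(/^[[:space:]]+/, ""); print; exit }'
}

# Return 0 if the certificate is still valid for the next $2 seconds, 1 if it
# expires sooner. "x509 -checkend" is listed in the 1.0.2 usage text the
# failing task printed and also exists in 1.1.1, so no fallback is needed.
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# Usage on a host, with the vdsm certificate path from the bug and 30 days
# expressed in seconds:
#   cert_san /etc/pki/vdsm/certs/vdsmcert.pem
#   cert_valid_for /etc/pki/vdsm/certs/vdsmcert.pem 2592000 && echo "valid for 30 days"
```

Silencing stderr on the first attempt matters in an Ansible task: the 1.0.2 failure otherwise floods the job log with the entire `x509` usage text, as seen in the output above, while the fallback gives the same answer on both host generations.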

Comment 4 Pavol Brilla 2022-08-11 11:03:05 UTC
Old RHEL 7.9 - 4.3 host in 4.5.2 engine - upgrade:

2022-08-11 13:01:35 IDT - TASK [Get host certificate info] ***********************************************
2022-08-11 13:01:35 IDT - { output of command without any FAIL }

Version RHV 4.4 SP1 [ovirt-engine-4.5.2.1-0.1.el8ev]

Comment 8 errata-xmlrpc 2022-09-08 11:28:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: RHV Manager (ovirt-engine) [ovirt-4.5.2] bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:6393

