Red Hat Bugzilla – Bug 809094
[vdsm][bootstrap] CA for vdsmcert.pem isn't downloaded from rhevm, symlink to vdsmcert.pem is used instead
Last modified: 2012-04-03 06:50:38 EDT
Created attachment 574503 [details] Bootstrap log Description of problem: After host is added to rhevm setup and ssl is used, there is no CA for vdsmcert on host: [root@srh-03 certs]# ll /etc/pki/vdsm/certs/ total 4 lrwxrwxrwx. 1 root root 32 Apr 2 14:48 cacert.pem -> /etc/pki/vdsm/certs/vdsmcert.pem -r--r--r--. 1 vdsm kvm 3581 Apr 2 14:49 vdsmcert.pem As a consequence libvirt cannot create socket with TLS. I think cacert.pem is supposed to be a CA for vdsmcert.pem cause when ca.crt is downloaded from rhevm and cacert is replaced with that, libvirt starts. This is reproducible only on RHEL 6.3, on 6.2 cacert.pem is correct. Version-Release number of selected component (if applicable): ovirt-engine-3.1.0_0001-3.el6.x86_64 vdsm-4.9.6-4.5.x86_64 How reproducible: Always Steps to Reproduce: 1. Have rhel6.3 host 2. Add host to rhevm setup Actual results: Libvirt cannot create socket due to missing CA Expected results: CA is correctly downloaded from rhevm and libvirt starts Additional info: I don't know where the symlink comes from - I tried to catch links created by _linkOrPersist method but no symlink cacert.pem -> vdsmcert.pem was created there. Attaching bootstrap log.
For some time vdsm was creating a symlink (in vdsm-gencerts.sh) cacert.pem -> vdsmcert.pem. Since bc93adf (Use certtool to generate the certificates) it's not doing it anymore. Could you remove the link and try again with a newer vdsm version? Thanks.
vdsm-bootstrap-4.9.6-4.5.noarch fixes the issue. Closing.