Red Hat Bugzilla – Bug 809094
[vdsm][bootstrap] CA for vdsmcert.pem isn't downloaded from rhevm, symlink to vdsmcert.pem is used instead
Last modified: 2012-04-03 06:50:38 EDT
Created attachment 574503 [details]
Description of problem:
After host is added to rhevm setup and ssl is used, there is no CA for vdsmcert on host:
[root@srh-03 certs]# ll /etc/pki/vdsm/certs/
lrwxrwxrwx. 1 root root 32 Apr 2 14:48 cacert.pem -> /etc/pki/vdsm/certs/vdsmcert.pem
-r--r--r--. 1 vdsm kvm 3581 Apr 2 14:49 vdsmcert.pem
As a consequence libvirt cannot create socket with TLS. I think cacert.pem is supposed to be a CA for vdsmcert.pem cause when ca.crt is downloaded from rhevm and cacert is replaced with that, libvirt starts. This is reproducible only on RHEL 6.3, on 6.2 cacert.pem is correct.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Have rhel6.3 host
2. Add host to rhevm setup
Libvirt cannot create socket due to missing CA
CA is correctly downloaded from rhevm and libvirt starts
I don't know where the symlink comes from - I tried to catch links created by _linkOrPersist method but no symlink cacert.pem -> vdsmcert.pem was created there. Attaching bootstrap log.
For some time vdsm was creating a symlink (in vdsm-gencerts.sh) cacert.pem -> vdsmcert.pem. Since bc93adf (Use certtool to generate the certificates) it's not doing it anymore. Could you remove the link and try again with a newer vdsm version? Thanks.
vdsm-bootstrap-4.9.6-4.5.noarch fixes the issue. Closing.