Bug 809094 - [vdsm][bootstrap] CA for vdsmcert.pem isn't downloaded from rhevm, symlink to vdsmcert.pem is used instead
[vdsm][bootstrap] CA for vdsmcert.pem isn't downloaded from rhevm, symlink to...
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: vdsm (Show other bugs)
x86_64 Linux
unspecified Severity urgent
: rc
: ---
Assigned To: Federico Simoncelli
Jakub Libosvar
: Regression
Depends On:
  Show dependency treegraph
Reported: 2012-04-02 09:19 EDT by Jakub Libosvar
Modified: 2012-04-03 06:50 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-04-03 06:50:38 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Bootstrap log (26.41 KB, text/x-log)
2012-04-02 09:19 EDT, Jakub Libosvar
no flags Details

  None (edit)
Description Jakub Libosvar 2012-04-02 09:19:26 EDT
Created attachment 574503 [details]
Bootstrap log

Description of problem:
After host is added to rhevm setup and ssl is used, there is no CA for vdsmcert on host:
[root@srh-03 certs]# ll /etc/pki/vdsm/certs/
total 4
lrwxrwxrwx. 1 root root   32 Apr  2 14:48 cacert.pem -> /etc/pki/vdsm/certs/vdsmcert.pem
-r--r--r--. 1 vdsm kvm  3581 Apr  2 14:49 vdsmcert.pem

As a consequence libvirt cannot create socket with TLS. I think cacert.pem is supposed to be a CA for vdsmcert.pem cause when ca.crt is downloaded from rhevm and cacert is replaced with that, libvirt starts. This is reproducible only on RHEL 6.3, on 6.2 cacert.pem is correct.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Have rhel6.3 host
2. Add host to rhevm setup
Actual results:
Libvirt cannot create socket due to missing CA

Expected results:
CA is correctly downloaded from rhevm and libvirt starts

Additional info:
I don't know where the symlink comes from - I tried to catch links created by _linkOrPersist method but no symlink cacert.pem -> vdsmcert.pem was created there. Attaching bootstrap log.
Comment 3 Federico Simoncelli 2012-04-03 06:17:58 EDT
For some time vdsm was creating a symlink (in vdsm-gencerts.sh) cacert.pem -> vdsmcert.pem. Since bc93adf (Use certtool to generate the certificates) it's not doing it anymore. Could you remove the link and try again with a newer vdsm version? Thanks.
Comment 4 Jakub Libosvar 2012-04-03 06:50:38 EDT
vdsm-bootstrap-4.9.6-4.5.noarch fixes the issue. Closing.

Note You need to log in before you can comment on or make changes to this bug.