dalo
Hot Shot

certificate issue while upgrade to 2.0.1


In our VIO environment I had to change the VC certificate a while ago. To make the VIO work again, I added the new certificate to /etc/ssl/certs/ca-certificates.crt on the controller* and compute* nodes. This works as expected.

Now I would upgrade to 2.0.1 and it seems that through this process the install routine replaces the /etc/ssl/certs/ca-certificates.crt files, so it stops with an error. I could work around this by adding the VC certificate at the right moment to /etc/ssl/certs/ca-certificates.crt (after it gets replaced).

It seems that a "viocli deployment configure" does the same replacement.

So my question is: Where on the management server are the certificates that the configure process pushes to the other nodes? I would fix this at the root level, so that I don't run into this problem again.

Thanks

Daniel


Accepted Solutions
dalo
Hot Shot

Hi Jun,

Thanks for pointing me in the right direction. I could now implement the new certificate in the custom.yml:

- convert the VC certificate: cat vc-cert.crt | base64 -w 0

- add this string to the /opt/vmware/vio/custom/custom.yml file: vcenter_certificate: ... (see VMware Integrated OpenStack 2.0.1 Release Notes)

- run "viocli deployment -v configure"

Regards,

Dan
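
An added example, not part of the original thread or of VIO: a shell check that the certificate encoded in custom.yml is the same one a node trusts, by comparing SHA-256 fingerprints. It assumes the vcenter_certificate value sits on one line as the base64 of the whole PEM file (the output of the base64 -w 0 step above) and that both files have been copied to one machine; the function names are hypothetical.

```shell
# Added example: detect a stale vCenter certificate by fingerprint.
# Assumed custom.yml layout: vcenter_certificate: <base64 of the PEM file>
# Example call, using the paths named in the thread:
#   vcenter_cert_in_sync /opt/vmware/vio/custom/custom.yml \
#       /usr/local/share/ca-certificates/vcenter.crt

# Print the SHA-256 of the DER bytes of the first certificate read on stdin.
# Fails when the input contains no certificate body, so two empty inputs
# can never be reported as a match.
pem_fingerprint() {
  local body
  body=$(awk '/-----BEGIN CERTIFICATE-----/ && !seen {on=1; next}
              /-----END CERTIFICATE-----/ {on=0; seen=1}
              on {print}' | tr -d ' \r\n')
  [ -n "$body" ] || return 1
  printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# Decode the vcenter_certificate value of a custom.yml back into PEM text.
# Commented-out keys are ignored; optional quotes around the value are dropped.
custom_yml_pem() {
  sed -n 's/^[[:space:]]*vcenter_certificate:[[:space:]]*//p' "$1" |
    head -n 1 | tr -d "\"' \r" | base64 -d
}

# Exit status: 0 = same certificate, 1 = different, 2 = one side unreadable.
vcenter_cert_in_sync() {
  local yml="$1" trusted="$2" want have
  want=$(custom_yml_pem "$yml" | pem_fingerprint) || return 2
  have=$(pem_fingerprint < "$trusted") || return 2
  echo "custom.yml : $want"
  echo "trust store: $have"
  [ "$want" = "$have" ]
}
```

A status of 1 after "viocli deployment -v configure" means the node still holds a different certificate than the one set in custom.yml.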

6 Replies
ericwbrown
VMware Employee

Hi Daniel,

Some questions:

1) Was this an upgrade from 2.0.0 to 2.0.1?  Or 1.0 to 2.0.1?

2) How was /etc/ssl/certs/ca-certificates.crt updated?  Directly?

VIO does not actually touch /etc/ssl/certs/ca-certificates.crt.  However, it will run the update-ca-certificates command which can overwrite additions to ca-certificates.crt if changes were made directly in that file.

- Eric

dalo
Hot Shot

Hi Eric,

Thank you for your reply.

1) This was only an upgrade from 2.0.0 to 2.0.1. But after I made the install of 2.0.0 a few months ago, I changed the VC certificate and then I added the new certificate to /etc/ssl/certs/ca-certificates.crt because the VIO components reported a certificate issue on startup.

2) The /etc/ssl/certs/ca-certificates.crt was not updated in the update process from 2.0.0 to 2.0.1. I added the certificate again manually.

So the question is, where and when does the update/install process get the certificate from the VC, and can I re-run this step manually?

Daniel

dalo
Hot Shot

It seems that this was a problem on the VC side. The cert downloaded on "https://[VC]/certs/download" doesn't match the cert displayed in the browser.

So I regenerated all the VC certificates and started VIO anew:

- shut down VIO

- shut down management app

- regenerate all VC certificates on "https://[VC]/psc"

- start the management server again

- start VIO

dalo
Hot Shot


Unfortunately, regenerating the certificates on the VC doesn't solve the VIO certificate issue.

If I do a "viocli deployment -v configure" the old VC certificates were used. And some services failed to start.

On the management VM I found the following command in /var/lib/vio/ansible/roles/config-controller/tasks/common.yml: "template: src=etc/ssl/certs/vcenter.crt dest=/usr/local/share/ca-certificates/vcenter.crt"

I checked the /usr/local/share/ca-certificates/vcenter.crt on the controller and this is the old, wrong certificate. But I could not find the source "/usr/local/share/ca-certificates/vcenter.crt"

Could someone explain to me where this old, wrong certificate comes from? I would replace this with the actual one and hope to clean this up.


Thanks Daniel

JunW
Enthusiast

Hi Dan,

You can find them on the management server at /var/lib/vio/jarvis/xxxxx-xxxxx-xxxx-xxxx/site-req-xxxxxxx-hosts.ini, related to vcenter_cert and nsxv_certificate. But some operations from the UI can still change the settings in hosts.ini. If you want to keep the settings from being changed by the UI, you may need to use the customizability feature. Please let us know if you want to do customization for these certs, so someone can help you with the procedure.

Regards,

Jun
