
Bug 1034634

Summary: missing certificates generation cause virsh and spice connection to fail
Product: Red Hat Enterprise Virtualization Manager
Reporter: Sandro Bonazzola <sbonazzo>
Component: ovirt-hosted-engine-setup
Assignee: Yedidyah Bar David <didi>
Status: CLOSED ERRATA
QA Contact: movciari
Severity: high
Docs Contact:
Priority: high
Version: 3.3.0
CC: adingman, dfediuck, didi, dkline, iheim, jbelka, josh, michele, mkalinin, oschreib, pablo.iranzo, pstehlik, rhodain, sbonazzo, scohen, thunt, tpoitras, vfarias
Target Milestone: ---
Keywords: Triaged, ZStream
Target Release: 3.4.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: integration
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, certificate authority certificates were not generated for libvirt. This resulted in a failure to connect to the engine virtual machine using virsh or SPICE during the hosted-engine deployment. Now, the necessary certificates are generated before libvirt is configured for VDSM and users can connect to the engine virtual machine using virsh or SPICE.
Story Points: ---
Clone Of:
: 1073446
Environment:
Last Closed: 2014-06-09 14:47:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:
Bug Blocks: 1063576, 1073446, 1078909, 1142926

Description Sandro Bonazzola 2013-11-26 09:06:57 UTC
On a clean system install, trying to use a virsh connection to access the shell for installing the OS inside the Self Hosted Engine VM leads to:
 # virsh -c qemu+tls:///Test/system console HostedEngine
 error: Cannot read CA certificate '/etc/pki/CA/cacert.pem': No such file or directory
 error: failed to connect to the hypervisor

The '/etc/pki/CA/cacert.pem' is created later, when the host is added to the manager by ovirt-host-deploy.

We need to provide /etc/pki/CA/cacert.pem before OS installation to allow virsh to connect to the hypervisor.

Comment 1 Sandro Bonazzola 2013-11-26 09:13:38 UTC
Workaround: http://libvirt.org/remote.html#Remote_TLS_CA

Comment 3 Sandro Bonazzola 2013-12-09 16:19:58 UTC
*** Bug 1034679 has been marked as a duplicate of this bug. ***

Comment 4 Sandro Bonazzola 2013-12-09 16:21:26 UTC
Also, server and client certificates are missing, causing libvirt not to listen on the qemu+tls port.

Comment 5 Sandro Bonazzola 2013-12-10 14:12:39 UTC
*** Bug 1035395 has been marked as a duplicate of this bug. ***

Comment 6 Sandro Bonazzola 2013-12-10 14:14:16 UTC
Also, /etc/pki/libvirt-spice certificates are generated by ovirt-host-deploy at a later stage, so when creating cacert.pem, hosted-engine --deploy needs to take care of these too.

Comment 10 Sandro Bonazzola 2014-01-27 10:05:28 UTC
*** Bug 1056649 has been marked as a duplicate of this bug. ***

Comment 11 Sandro Bonazzola 2014-01-31 13:08:59 UTC
As a workaround, perform an all-in-one setup, then execute cleanup and deploy hosted-engine, or use a VNC connection.

Comment 12 Sandro Bonazzola 2014-01-31 13:09:39 UTC
*** Bug 1058936 has been marked as a duplicate of this bug. ***

Comment 13 Sandro Bonazzola 2014-02-11 08:58:03 UTC
*** Bug 1063576 has been marked as a duplicate of this bug. ***

Comment 15 Yedidyah Bar David 2014-03-10 06:34:06 UTC
*** Bug 1067683 has been marked as a duplicate of this bug. ***

Comment 17 Yedidyah Bar David 2014-03-12 14:47:40 UTC
Moving back to assigned as /etc/pki/libvirt might not exist.
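
A preflight check for the condition this bug describes, as an added example that is not part of the bug report or of ovirt-hosted-engine-setup: it reports which of the TLS files that virsh (qemu+tls) and SPICE rely on are absent, including the case from comment 17 where the directory itself does not exist, and flags world-readable private keys. The file names under /etc/pki/libvirt and /etc/pki/libvirt-spice are the libvirt and QEMU default names, assumed here; check_libvirt_pki and its root argument are hypothetical.

```shell
#!/bin/sh
# Added example: preflight check for the TLS files libvirt and SPICE need.
# Paths are the libvirt/QEMU default locations (assumption, not from the bug).
LIBVIRT_TLS_FILES="
etc/pki/CA/cacert.pem
etc/pki/libvirt/servercert.pem
etc/pki/libvirt/private/serverkey.pem
etc/pki/libvirt/clientcert.pem
etc/pki/libvirt/private/clientkey.pem
etc/pki/libvirt-spice/ca-cert.pem
etc/pki/libvirt-spice/server-cert.pem
etc/pki/libvirt-spice/server-key.pem
"

# check_libvirt_pki [ROOT]
# ROOT is a hypothetical prefix (default /) so a staging tree can be checked.
# Prints one line per problem and returns 0 only when nothing was reported.
# The body runs in a subshell so its variables do not leak into the caller.
check_libvirt_pki() (
    root="${1:-/}"
    problems=0
    for rel in $LIBVIRT_TLS_FILES; do
        path="${root%/}/$rel"
        dir="$(dirname "$path")"
        if [ ! -d "$dir" ]; then
            # The case from comment 17: the directory was never created.
            echo "MISSING_DIR $dir"
            problems=$((problems + 1))
        elif [ ! -s "$path" ]; then
            echo "MISSING_FILE $path"
            problems=$((problems + 1))
        else
            case "$rel" in
                *key.pem)
                    # Private keys must not be readable by "other".
                    if [ -n "$(find "$path" -perm -004 2>/dev/null)" ]; then
                        echo "WORLD_READABLE_KEY $path"
                        problems=$((problems + 1))
                    fi ;;
            esac
        fi
    done
    [ "$problems" -eq 0 ]
)
```

Calling `check_libvirt_pki` with no argument checks the live system; a non-zero status before the VM console step corresponds to the virsh failure quoted in the description.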

Comment 19 errata-xmlrpc 2014-06-09 14:47:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0505.html