RHEV-M upgrade asks to renew certificate. What does it mean?


Environment

Red Hat Enterprise Virtualization (RHEV) 3.5.4 and later

Issue

When engine-setup is started, it asks to renew the certificate authority (CA). What does it mean and what are the consequences?

  • RHEV-M 3.5.4 - 4.1.3

    One or more of the certificates should be renewed, because they expire soon or include an invalid expiry date, which is rejected by recent browsers.

  • RHEV-M 4.1.4 and later

    One or more of the certificates should be renewed, because they expire soon, or include an invalid expiry date, or do not include the subjectAltName extension, which can cause them to be rejected by recent browsers.


Resolution

RHV Manager side certificates:

Engine-setup now checks whether the relevant engine certificates (including the internal CA certificate and those signed by it) are about to expire, or already have. If so, it prompts the user asking whether to renew them. If the reply is 'yes', they are renewed. Otherwise nothing is changed, and the next invocation of engine-setup will ask again.

The renewal process requires a short downtime for the webadmin portal, user portal and reports, as these services are stopped during the process. Client browsers may also require removal of the old CA certificate and acceptance of the new CA certificate. Please keep in mind that the old CA certificate has to be removed from the browser first, as some browsers will silently reject the new certificate if the old one is still present.

The new CA certificate which is located at /etc/pki/ovirt-engine/ca.pem should be distributed to all remote components that require PKI trust.

Host side certificate:

PKI renewal on the engine should not affect communication with the hosts, except in one specific scenario, described in:
Skip the PKI renewal process during engine-setup makes RHV host non-responsive
In this case, the affected hosts need to be re-registered* to renew their certificates for communication with the manager.

* Re-registering a host means removing it from the manager and adding it again. There is no need to reinstall the host. When the host is added, i.e. registered to the manager, it exchanges certificates with the manager and thereby updates its existing certificates.

Root Cause

Due to a certificate incompatibility issue with RFC 2459 (Bug 1210486) and the potential for certificate expiration (Bug 1214860), present since the first release, the CA, Engine, Apache and Websocket proxy certificates may be renewed during upgrade. Since RHV-M 4.1.4, this message is also displayed because of a missing subjectAltName within the certificates (Bug 1450293).


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.