RHV 4.2 - Failed to import provider certificate into the external provider keystore

Solution Verified - Updated

Environment

  • RHV 4.2
  • RHV 4.1

Issue

When running engine-setup after upgrading a RHV 4.1 installation to RHV 4.2, there is a keystore certificate error:

[ ERROR ] Failed to import provider certificate into the external provider keystore

...

          The following commands failed to execute.
          Please execute them manually as root:
             . /usr/share/ovirt-engine/bin/engine-prolog.sh
              export pass="${ENGINE_EXTERNAL_PROVIDERS_TRUST_STORE_PASSWORD}"
              keytool -import -alias ovirt-provider-ovn -keystore /var/lib/ovirt-engine/external_truststore -file /etc/pki/ovirt-engine/ca.pem -noprompt -storepass:env pass

Although the setup completes, the above commands need to be run manually to ensure the ovirt-provider-ovn certificate is imported into the keystore.

When running the above commands, an error may be seen:

# . /usr/share/ovirt-engine/bin/engine-prolog.sh
# export pass="${ENGINE_EXTERNAL_PROVIDERS_TRUST_STORE_PASSWORD}"
# keytool -import -alias ovirt-provider-ovn -keystore /var/lib/ovirt-engine/external_truststore -file /etc/pki/ovirt-engine/ca.pem -noprompt -storepass:env pass
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

This means that the trust store password is not correctly identified in the environment.

Resolution

The default trust keystore password is changeit. If you have modified it in any way, the configuration needs to be updated to reflect the correct password. If you are unsure what the password is, try mypass, which much of our documentation uses.

Edit the file:

# vi /etc/ovirt-engine/engine.conf.d/10-setup-pki.conf

Add this line (if using a custom password, change mypass to your password):

ENGINE_EXTERNAL_PROVIDERS_TRUST_STORE_PASSWORD="mypass"

Then try to run the manual instructions again, to confirm that the import is working properly:

# . /usr/share/ovirt-engine/bin/engine-prolog.sh
# export pass="${ENGINE_EXTERNAL_PROVIDERS_TRUST_STORE_PASSWORD}"
# keytool -import -alias ovirt-provider-ovn -keystore /var/lib/ovirt-engine/external_truststore -file /etc/pki/ovirt-engine/ca.pem -noprompt -storepass:env pass

If successful, you should see:

Certificate was added to keystore
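Rather than re-running the import until the "tampered with" error goes away, the following added script (not from this article or the RHV project) resolves the trust store password from the engine.conf.d files and then checks, read-only with keytool -list, whether that password actually opens the trust store. It assumes the last assignment in the lexically sorted *.conf files wins (mirroring how engine-prolog.sh sources them) and uses the keystore path from the article by default.

```shell
#!/bin/sh
# Added example: pre-flight check for the external provider trust store
# password before running the keytool import from the article.

# Resolve ENGINE_EXTERNAL_PROVIDERS_TRUST_STORE_PASSWORD from a conf directory.
# Assumption: files are read in sorted order and the last assignment wins;
# the default of "changeit" applies when no file sets it.
resolve_truststore_password() {
    conf_dir="$1"
    pass="changeit"
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue
        line=$(grep '^ENGINE_EXTERNAL_PROVIDERS_TRUST_STORE_PASSWORD=' "$f" | tail -n 1)
        [ -n "$line" ] || continue
        pass=${line#*=}                 # drop KEY=
        pass=${pass#\"}; pass=${pass%\"} # drop surrounding quotes, if any
    done
    printf '%s\n' "$pass"
}

# Read-only check: does the given password open the keystore?
# Prints ok | bad-password | missing | no-keytool and returns non-zero on failure.
# The store password is passed via the environment (-storepass:env), as in the
# article, so it never appears on the process command line.
check_truststore() {
    keystore="$1"
    export pass="$2"
    [ -f "$keystore" ] || { echo missing; return 1; }
    command -v keytool >/dev/null 2>&1 || { echo no-keytool; return 2; }
    if out=$(keytool -list -keystore "$keystore" -storepass:env pass 2>&1); then
        echo ok; return 0
    fi
    case "$out" in
        *"tampered with"*) echo bad-password; return 1 ;;
        *) printf '%s\n' "$out" >&2; return 1 ;;
    esac
}

# Usage: ./check-truststore.sh [conf_dir] [keystore]
if [ "$#" -ge 1 ]; then
    conf_dir=${1:-/etc/ovirt-engine/engine.conf.d}
    keystore=${2:-/var/lib/ovirt-engine/external_truststore}
    check_truststore "$keystore" "$(resolve_truststore_password "$conf_dir")"
fi
```

Only when the check prints ok is it worth running the keytool -import from the article; bad-password means 10-setup-pki.conf still needs the correct ENGINE_EXTERNAL_PROVIDERS_TRUST_STORE_PASSWORD.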

Root Cause

The trust keystore password differs from the default changeit and the configuration needs to be updated to reflect the correct password.
