The hosted-engine deploy (restore-from-file) fails with error "Cannot authenticate user 'None@N/A': No valid profile found in credentials"

Solution Verified - Updated

Environment

  • Red Hat Virtualization 4.2
  • Red Hat Virtualization 4.3
  • Red Hat Virtualization 4.4

Issue

  • The hosted-engine deploy (restore-from-file) fails with the error below.
[ ERROR ] AuthError: Error during SSO authentication access_denied : Cannot authenticate user 'None@N/A': No valid profile found in credentials..
[ ERROR ] fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error during SSO authentication access_denied : Cannot authenticate user 'None@N/A': No valid profile found in credentials.."}

Resolution

  • As a workaround, use the hook below, which updates the host-wide trust store after engine-setup.
  • The hook path:
    - For 4.2 /usr/share/ovirt-hosted-engine-setup/ansible/hooks/enginevm_after_engine_setup/
    - For 4.3 /usr/share/ansible/roles/ovirt.hosted_engine_setup/hooks/enginevm_after_engine_setup/
    - For 4.4 /usr/share/ansible/collections/ansible_collections/redhat/rhv/roles/hosted_engine_setup/hooks/enginevm_after_engine_setup/
  • Create the file fix_certificate.yml in the hook directory with the following content:
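# Copy the engine's Apache CA into the system trust anchors (source file is already on the target, hence remote_src).
- name: copy the certificate
  copy:
    remote_src: True
    src: /etc/pki/ovirt-engine/apache-ca.pem
    dest: /etc/pki/ca-trust/source/anchors/apache-ca.pem

# Regenerate the system-wide trust store so the new anchor is picked up.
- name: update the trust store
  command: update-ca-trust

# Restart the engine after the trust store has been updated.
- name: restart the engine service
  service:
    name: ovirt-engine
    state: restarted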
  • To fix this in future backups, follow steps 15 and 16 of the procedure for replacing the Apache CA certificate. Create the file /etc/ovirt-engine-backup/engine-backup-config.d/update-system-wide-pki.sh with the following content:
BACKUP_PATHS="${BACKUP_PATHS}
/etc/ovirt-engine-backup"
cp -f /etc/pki/ovirt-engine/apache-ca.pem /etc/pki/ca-trust/source/anchors/3rd-party-ca-cert.pem
update-ca-trust
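
To confirm that the hook or the backup script above actually placed the CA in the system trust store, the following check compares each certificate in apache-ca.pem against the bundle that update-ca-trust regenerates. It is an added example, not part of the original solution or Red Hat's code; the function names pem_bodies and ca_in_bundle are hypothetical, and the bundle path /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem is assumed to be the RHEL default.

```shell
#!/bin/sh
# Added example (not Red Hat's code). Helper names are hypothetical.

# Print one line per certificate in a PEM file: its base64 body with line
# breaks and whitespace removed, so re-wrapped copies still compare equal.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# ca_in_bundle CA_FILE BUNDLE_FILE
#   0 = every certificate in CA_FILE is present in BUNDLE_FILE
#   1 = at least one certificate is missing from the bundle
#   2 = a file is unreadable, or CA_FILE holds no certificate
ca_in_bundle() {
    ca_file=$1
    bundle=$2
    [ -r "$ca_file" ] && [ -r "$bundle" ] || return 2
    wanted=$(pem_bodies "$ca_file")
    [ -n "$wanted" ] || return 2
    have=$(pem_bodies "$bundle")
    # base64 bodies contain no whitespace or glob characters, so word
    # splitting yields exactly one item per certificate.
    for body in $wanted; do
        printf '%s\n' "$have" | grep -xF -- "$body" >/dev/null || return 1
    done
    return 0
}

# The CA path is the one used on this page; the bundle path is the file
# update-ca-trust regenerates (assumed RHEL default location).
CA=/etc/pki/ovirt-engine/apache-ca.pem
BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
if [ -e "$CA" ]; then
    if ca_in_bundle "$CA" "$BUNDLE"; then
        echo "OK: $CA is in the system trust bundle"
    else
        echo "MISSING: $CA is not in $BUNDLE" >&2
    fi
fi
```

The check does nothing on a machine without /etc/pki/ovirt-engine/apache-ca.pem, so it can be sourced safely elsewhere to reuse ca_in_bundle on other files.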

Root Cause

  • BUG 1715767.
  • The old environment used a custom certificate. However, engine-backup does not update the host-wide trust store with the new CA, which is a required step for an environment with a custom Apache certificate.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.