vmconsole-proxy-user certificate expired - cannot serial console
Environment
- Red Hat Virtualization (RHV) 4.4
Issue
- Unable to connect to VM serial console via ssh
- The vmconsole certificates have expired and are not renewed automatically
- engine-setup does not renew the following certificates:
  - vmconsole-proxy-user
  - vmconsole-proxy-host
  - vmconsole-proxy-helper
Resolution
The issue has been solved via RHSA-2022:4711 in Red Hat Virtualization 4.4 SP1. Update the RHV platform to benefit from this and other bug fixes.
The following steps can be used as a workaround to renew the certificates:
- On the RHV Manager, run the following commands to renew the vmconsole-proxy-helper certificate (on a HostedEngine setup, first enable global maintenance mode with # hosted-engine --set-maintenance --mode=global):
  # cd /etc/pki/ovirt-engine
  # rm ./keys/vmconsole-proxy-helper.p12 ./keys/vmconsole-proxy-helper.key.nopass ./certs/vmconsole-proxy-helper.cer
  # engine-setup --offline
- On the RHV Manager, run the following commands to renew the vmconsole-proxy-user and vmconsole-proxy-host certificates:
  # cd /etc/pki/
  # mv ovirt-vmconsole ovirt-vmconsole_bkp
  # engine-setup --offline
Root Cause
The vmconsole-proxy-helper certificate was not renewed because of Bug 1988496. The vmconsole-proxy-user and vmconsole-proxy-host certificate renewal issue is currently being investigated with Bug 2066084.
Diagnostic Steps
- Run the following commands on the RHV Manager machine to check certificate validity:
# ssh-keygen -L -f /etc/pki/ovirt-vmconsole/proxy-ssh_user_rsa-cert.pub
/etc/pki/ovirt-vmconsole/proxy-ssh_user_rsa-cert.pub:
Type: ssh-rsa-cert-v01@openssh.com user certificate
Public key: RSA-CERT SHA256:/VmpzY7UYdcoJOesJ87FBEbqerFJjX7WBJOjiN5bXts
Signing CA: RSA SHA256:RYFSBS9Rd0xo2zIk46ZpSXmaFqYnbj/6i+qQvCPElJ0
Key ID: "vmconsole-proxy-user"
Serial: 0
Valid: from 2020-12-15T12:27:35 to 2022-01-17T13:27:35
Principals:
ovirt-vmconsole-proxy
Critical Options: (none)
Extensions:
permit-pty
# ssh-keygen -L -f /etc/pki/ovirt-vmconsole/proxy-ssh_host_rsa-cert.pub
/etc/pki/ovirt-vmconsole/proxy-ssh_host_rsa-cert.pub:
Type: ssh-rsa-cert-v01@openssh.com host certificate
Public key: RSA-CERT SHA256:19Cmrm72XoHlRX+ObzBCfZ/xzvr9Vcymkvn6q94hRKo
Signing CA: RSA SHA256:RYFSBS9Rd0xo2zIk46ZpSXmaFqYnbj/6i+qQvCPElJ0
Key ID: "vmconsole-proxy-host"
Serial: 0
Valid: from 2020-12-15T12:27:35 to 2022-01-17T13:27:35
Principals:
manager.rhv.levart.com.au
Critical Options: (none)
Extensions: (none)
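The validity check above can be scripted so that an approaching expiry is caught before the serial console stops working. The following is an added example, not part of the original article or of RHV tooling: cert_status is a hypothetical helper that reads ssh-keygen -L output on stdin and classifies the certificate. The sample input is trimmed from the output shown above, and the 30-day warning window is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article); cert_status is a hypothetical helper.
# On the RHV Manager:
#   ssh-keygen -L -f /etc/pki/ovirt-vmconsole/proxy-ssh_user_rsa-cert.pub \
#       | cert_status "$(date +%s)" 30
# Prints "<STATUS> <key id> <not-after>".
# Exit status: 0=OK 1=EXPIRING 2=EXPIRED 3=UNKNOWN (no parsable Valid: line).
cert_status() (
    now=$1; warn_days=$2; key_id='?'; not_after=''
    while IFS= read -r line; do
        case $line in
            *'Key ID: "'*)           key_id=${line#*'Key ID: "'}; key_id=${key_id%'"'*} ;;
            *'Valid: forever'*)      not_after=forever ;;
            *'Valid: from '*' to '*) not_after=${line##*' to '} ;;
            *'Valid: before '*)      not_after=${line##*'before '} ;;
        esac
    done
    if [ -z "$not_after" ]; then echo "UNKNOWN $key_id -"; return 3; fi
    if [ "$not_after" = forever ]; then echo "OK $key_id forever"; return 0; fi
    # Timestamps look like YYYY-MM-DDTHH:MM:SS (assumed local time);
    # date -d (GNU/BusyBox) parses them once the T is replaced by a space.
    end=$(date -d "$(printf '%s' "$not_after" | tr 'T' ' ')" +%s) || {
        echo "UNKNOWN $key_id $not_after"; return 3; }
    if [ "$end" -le "$now" ]; then
        echo "EXPIRED $key_id $not_after"; return 2
    elif [ "$end" -le $(( now + warn_days * 86400 )) ]; then
        echo "EXPIRING $key_id $not_after"; return 1
    fi
    echo "OK $key_id $not_after"
)

# Constructed sample: three lines trimmed from the ssh-keygen -L output above.
SAMPLE_CERT='        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Key ID: "vmconsole-proxy-user"
        Valid: from 2020-12-15T12:27:35 to 2022-01-17T13:27:35'

# Evaluate the sample as if checked on three different days.
for day in 2021-06-01 2022-01-01 2022-03-01; do
    printf '%s\n' "$SAMPLE_CERT" | cert_status "$(date -d "$day" +%s)" 30 || true
done
```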
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.