search

apache / cloudstack

Apache CloudStack is an opensource Infrastructure as a Service (IaaS) cloud computing platform
https://cloudstack.apache.org/
Apache License 2.0
2.05k stars 1.1k forks source link

When starting the `libvirtd` service, I encountered the error: "The server certificate /etc/pki/libvirt/servercert.pem has expired." #9562

Closed LiuYanHao789 closed 1 month ago

LiuYanHao789 commented 1 month ago
ISSUE TYPE
COMPONENT NAME
Cert
CLOUDSTACK VERSION
cloudstack 4.18.1.0
CONFIGURATION
OS / ENVIRONMENT

Centos 7.9

SUMMARY

When starting the libvirtd service, I encountered the error: "The server certificate /etc/pki/libvirt/servercert.pem has expired." The certificate in question originates from /etc/cloudstack/agent/cloud.crt, which is valid for one year. What should I do when the certificate expires? Should I create a self-signed certificate to replace it? If I do, will there be any impact due to context or dependencies? Or is there another solution?

STEPS TO REPRODUCE
# systemctl restart libvirtd 
error: "The server certificate /etc/pki/libvirt/servercert.pem has expired"
# ll /etc/pki/libvirt/servercert.pem
/etc/pki/libvirt/servercert.pem -> /etc/cloudstack/agent/cloud.crt

I can see that it's a symbolic link, with the source path being /etc/cloudstack/agent/cloud.crt. I checked the certificate's validity period using the command:

# openssl x509 -in /etc/cloudstack/agent/cloud.crt -noout -dates
notBefore=Jul 12 19:44:27 2023 GMT
notAfter=Jul 12 07:44:27 2024 GMT
EXPECTED RESULTS

I can see that it's a symbolic link, with the source path being /etc/cloudstack/agent/cloud.crt. I checked the certificate's validity period using the command:

# openssl x509 -in /etc/cloudstack/agent/cloud.crt -noout -dates
notBefore=Jul 12 19:44:27 2023 GMT
notAfter=Jul 12 07:44:27 2024 GMT

It turns out the certificate has expired, which caused the error when I tried to restart the libvirtd service today. Should I create a self-signed certificate to replace it? If I do, will there be any impact due to context or dependencies? Or is there another solution?

ACTUAL RESULTS
boring-cyborg[bot] commented 1 month ago

Thanks for opening your first issue here! Be sure to follow the issue template!

weizhouapache commented 1 month ago

You can try the following steps

  1. backup and then delete the cloud.* files from /etc/cloudstack/agent/ directory
  2. change auth strictness global setting to false (ca.plugin.root.auth.strictness) in cloudstack temporarily
  3. set listen_tcp=1/listen_tls=0/vnc_tls=0 in libvirtd.conf, and restart libvirtd
  4. restart cloudstack agent on the KVM host, and once it's connected, in CloudStack go to the UI-> infra ->host -> select the specific host -> click button to re-provision certficates (this will resetup the cloud.jks and certificates on the kvm host)
  5. finally, reset the ca.plugin.root.auth.strictness back to true
LiuYanHao789 commented 1 month ago

感谢大佬!!!国人牛逼,但是我的这个ca.plugin.root.auth.strictness,我发现默认就是false关闭的,没有打开。这个东西在生产环境会有啥影响吗?

rohityadavcloud commented 1 month ago

@LiuYanHao789 I don't understand your last comment. By re-provisioning certificate on all hosts and turning auth strictness to true is enough to secure your production env. See if you can upgrade to the most recent 4.18 release and have ca.framework.cert.automatic.renewal set to true, or increase ca.framework.cert.validity.period to a high value.