之前使用Kolla ansible安装的OpenStack环境发现nova_compute、nova_libvirt服务异常,查看日志发现是libvirt证书过期导致的,错误信息如下:
Connection event '0' reason 'Failed to connect to libvirt: The client certificate /etc/pki/libvirt/clientcert.pem has expired'
然后就尝试更新libvirt证书,更新时nova_novnc的证书也需要一并更新。
找一台装了 certtool 的机器来制作证书(certtool 由 GnuTLS 工具包提供,例如 CentOS 上的 gnutls-utils),我这里用的是管理端(node-100-111)。CA 私钥会生成并保存在这台机器上,所以应选一台只有管理员能登录的主机。
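# Working directory for the CA key and the per-node certificates.
# -p keeps the step repeatable; mode 700 keeps other local users out of a
# directory that will hold private keys.
mkdir -p /home/cert && chmod 700 /home/cert
cd /home/cert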
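一、创建中央证书颁发机构(CA)证书,用于签署为每个计算节点创建的证书。模板中的 expiration_days = 7000 约为 19 年,有效期这么长可以避免再次因过期而中断,但 CA 私钥一旦泄露,影响时间也同样长,因此 certificate_authority_key.pem 应只保留在这台机器上(下面用 umask 277 使其权限为 0400),不要分发到计算节点;同时建议对证书到期时间做监控。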
[root@node-100-111 cert]# cat certificate_authority_template.info
cn = abc.com.cn
ca
cert_signing_key
expiration_days = 7000
[root@node-100-111 cert]# umask 277 && certtool --generate-privkey > certificate_authority_key.pem
Generating a 2048 bit RSA private key...
[root@node-100-111 cert]# certtool --generate-self-signed --template certificate_authority_template.info \
--load-privkey certificate_authority_key.pem \
--outfile certificate_authority_certificate.pem
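二、为每个计算节点生成服务端证书(每个节点一个目录、一份 server.info,cn 要与客户端连接该节点时使用的主机名一致)。注意:下面的 server.info 里写的是 tls_www_client;按 libvirt 官方 TLS 文档,服务端证书模板应使用 tls_www_server,如果同一张证书还要兼作客户端证书,可以同时写上 tls_www_server 和 tls_www_client。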
[root@node-100-111 cert]# mkdir {111,112,113,114}
[root@node-100-111 cert]# cat 111/server.info
country = CN
state = Beijing
locality = Beijing
organization = abc.com.cn
cn = node-100-111
tls_www_client
encryption_key
signing_key
expiration_days = 7000
[root@node-100-111 cert]# cat 112/server.info
country = CN
state = Beijing
locality = Be