I have a pool with 2 xcp-ng 8.2 hosts, and on the same management network I have a Debian 10-based VM within which I have built xo from sources using https://github.com/ronivay/XenOrchestraInstallerUpdater.
I had previously followed the guide TLS Certificate on XCP-NG as well as the guide for the additional configuration to specify on the XenOrchestra side, but I was getting Xapi#getResource /rrd_updates tasks lingering if I connected to my host with Unauthorized Certificates disabled, but not when connecting with that enabled.
Please correct me if I'm wrong, but I suspect the lingering task is caused by xo making an HTTPS request to the pool master for rrd updates: the request fails due to a cert error, and the task isn't being cancelled and instead times out after 24 hours, as Olivier has noted in past threads.
To try to resolve this, today I created a snapshot at 1:11pm PDT and booted up a fast-clone of that snapshot so I am not left without a paddle if I were to break my xo during the update. I then used the build tool's update feature to pull from master and rebuild to see if it would make a difference.
Now, when I try to connect my xo to my pool master with Unauthorized Certificates disabled, I get this error: self signed certificate in certificate chain, and xo is not able to connect to the pool. If I connect with Unauthorized Certificates enabled, I am able to get stats without the lingering rrd updates tasks, but I still want to be able to connect with Unauthorized Certificates disabled.
I reviewed the xo logs and saw Hostname/IP does not match certificate's altnames: IP: 10.0.60.12 is not in the cert's list. My master's management IP is 10.0.10.12, and 10.0.60.12 is the address on my storage network where my storage server is located. Full disclosure, I originally mis-read the IP address as the management address, so I decided to create a new certificate following the official 8.2 instructions from Citrix with a 4096-bit key, sha256 signature algorithm, 398-day lifetime, and I was sure to add both FQDNs and both IP addresses as Subject Alternative Names to be sure I covered all bases.
In retrospect, the first instance of that Hostname/IP... error was over an hour before I performed the update today, so it's not new after the update. I have the original certificate, which I can restore if requested.
Did I miss a step when configuring my xcp-ng hosts and my xo to use the certs from my internal, self-signed CA? I have used update-ca-certificates on my xo vm to add my root CA certificate (actually, this was done and tested on the vm from which my xo vm was fast-cloned), but do I also need to add my root CA certificate to each xcp-ng host as well, or is that not required since the full cert chain is included in /etc/xensource/xapi-ssl.pem?
Thank you in advance for any guidance/assistance.
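The two errors quoted in the post are the two checks any TLS client (including the Node.js client in XO) applies to the certificate the pool master presents: does the chain lead to a root in the client's trust store, and is the address the client actually connected to listed in the certificate's Subject Alternative Names. The script below is an added example, not code from the post or from the XCP-ng/XO projects. It builds a throwaway internal CA with openssl, issues one host certificate with only the management IP in its SANs and one with both IPs and both names, bundles key + leaf + CA the way xapi-ssl.pem is laid out, and then reproduces both failure modes offline. The CA names, host name, IP addresses and file names are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example (not from the original post, not XCP-ng/XO code).
# Reproduces offline the two checks a TLS client runs against a pool master:
#   1. chain to a trusted root  -> "self signed certificate in certificate chain"
#   2. connected IP/name in SAN -> "IP: x.x.x.x is not in the cert's list"
# Names, IPs and file names below are assumptions for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# make_ca NAME: self-signed root CA -> NAME.key / NAME.crt
# (CA extensions are given explicitly so the result does not depend on openssl.cnf)
make_ca() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1.ext"
  openssl x509 -req -sha256 -days 398 -in "$1.csr" -signkey "$1.key" \
    -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# make_host_cert CA NAME CN SANS: CA-signed leaf with the given subjectAltName list,
# plus NAME.pem bundled like xapi-ssl.pem (private key, leaf, then the issuing CA)
make_host_cert() {
  ca=$1; name=$2; cn=$3; sans=$4
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$sans" > "$name.ext"
  openssl x509 -req -sha256 -days 398 -in "$name.csr" \
    -CA "$ca.crt" -CAkey "$ca.key" -CAcreateserial \
    -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  cat "$name.key" "$name.crt" "$ca.crt" > "$name.pem"
}

# chain_status TRUSTED CHAIN_CA LEAF: prints OK or the first verify error.
# CHAIN_CA is passed as -untrusted because the server sends it in the handshake
# (that is what the full chain inside xapi-ssl.pem does); TRUSTED is the client store.
chain_status() {
  out=$(openssl verify -CAfile "$1.crt" -untrusted "$2.crt" "$3.crt" 2>&1 || true)
  case "$out" in
    *": OK"*) echo OK ;;
    *) echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
  esac
}

# san_has LEAF TARGET: returns 0 if TARGET (an IP or a DNS name) is covered by the SANs,
# mirroring the client-side hostname/IP check
san_has() {
  case $2 in
    *[!0-9.]*) flag=-checkhost ;;   # anything that is not digits and dots is a DNS name
    *)         flag=-checkip ;;
  esac
  openssl x509 -in "$1.crt" -noout "$flag" "$2" 2>/dev/null | grep -q " does match "
}

# --- demo: the internal CA the XO VM should trust, and an unrelated CA that
# --- stands in for a trust store that does not contain it
make_ca lab-root
make_ca other-root
make_host_cert lab-root mgmt-only xcp1.lab.example "DNS:xcp1.lab.example,IP:10.0.10.12"
make_host_cert lab-root all-sans  xcp1.lab.example \
  "DNS:xcp1.lab.example,DNS:xcp1,IP:10.0.10.12,IP:10.0.60.12"

echo "chain with CA trusted:     $(chain_status lab-root   lab-root all-sans)"
echo "chain with CA not trusted: $(chain_status other-root lab-root all-sans)"
for ip in 10.0.10.12 10.0.60.12; do
  for c in mgmt-only all-sans; do
    if san_has "$c" "$ip"; then echo "$c covers $ip"; else echo "$c does NOT cover $ip"; fi
  done
done
```

Two things the run makes visible. First, "self signed certificate in certificate chain" only appears because the root is in the chain the server sends but not in the client's store: that is a client-side trust problem, so the fix is on the machine running the client (the XO VM), not on the hosts. Second, a certificate that lists only the management address passes the chain check and still fails the SAN check for any other address the client happens to dial, which is why every name and IP a client may use has to be in the SAN list.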