Expired Cert


HJ

Jan 28, 2026, 12:56:42 AM
to ganeti

Hi,

Version: gnt-instance (ganeti 3.0.2-1ubuntu1) 3.0.2

We have a Ganeti cluster that was built more than five years ago, and it’s now reporting “Timeout while talking to the master daemon” when running gnt-cluster renew-crypto --new-cluster-certificate --new-node-certificates (or any gnt-cluster command).

The /var/log/ganeti logs show:

CurlLayerError "code: CurlSSLCACert, explanation: SSL certificate problem: certificate has expired".

I’m new to Ganeti. I found a solution in this group, but it dates back to 2008. Could anyone suggest current best practices for renewing the certificates?

https://groups.google.com/g/ganeti/c/MMyVEC3CEj4

Thank you

Sascha Lucas

Jan 28, 2026, 1:34:48 AM
to 'HJ' via ganeti
Hi,

On Tue, 27 Jan 2026, 'HJ' via ganeti wrote:

> Version: gnt-instance (ganeti 3.0.2-1ubuntu1) 3.0.2
>
> We have a Ganeti cluster that was built more than five years ago, and it’s
> now reporting *“Timeout while talking to the master daemon”* when running
> gnt-cluster renew-crypto --new-cluster-certificate --new-node-certificates
> (or any gnt-cluster command).

My solution is the following: gnt-cluster renew-crypto almost only uses
SSH to create new noded certificates. The only exception is that at the
beginning it talks to the master node's luxid/wconfd.

Therefore I force them to start at the master node by setting in
/etc/default/ganeti:

WCONFD_ARGS="--no-voting --yes-do-it"
LUXID_ARGS="--no-voting --yes-do-it"

After this, restart ganeti service on master only:

systemctl restart ganeti.service

Now run gnt-cluster renew-crypto --new-cluster-certificate
--new-node-certificates. If successful, remove the config "--no-voting
--yes-do-it" and restart again on master.

At least this works for me.

HTH, Sascha.

HJ

Jan 28, 2026, 11:51:16 AM
to ganeti
Hi Sascha,

I was able to renew the cluster and node certificates (server.pem and client.pem) by following the steps you provided, and I can now run gnt-cluster verify. However, it looks like some certificates still haven’t been renewed:
ERROR: cluster: While verifying /var/lib/ganeti/spice.pem: Certificate is expired (valid from 2020-12-28 12:59:55 to 2025-12-27 12:59:55)
ERROR: cluster: While verifying /var/lib/ganeti/spice-ca.pem: Certificate is expired (valid from 2020-12-28 12:59:55 to 2025-12-27 12:59:55)
ERROR: cluster: While verifying /var/lib/ganeti/rapi.pem: Certificate is expired (valid from 2020-12-28 12:59:55 to 2025-12-27 12:59:55)

Could you guide me on how to renew these certificates? I couldn’t find relevant information in the Ganeti documentation.
https://docs.ganeti.org/docs/ganeti/3.0/html/cluster-keys-replacement.html

Thank you.

HJ

Jan 28, 2026, 1:03:57 PM
to ganeti
gnt-cluster renew-crypto --new-rapi-certificate --new-spice-certificate did the trick. 

Thanks!
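
The file-to-switch pairing that the thread arrives at, as an added example that is not part of any poster's message and not Ganeti's own code: a shell function that reads `gnt-cluster verify` output and prints the `renew-crypto` command covering every certificate reported as expired. The function names and the INFO sample line are assumptions; the ERROR lines and the mapping come from the messages above.

```shell
#!/bin/sh
# Added example: turn "Certificate is expired" errors from `gnt-cluster verify`
# into the matching `gnt-cluster renew-crypto` switches named in this thread.

# Sample input: the three ERROR lines quoted in the thread, plus one
# constructed non-error line to show that unrelated output is ignored.
sample_verify_output() {
cat <<'EOF'
INFO: constructed line, not real gnt-cluster output
ERROR: cluster: While verifying /var/lib/ganeti/spice.pem: Certificate is expired (valid from 2020-12-28 12:59:55 to 2025-12-27 12:59:55)
ERROR: cluster: While verifying /var/lib/ganeti/spice-ca.pem: Certificate is expired (valid from 2020-12-28 12:59:55 to 2025-12-27 12:59:55)
ERROR: cluster: While verifying /var/lib/ganeti/rapi.pem: Certificate is expired (valid from 2020-12-28 12:59:55 to 2025-12-27 12:59:55)
EOF
}

# Reads verify output on stdin; prints one renew-crypto command, or nothing
# when no expired certificate is reported.
renew_command_for() {
  flags=""
  while IFS= read -r line; do
    case "$line" in
      *"Certificate is expired"*) ;;
      *) continue ;;
    esac
    path=${line#*"While verifying "}   # drop everything before the path
    path=${path%%:*}                   # drop everything after the path
    # File-to-switch mapping as described by the posters in this thread.
    case "${path##*/}" in
      server.pem)             flag="--new-cluster-certificate" ;;
      client.pem)             flag="--new-node-certificates" ;;
      rapi.pem)               flag="--new-rapi-certificate" ;;
      spice.pem|spice-ca.pem) flag="--new-spice-certificate" ;;
      *) echo "no known switch for $path" >&2; continue ;;
    esac
    case " $flags " in
      *" $flag "*) ;;                  # already requested (spice.pem + spice-ca.pem)
      *) flags="$flags $flag" ;;
    esac
  done
  if [ -n "$flags" ]; then
    echo "gnt-cluster renew-crypto$flags"
  fi
}

sample_verify_output | renew_command_for
```

The function only prints the command so it can be reviewed first; it does not run it.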
 

Ronny Adsetts

Jan 28, 2026, 1:05:15 PM
to gan...@googlegroups.com
'HJ' via ganeti wrote on 28/01/2026 16:51:
>
> I was able to renew the cluster and node certificates (server.pem and
> client.pem) by following the steps you provided, and I can now run
> gnt-cluster verify. However, it looks like some certificates still
> haven’t been renewed:
>
> •ERROR: cluster: While verifying /var/lib/ganeti/spice.pem:
> Certificate is expired (valid from 2020-12-28 12:59:55 to 2025-12-27
> 12:59:55)
> •ERROR: cluster: While verifying /var/lib/ganeti/spice-ca.pem:
> Certificate is expired (valid from 2020-12-28 12:59:55 to 2025-12-27
> 12:59:55)
> •ERROR: cluster: While verifying /var/lib/ganeti/rapi.pem:
> Certificate is expired (valid from 2020-12-28 12:59:55 to 2025-12-27
> 12:59:55)
>
> Could you guide me on how to renew these certificates? I couldn’t
> find relevant information in the Ganeti documentation.
> https://docs.ganeti.org/docs/ganeti/3.0/html/cluster-keys-replacement.html

Hi,

You want the gnt-cluster man page, in the section on the renew-crypto command. In particular the switches --new-rapi-certificate and --new-spice-certificate, judging by your errors.

Ronny

--
Ronny Adsetts
Technical Director
Amazing Internet Ltd, London
t: +44 20 8977 8943
w: www.amazinginternet.com

Registered office: 85 Waldegrave Park, Twickenham, TW1 4TJ
Registered in England. Company No. 4042957

Ronny Adsetts

Jan 28, 2026, 1:06:06 PM
to 'HJ' via ganeti
'HJ' via ganeti wrote on 28/01/2026 18:03:
> gnt-cluster renew-crypto --new-rapi-certificate --new-spice-certificate did the trick. 

Ha! Your reply beat mine by minutes! :-).

HJ

Jan 28, 2026, 1:36:48 PM
to ganeti

I did, but I still owe you a thank-you!

Ronny Adsetts

Jan 29, 2026, 6:39:12 AM
to 'HJ' via ganeti
'HJ' via ganeti wrote on 28/01/2026 18:36:
> I did, but I still owe you a thank-you!

Not at all. I've been through the Ganeti expired certs more than once so... :-).