Should I copy /var/www/miq/vmdb/certs/v2_key on a new independent appliance?

We want to make a lab, that is, an independent appliance for dev. We have imported production automation code from the production environment, but it looks like the encrypted password can’t be decrypted:

running raised exception: can not decrypt v2_key encrypted string

So should we replace the lab key with the production key? /var/www/miq/vmdb/certs/v2_key?

FYI lab is docker CF 4.2.

Regards.
Gaétan.

Yes, copying the v2 key from prod will allow you to decrypt the password. The same is needed if you want to import database data from prod.
Otherwise, you need to edit your automation instance to put the password in again on dev, and you will need to do that each time you do an import from prod.

I have imported the production key and renamed it v2_key.prod.

Then did: bundle exec ruby tools/fix_auth.rb --legacy-key=v2_key.prod

results:

/var/www/miq/vmdb/gems/pending/util/miq-password.rb:39:in `rescue in decrypt': can not decrypt v2_key encrypted string (MiqPassword::MiqPasswordError)
from /var/www/miq/vmdb/gems/pending/util/miq-password.rb:36:in `decrypt'
from /var/www/miq/vmdb/gems/pending/util/miq-password.rb:55:in `rescue in recrypt'
from /var/www/miq/vmdb/gems/pending/util/miq-password.rb:47:in `recrypt'
from /var/www/miq/vmdb/tools/fix_auth/auth_model.rb:33:in `recrypt'
from /var/www/miq/vmdb/tools/fix_auth/auth_model.rb:46:in `block in fix_passwords'
from /var/www/miq/vmdb/tools/fix_auth/auth_model.rb:44:in `each'
from /var/www/miq/vmdb/tools/fix_auth/auth_model.rb:44:in `fix_passwords'
from /var/www/miq/vmdb/tools/fix_auth/auth_model.rb:85:in `block in run'
from /opt/rh/cfme-gemset/gems/activerecord-5.0.3/lib/active_record/relation/delegation.rb:40:in `each'
from /opt/rh/cfme-gemset/gems/activerecord-5.0.3/lib/active_record/relation/delegation.rb:40:in `each'
from /var/www/miq/vmdb/tools/fix_auth/auth_model.rb:84:in `run'
from /var/www/miq/vmdb/tools/fix_auth/fix_auth.rb:65:in `block (2 levels) in fix_database_passwords'
from /var/www/miq/vmdb/tools/fix_auth/fix_auth.rb:64:in `each'
from /var/www/miq/vmdb/tools/fix_auth/fix_auth.rb:64:in `block in fix_database_passwords'
from /var/www/miq/vmdb/tools/fix_auth/fix_auth.rb:61:in `each'
from /var/www/miq/vmdb/tools/fix_auth/fix_auth.rb:61:in `fix_database_passwords'
from /var/www/miq/vmdb/tools/fix_auth/fix_auth.rb:92:in `run'
from /var/www/miq/vmdb/tools/fix_auth/cli.rb:37:in `run'
from /var/www/miq/vmdb/tools/fix_auth/cli.rb:41:in `run'
from tools/fix_auth.rb:26:in `’

Is there another method?

You need to recreate the DB using this key, because now you have passwords encrypted with v2_key.prod and database data encrypted using the v2_key from your lab.
When installing the lab, before creating the DB, you must copy v2_key from prod instead of generating a new one. It should work.
(In my case dev DB has been created using a prod export)
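
The mixed-key state described in the reply above, as an added example that is not part of the original thread and is not ManageIQ's MiqPassword or fix_auth code: it finds which key opens each stored value, then re-encrypts everything under one key. AES-256-GCM stands in for the appliance cipher (an assumption), and the key names, row names and sample values are constructed.

```ruby
require "openssl"
require "base64"

# AES-256-GCM stands in for the appliance cipher (assumption): a wrong key always raises.
def encrypt(plain, key)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = key
  iv = c.random_iv
  ct = c.update(plain) + c.final
  Base64.strict_encode64(iv + c.auth_tag + ct)
end

def decrypt(blob, key)
  raw = Base64.strict_decode64(blob)
  c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  c.key = key
  c.iv = raw[0, 12]        # 12-byte nonce
  c.auth_tag = raw[12, 16] # 16-byte tag
  c.update(raw[28..-1]) + c.final
end

# Name of the first key that opens the blob, or nil when none does.
def key_for(blob, keys)
  keys.each do |name, key|
    begin
      decrypt(blob, key)
      return name
    rescue OpenSSL::Cipher::CipherError
      next
    end
  end
  nil
end

# Re-encrypt every row under keys[target]; rows no key opens are kept and reported.
def recrypt_all(rows, keys, target)
  failed = []
  fixed = rows.map do |id, blob|
    name = key_for(blob, keys)
    failed << id if name.nil?
    [id, name ? encrypt(decrypt(blob, keys[name]), keys[target]) : blob]
  end.to_h
  [fixed, failed]
end

# Constructed sample: one value imported from prod, one created on the lab.
KEYS = { prod: OpenSSL::Random.random_bytes(32), lab: OpenSSL::Random.random_bytes(32) }
ROWS = { "automate_password" => encrypt("s3cret", KEYS[:prod]),
         "database_yml_password" => encrypt("smartvm", KEYS[:lab]) }
```

With only one of the two keys available, `recrypt_all` returns the rows it could not open in its second element instead of aborting on the first failure.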

Good day @gquentin.

I have a similar problem with the v2_key (i.e. same errors). Did the proposal from LorkScorguar work?

I haven’t tried: I do not want to recreate the database. I would like to convert it.

@gquentin You should be able to alter the passwords in database.yml using fix_auth’s -y option.

See my response to @codebeaver22’s question here

It works:

  • stopping evm server
  • replacing the key with the prod one
  • bundle exec ruby tools/fix_auth.rb -v -y
  • bundle exec ruby tools/fix_auth.rb -v -p smartvm -P smartvm -i smartvm
  • bundle exec ruby tools/fix_auth.rb -v -y
  • starting evm

Regards.

First, thank you @gquentin, @codebeaver22, @carbonin for documenting your experience and the steps that resolved this problem for you. I tried following your steps carefully, but get the following errors when I try to start the evm server from the appliance_console:

Job for evmserverd.service failed because the control process exited with error code. See “systemctl status evmserverd.service” and “journalctl -xe” for details.

When I run systemctl status evmserverd.service, it did not return any errors.

When I run journalctl -xe I get: (trimmed this, it was long)


-- Unit evmserverd.service has begun starting up.

Aug 31 13:26:59 miq-dev.chq.ei sh[3642]: rake aborted!

Aug 31 13:26:59 miq-dev.chq.ei sh[3642]: PG::ConnectionBad: FATAL: password authentication failed for user "root"

Aug 31 13:26:59 miq-dev.chq.ei sh[3642]: FATAL: no pg_hba.conf entry for host "::1", user "root", database "vmdb_production", SSL off

Aug 31 13:26:59 miq-dev.chq.ei systemd[1]: Failed to start EVM server daemon.

-- Subject: Unit evmserverd.service has failed

-- Unit evmserverd.service has failed.

Aug 31 13:26:59 miq-dev.chq.ei systemd[1]: Unit evmserverd.service entered failed state.

Am I right in guessing that the credential for root was encrypted using the old v2_key so now it’s not able to authenticate with the db? Any tips on how to resolve?

I wanted to post my solution. My mistake is in how I updated pg_hba.conf to accept connections.

The following enabled a connection for this standalone app+db development server:

host   vmdb_production   root  ::1  trust