Bug 1258021

Summary: [engine] already expired CA cert is detected as about to expire
Product: Red Hat Enterprise Virtualization Manager Reporter: Jiri Belka <jbelka>
Component: ovirt-engineAssignee: Moti Asayag <masayag>
Status: CLOSED CURRENTRELEASE QA Contact: Jiri Belka <jbelka>
Severity: high Docs Contact:
Priority: high    
Version: 3.6.0CC: gklein, lsurette, oourfali, pstehlik, rbalakri, Rhev-m-bugs, srevivo, ykaul
Target Milestone: ovirt-3.6.0-rc   
Target Release: 3.6.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 3.6.0-12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-04-20 01:36:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jiri Belka 2015-08-28 16:35:29 UTC 
Description of problem:

same issue as for engine cert, BZ1257981

[root@jb-bz1 ~]# date
Tue Aug 28 18:30:00 CEST 2018
[root@jb-bz1 ~]# openssl x509 -in /etc/pki/ovirt-engine/ca.pem -startdate -enddate -noout
notBefore=Aug 27 15:59:22 2015 GMT
notAfter=May 24 15:59:22 2018 GMT

[root@jb-bz1 ~]# grep 'CA certification' /var/log/ovirt-engine/engine.log 
2018-08-28 18:24:24,151 WARN  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler_Worker-7) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: oVirt-engine's CA certification is about to expire at 2018-05-24.

Version-Release number of selected component (if applicable):
rhevm-backend-3.6.0-0.12.master.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. install rhevm, engine-setup, stop all ovirt related daemons (incl DB)
2. change time to have expired CA cert
3. start DB, engine

Actual results:
expired CA certs is detected as not expired but about to expire

Expected results:
oVirt-engine's CA certification has expired at ${ExpirationDate}.

Additional info:
imo it's a condition issue somewhere as BZ1257981 is similar, check with that
Comment 1 Jiri Belka 2015-09-16 14:28:36 UTC 
ok, rhevm-backend-3.6.0-0.15.master.el6.noarch

  > current date: 2015-10-06
  > expire date:  2015-10-05

(OK) 2015-10-06 11:05:57,913 WARN  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler_Worker-11) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Messag\
e: oVirt-engine's CA certification has expired at 2015-10-05.

(Also tested in combination with expiring or already expired engine cert - ovirt CA cert info was always OK but engine certs info got suppressed - https://bugzilla.redhat.com/show_bug.cgi?id=1263697)