Bug 1572278

Summary: After undercloud ssl certificate is updated, ca-trust is not updated automatically
Product: Red Hat OpenStack
Reporter: Harry Rybacki <hrybacki>
Component: puppet-tripleo
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED ERRATA
QA Contact: Pavan <pkesavar>
Severity: medium
Docs Contact:
Priority: high
Version: 10.0 (Newton)
CC: achernet, aschultz, ftaylor, hrybacki, jjoyce, josorior, jschluet, mburns, nalmond, nkinder, rcritten, rhel-osp-director-maint, sclewis, slinaber, tvignaud
Target Milestone: beta
Keywords: Triaged
Target Release: 13.0 (Queens)
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: puppet-tripleo-8.3.2-4.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1547248
: 1572280 1595876
Environment:
Last Closed: 2018-06-27 13:53:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1547248, 1595876
Bug Blocks: 1572280, 1572282

Comment 3 Harry Rybacki 2018-04-26 15:51:34 UTC
Upstream review located in openstack-tripleo-8.3.2. Updating fixed-in and moving bug to MODIFIED.

Comment 7 Scott Lewis 2018-04-30 14:59:49 UTC
This item has been properly Triaged and planned for the OSP13 release, and is being tagged for tracking. For details, see https://url.corp.redhat.com/1851efd

Comment 13 Juan Antonio Osorio 2018-06-25 16:25:29 UTC
So, certmonger should update the local CA certificate when at least one of these two things happens:

* when certmonger is restarted
* when a certificate is requested for that CA

So, the thing to verify would be that, when the certificate expires, you should restart certmonger, and then run the undercloud install again. That should update the trust of that certificate.

Comment 14 Rob Crittenden 2018-06-25 19:04:36 UTC
The execution doesn't happen in a shell. This should be put into a script (bash, python, whatever) in /usr/libexec/<something>/<something> and set that as the post command.

You can define arguments to be passed in when setting the post-callback command.

For example:

/usr/libexec/director/renew_cert /etc/pki/tls/certs/undercloud-front.crt  /etc/pki/tls/private/undercloud-front.key /etc/pki/tls/certs/undercloud-192.168.24.2.pem
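
The wrapper-script approach described in Comment 14, as an added example that is not part of the bug report or of the puppet-tripleo fix. It assumes the three arguments are certificate, key and combined PEM bundle (the order in the example path above), that the script's job is to rebuild the bundle and refresh the system trust store with `update-ca-trust extract`, and the `TRUST_REFRESH_CMD` override is a hypothetical name used here for testing:

```shell
#!/bin/sh
# Hypothetical wrapper for a certmonger post-save command (added example).
# certmonger executes the command directly, not through a shell, so the
# redirection and chaining below have to live in a script like this one.
# Argument order follows the example in Comment 14: cert, key, combined pem.

renew_cert() {
    if [ "$#" -ne 3 ]; then
        echo "usage: renew_cert CERT KEY COMBINED_PEM" >&2
        return 2
    fi
    cert=$1 key=$2 pem=$3

    # Refuse to build a bundle from missing or empty inputs, so a failed
    # renewal never replaces a working bundle with a broken one.
    for f in "$cert" "$key"; do
        [ -s "$f" ] || { echo "renew_cert: missing or empty: $f" >&2; return 1; }
    done

    # Assumption: the third argument is the cert+key bundle. Write it to a
    # temporary file in the same directory and rename it into place, so a
    # reader never sees a half-written bundle. The bundle contains the
    # private key, so it is created and kept at mode 0600.
    tmp=$(umask 077 && mktemp "${pem}.XXXXXX") || return 1
    if ! cat "$cert" "$key" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 600 "$tmp" && mv -f "$tmp" "$pem" || { rm -f "$tmp"; return 1; }

    # Assumption: refresh the system trust store afterwards. Set
    # TRUST_REFRESH_CMD (hypothetical name) to run something else, for
    # example when testing without root.
    ${TRUST_REFRESH_CMD:-update-ca-trust extract}
}

# Run only when arguments are supplied, as certmonger would supply them.
if [ "$#" -gt 0 ]; then
    renew_cert "$@"
fi
```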

Comment 16 errata-xmlrpc 2018-06-27 13:53:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086