Bug 1700511

Summary: certmonger local not honoring validity_period in '/etc/certmonger/certmonger.conf
Product: Red Hat Enterprise Linux 7 Reporter: Pavan <pkesavar>
Component: certmongerAssignee: Rob Crittenden <rcritten>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: 7.6CC: ggrasza, hrybacki, jjoyce, jschluet, nalin, pvoborni, slinaber, tvignaud
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-03 17:09:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1595876, 1700520    

Description Pavan 2019-04-16 18:48:30 UTC 
Description of problem:

On an undercloud SSL enabled Red Hat OpenStack platform, both certmonger local CA cert and undercloud SSL cert managed by certmonger expires in 1 year. Hence, on undercloud SSL cert renewal, the local CA cert also expires at the same time causing openstack services to become unavailable. 

The local CA does not honor changing the validity_period = 1y beyond its default value seen.

undercloud file location - '/etc/certmonger/certmonger.conf'

# This is the certmonger configuration file.  The format is a rather basic
# INI-style file.  See certmonger.conf(5) for notes about individual settings.
# · initial whitespace is ignored
# · whitespace between the key name and "=" is ignored
# · whitespace after "=" is ignored
# · trailing whitespace after values is ignored
# · comments begin with "#"
# · keys and section names are case-sensitive
# · there is no end-of-line continuation
#
# [defaults]
# notification_method = syslog
# notification_destination = daemon.notice
#
# [selfsign]
# validity_period = 1y
#
# [local]
# validity_period = 1y
#


Version-Release number of selected component (if applicable):
Red Hat OpenStack PLatform OSP-13



How reproducible:


Steps to Reproduce:
1. Change [local] validity_period = 3y in /etc/certmonger/certmonger.conf on undercloud node.
2. Deploy undercloud stack
3. Use below command to verify local ca cert expiry date set to 3 years
openssl x509 -in /etc/pki/ca-trust/source/anchors/cm-local-ca.pem -noout -text

Actual results:
local ca cert has expiry period 1 year


Expected results:
local ca cert has expiry period 3 years



Additional info:
Previously verified in RHOSP-13 with core_puddle_version 2019-04-10.1
Comment 3 Rob Crittenden 2019-05-01 19:39:31 UTC 
The local CA doesn't use /etc for configuration. It uses configuration on a "per-session" basis and is really intended as a per-user CA for development AFAICT, by the user running certmonger directly. The docs refer to it multiple times as a "toy". The local CA is very much still a work in process though I should point out that upstream is not currently working, and has not worked on this in years.

When running as root certmonger looks for the configuration in /run/certmonger/.config/certmonger/certmonger.conf. So one workaround would be to drop a file in there before starting certmonger for the first time, or removing the local CA, create the file and restart certmonger.

# cat /run/certmonger/.config/certmonger/certmonger.conf
[local]
validity_period = 2y
# systemctl stop certmonger
# rm -f /var/lib/certmonger/local/*
# systemctl start certmonger

To confirm that the cert was issued two years from now:

# openssl pkcs12 -info -in  /var/lib/certmonger/local/creds -nokeys -password pass:'' | openssl x509 -text | grep 'Not After :'
MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
            Not After : May  1 19:18:19 2021 GMT