Bug 1832210

Summary: recent clients reject certificates valid for more than 825 days
Product: [oVirt] ovirt-engine
Reporter: Yedidyah Bar David <didi>
Component: Setup.Engine
Assignee: Sandro Bonazzola <sbonazzo>
Status: CLOSED DUPLICATE
QA Contact: meital avital <mavital>
Severity: unspecified
Priority: unspecified
Version: 4.3.6.7
CC: bugs
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-05-07 07:08:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Integration
Cloudforms Team: ---

Description Yedidyah Bar David 2020-05-06 10:39:35 UTC
Description of problem:

This was originally reported in [1]. Searching bugzilla, I also see bug 1562967 (which was closed automatically, perhaps wrongly).

See also:

1. https://support.apple.com/en-us/HT210176

"TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.

Published Date: November 03, 2019"

2. https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/

This applies to public CAs. It seems to me that Apple's decision to apply this to any cert is stricter-than-needed right now, but I wouldn't be surprised if other browsers would start enforcing similar policies soon.

Currently, the certs we generate by our internal CA are:

- For the CA itself - 3650 days (10 years) [2]
- For entities signed by engine-setup (including https) - 1800 days [3][4]
- For hosts, signed by the engine itself (since 4.4) - 5 years [5]

Probably the https cert is most urgent, and the rest might take years until software starts rejecting them.

[1] https://lists.ovirt.org/archives/list/users@ovirt.org/message/YNL6NSW6GP3IR7GECYE6DNPJA6H2X3RB/
[2] packaging/bin/pki-create-ca.sh:3:CA_DAYS="3650"
[3] packaging/bin/pki-enroll-request.sh:74:DAYS="1800"
[4] packaging/bin/pki-enroll-openssh-cert.sh:71:DAYS="1800"
[5] packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql:527:select fn_db_add_config_value('VdsCertificateValidityInYears','5','general');
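An added check, not part of the bug report or of ovirt-engine, that applies the 825-day limit quoted above to a certificate's NotBefore/NotAfter pair. It parses the two lines printed by `openssl x509 -noout -dates -in cert.pem` (the sample strings below are constructed; the 1800-day one matches the engine-setup default cited in [3]):

```python
"""Flag X.509 certificates whose validity period exceeds 825 days."""
from datetime import datetime, timezone

# Limit from Apple HT210176 / CA-Browser Forum ballot 193, cited above.
MAX_VALIDITY_DAYS = 825

# Constructed samples in the exact format `openssl x509 -noout -dates` prints.
OVIRT_DEFAULT_DATES = (
    "notBefore=May  6 10:39:35 2020 GMT\n"
    "notAfter=Apr 10 10:39:35 2025 GMT\n"   # 1800 days, as in pki-enroll-request.sh
)
COMPLIANT_DATES = (
    "notBefore=May  6 10:39:35 2020 GMT\n"
    "notAfter=Aug  9 10:39:35 2022 GMT\n"   # exactly 825 days
)


def parse_openssl_date(value: str) -> datetime:
    """Parse openssl's 'Mon DD HH:MM:SS YYYY GMT' (day may be space-padded)."""
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT").replace(
        tzinfo=timezone.utc
    )


def validity_days(dates_output: str) -> int:
    """Return NotAfter - NotBefore in whole days from `openssl x509 -dates` output."""
    fields = {}
    for line in dates_output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = parse_openssl_date(value)
    return (fields["notAfter"] - fields["notBefore"]).days


def check_validity(dates_output: str, limit: int = MAX_VALIDITY_DAYS) -> dict:
    """Report the period and whether clients enforcing `limit` would accept it."""
    days = validity_days(dates_output)
    return {"days": days, "limit": limit, "accepted": days <= limit}


if __name__ == "__main__":
    for label, sample in (("engine-setup default", OVIRT_DEFAULT_DATES),
                          ("825-day cert", COMPLIANT_DATES)):
        result = check_validity(sample)
        print(f"{label}: {result['days']} days, "
              f"{'accepted' if result['accepted'] else 'REJECTED'} (limit {result['limit']})")
```

To check a deployed engine certificate, feed it the output of `openssl x509 -noout -dates -in /etc/pki/ovirt-engine/certs/apache.cer` (path assumed from a typical oVirt install).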

Comment 1 Sandro Bonazzola 2020-05-07 07:08:13 UTC
Seems a duplicate of bug #1824103

*** This bug has been marked as a duplicate of bug 1824103 ***