Bug 1906320

Summary: Recreate engine HTTPS certificate in engine-setup during upgrade when certificate validity period is longer than 398 days
Product: [oVirt] ovirt-engine
Reporter: Krist van Besien <kvanbesi>
Component: Setup.Engine
Assignee: Dana <delfassy>
Status: CLOSED CURRENTRELEASE
QA Contact: Petr Matyáš <pmatyas>
Severity: medium
Docs Contact:
Priority: high
Version: 4.4.3.12
CC: bugs, gdeolive, mperina
Target Milestone: ovirt-4.4.5
Keywords: Reopened
Target Release: ---
Flags: pm-rhel: ovirt-4.4+, gdeolive: testing_ack+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovirt-engine-4.4.5.7
Doc Type: Release Note
Doc Text:
Up until 4.4.5, RHV Manager HTTPS certificates were valid for 5 years. Due to recent efforts to reduce certificate lifetime [1], the validity of engine certificates was reduced to 398 days. This change doesn't affect existing setups, but when running a new engine-setup the engine's certificates will be verified to be valid for at most 398 days. If they are valid for a longer period, the user will be asked to renew the certificates. [1] https://www.thesslstore.com/blog/ssl-certificate-validity-will-be-limited-to-one-year-by-apples-safari-browser/
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-03-18 15:12:44 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Krist van Besien 2020-12-10 09:22:32 UTC
Description of problem:

When running engine-setup it should detect if a certificate has too long a validity that would cause it to be rejected by modern browsers.

Version-Release number of selected component (if applicable):

ovirt-engine-setup-base-4.4.3.12-0.1.el8ev.noarch

How reproducible:

Always

Steps to Reproduce:

Conditions: 
 cluster in global maintenance
 engine and other certificates have a validity longer than 397 days

1. run engine-setup
2. accept default answers everywhere.


Actual results:

engine-setup does not offer to renew the certificates.


setup runs without issues, but without offering to replace certificates.

Expected results:

setup runs without issues, and offers to replace the certificates.


Additional info:

See https://access.redhat.com/solutions/2985561 where it is suggested that engine-setup should be doing this.

Comment 1 Martin Perina 2020-12-10 12:50:27 UTC
engine-setup regenerates engine and CA certificate only if:

1. The CA or engine certificate is expired
2. engine certificate has invalid SAN record

If customers are upgrading from a previous installation, we are not considering renewal of certificates which were created with a longer validity period than 398 days (more info in BZ1824103).

Anyway, for production environments it's highly recommended to replace the default RHV Manager HTTPS certificate with a custom certificate signed by a proper certification authority as described in https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_CA_Certificate
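
The validity-period check that Comment 1 says engine-setup lacked before this fix, as an added shell example (not oVirt's own code): it reads a PEM certificate with the openssl CLI and GNU date and flags any validity period longer than 398 days. The certificate path is supplied by the caller, since the engine's certificate locations are not given on this page; the demo below generates two throw-away self-signed certificates (constructed input), one with the old 5-year lifetime and one with 398 days.

```shell
#!/bin/sh
# Added example: flag an X.509 certificate whose validity period exceeds the
# 398-day limit discussed in this bug. Needs the openssl CLI and GNU date.
MAX_DAYS=398

# Print the validity period of a PEM certificate in whole days
# (notAfter - notBefore, floored).
cert_validity_days() {
    nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    start=$(date -u -d "$nb" +%s)
    end=$(date -u -d "$na" +%s)
    echo $(( (end - start) / 86400 ))
}

# Exit 0 (renewal needed) when the certificate is valid for more than
# MAX_DAYS, 1 otherwise. This is the check engine-setup did not perform
# on upgrade before 4.4.5; it complements, not replaces, the expiry and
# SAN checks listed in Comment 1.
needs_renewal() {
    days=$(cert_validity_days "$1")
    [ "$days" -gt "$MAX_DAYS" ]
}

# Constructed demo certificates: a 5-year one (the pre-4.4.5 default
# lifetime from the Doc Text) and a 398-day one.
workdir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=engine.example \
    -keyout "$workdir/old.key" -out "$workdir/old.cer" -days 1825 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=engine.example \
    -keyout "$workdir/new.key" -out "$workdir/new.cer" -days 398 2>/dev/null

for c in old new; do
    if needs_renewal "$workdir/$c.cer"; then
        echo "$c.cer: valid for $(cert_validity_days "$workdir/$c.cer") days (> $MAX_DAYS), renewal needed"
    else
        echo "$c.cer: validity within $MAX_DAYS days, ok"
    fi
done
```

Point `needs_renewal` at the engine's HTTPS certificate on the Manager host to reproduce the decision engine-setup now makes during upgrade.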

Comment 2 Martin Perina 2020-12-10 14:30:35 UTC
OK, reopening after offline discussion

Comment 3 Petr Matyáš 2021-03-02 17:32:32 UTC
Verified on ovirt-engine-setup-4.4.5.7-0.1.el8ev.noarch

As per hitting this question during upgrade I guess it should have been ON_QA some time ago.

Comment 4 Sandro Bonazzola 2021-03-18 15:12:44 UTC
This bugzilla is included in oVirt 4.4.5 release, published on March 18th 2021.

Since the problem described in this bug report should be resolved in oVirt 4.4.5 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.