Bug 2079890

Summary: renew certificates sooner before they expire
Product: [oVirt] ovirt-engine
Reporter: Michal Skrivanek <michal.skrivanek>
Component: General
Assignee: Milan Zamazal <mzamazal>
Status: CLOSED CURRENTRELEASE
QA Contact: Petr Kubica <pkubica>
Severity: high
Priority: unspecified
Version: ---
CC: bugs, lsvaty, mkalinin, pkubica
Target Milestone: ovirt-4.5.0-1
Flags: pm-rhel: ovirt-4.5?, lsvaty: exception+
Target Release: 4.5.0.7
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ovirt-engine-4.5.0.7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-05-30 06:42:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Infra
Cloudforms Team: ---
Bug Blocks: 2075352

Description Michal Skrivanek 2022-04-28 12:47:26 UTC
IIUC we currently renew certificates that are due to expire:
- 60 days in advance during engine-setup for engine certs and CA
- 30 days (vdc_option CertExpirationAlertPeriodInDays) for host certs (during Host Upgrade)

We can renew sooner than that (with bz# 2079835, bz# 2079799), 365 days in advance, to make sure that we don't get into a situation where certificates expire when there are no host upgrades available. Since our current validity is 13 months, this will make sure that practically all these certs are reissued the first time this changed code runs.

Comment 1 Petr Kubica 2022-05-25 20:55:20 UTC
engine-setup: (after 1 year when engine certificates are about to expire)
- One or more of the certificates should be renewed, because they expire soon, or include an invalid expiry date, or they were created with validity period longer than 398 days, or do not include the subjectAltName extension, which can cause them to be rejected by recent browsers and up to date hosts.

host-upgrade:
during enrolling certificates or host upgrade, relevant certificates were renewed
- new certificates have additional 5 years of validity.

Verified in ovirt-engine-4.5.0.7-0.9.el8ev.noarch
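
The renewal conditions discussed in this bug, as an added sketch that is not ovirt-engine code: it applies the conditions from the engine-setup message and compares the old 60-day window with the 365-day window on a constructed set of certificates. Assumptions: "13 months" is approximated as 396 days, "invalid expiry date" is modelled as notAfter not later than notBefore, and all function and constant names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

MAX_VALIDITY_DAYS = 398   # limit quoted in the engine-setup message
OLD_WINDOW_DAYS = 60      # engine certs and CA before this change
NEW_WINDOW_DAYS = 365     # window proposed in this bug
VALIDITY_DAYS = 396       # assumption: "13 months" approximated as 396 days


def renewal_reasons(not_before, not_after, has_san, now, window_days):
    """Return the reasons to renew a certificate; an empty list means keep it."""
    if not_after <= not_before:
        # Assumption: "invalid expiry date" modelled as notAfter <= notBefore.
        return ["invalid expiry date"]
    reasons = []
    if not_after - now <= timedelta(days=window_days):
        reasons.append("expires soon")
    if not_after - not_before > timedelta(days=MAX_VALIDITY_DAYS):
        reasons.append("validity longer than 398 days")
    if not has_san:
        reasons.append("no subjectAltName")
    return reasons


def ages_renewed(ages_days, window_days, now, validity_days=VALIDITY_DAYS):
    """Ages (days since issuance) of otherwise-clean certs that get renewed."""
    renewed = []
    for age in ages_days:
        not_before = now - timedelta(days=age)
        not_after = not_before + timedelta(days=validity_days)
        if renewal_reasons(not_before, not_after, True, now, window_days):
            renewed.append(age)
    return renewed


# Constructed sample: one certificate issued every 30 days over the past year.
NOW = datetime(2022, 4, 28, tzinfo=timezone.utc)
SAMPLE_AGES = list(range(0, 391, 30))

if __name__ == "__main__":
    for window in (OLD_WINDOW_DAYS, NEW_WINDOW_DAYS):
        hit = ages_renewed(SAMPLE_AGES, window, NOW)
        print(f"{window:>3}-day window renews {len(hit)}/{len(SAMPLE_AGES)}: {hit}")
```

Under these assumptions the 365-day window leaves only certificates issued within the last 31 days unrenewed, while the 60-day window catches only those older than about 11 months.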