Bug 2096862

Summary: Certificate Warn period and automatic renewal via engine-setup do not match
Product: [oVirt] ovirt-engine Reporter: Klaas Demter <klaas>
Component: Setup.EngineCommonAssignee: Milan Zamazal <mzamazal>
Status: CLOSED DUPLICATE QA Contact: Pavol Brilla <pbrilla>
Severity: high Docs Contact:
Priority: high    
Version: 4.5.0.7CC: ahadas, bugs, dfodor, emarcus, gdeolive, matonb, mperina
Target Milestone: ovirt-4.5.2Flags: mperina: ovirt-4.5+
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ovirt-engine-4.5.2 Doc Type: Bug Fix
Doc Text:
Previously, the Manager issued warnings about approaching certificate expiration before the engine-setup could update the certificates. With this release, the warning and update periods are aligned and certificates can be updated as soon as the warnings about their upcoming expiration occur.
 Story Points: ---
Clone Of:
: 2097725 (view as bug list) Environment:
Last Closed: 2022-08-30 08:47:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2097725    

Description Klaas Demter 2022-06-14 12:52:48 UTC 
Description of problem:
Currently I am receiving warnings that my engine/apache certificates are about to expire. I would expect them to be renewed via engine-setup --offline but that does not happen.

I am not sure if the warn period of 365 days is a good idea though, that means the web certificates are almost always in warn period because they are only valid for 398 days.

Maybe we need a 2nd warn period for the short-lived certs of 60 days to fit the engine-setup renewal setting.


Version-Release number of selected component (if applicable):
ovirt-engine-setup-4.5.0.7-0.9.el8ev.noarch


How reproducible:
Have a cert that is about to expire (in my case in ~3 months). See that the engine is warning about the validity, but engine-setup does not create new certs (or resigns the old ones).

openssl x509 -dates -subject -issuer -noout -in /etc/pki/ovirt-engine/certs/apache.cer
notBefore=Aug 10 09:21:26 2021 GMT
notAfter=Sep 13 09:21:26 2022 GMT


openssl x509 -dates -subject -issuer -noout -in /etc/pki/ovirt-engine/certs/engine.cer
notBefore=Aug 10 09:19:39 2021 GMT
notAfter=Sep 13 09:19:39 2022 GMT


openssl x509 -dates -subject -issuer -noout -in /etc/pki/ovirt-engine/ca.pem
notBefore=Apr 22 19:11:59 2021 GMT
notAfter=Apr 21 19:11:59 2031 GMT


Steps to Reproduce:
1. have cert that is about to expire in ~90 days
2. see message in manager webui
3. run engine-setup --offline


Actual results:
Certs still about to expire in ~90 days

Expected results:
Certs will be renewed


Additional info:
I am guessing this is because of the values here:
CertExpirationWarnPeriodInDays (default: https://github.com/oVirt/ovirt-engine/blob/aae60b369fc1dc0213def1bfbf0ab247683ccc5c/packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql#L867 )

period before renewal 60 days hardcoded ( https://github.com/oVirt/ovirt-engine/blob/master/packaging/setup/ovirt_engine_setup/engine_common/pki_utils.py#L65 )
Comment 1 Klaas Demter 2022-06-14 13:08:24 UTC 
Could be related to the changes from https://bugzilla.redhat.com/show_bug.cgi?id=2079890
Comment 2 RHEL Program Management 2022-06-16 08:41:48 UTC 
The documentation text flag should only be set after 'doc text' field is provided. Please provide the documentation text and set the flag to '?' again.
Comment 4 Milan Zamazal 2022-06-22 19:06:15 UTC 
> I am not sure if the warn period of 365 days is a good idea though, that means the web certificates are almost always in warn period because they are only valid for 398 days.

I think the 365 days warning period applies only to the CA, Engine (the non-web one) and host certificates. Do you get so early warnings for other certificates?
Comment 5 Klaas Demter 2022-06-22 21:04:58 UTC 
(In reply to Milan Zamazal from comment #4)
> > I am not sure if the warn period of 365 days is a good idea though, that means the web certificates are almost always in warn period because they are only valid for 398 days.
> 
> I think the 365 days warning period applies only to the CA, Engine (the
> non-web one) and host certificates. Do you get so early warnings for other
> certificates?

I think you are right about it only warning about the engine cert, not the apache cert. But they are both short lived:
openssl x509 -dates -subject -issuer -noout -in /etc/pki/ovirt-engine/certs/apache.cer
notBefore=Aug 10 09:21:26 2021 GMT
notAfter=Sep 13 09:21:26 2022 GMT


openssl x509 -dates -subject -issuer -noout -in /etc/pki/ovirt-engine/certs/engine.cer
notBefore=Aug 10 09:19:39 2021 GMT
notAfter=Sep 13 09:19:39 2022 GMT

I just assumed it was talking about both of them because they have the same enddate :) But the warning states "Engine's certification is about to expire at 2022-09-13. Please renew the engine's certification."

but basically I'd say as a customer I would want the following outcome:
a) Do not warn about the certs until I should react, so a couple of months should be fine for all of them; 365 days is definitely too long for a cert that has a lifespan of 398 days 
b) I want warnings about all relevant certs, including the apache one
c) as soon as you're getting warnings about them a engine-setup should renew those certs
Comment 6 Milan Zamazal 2022-06-23 07:31:28 UTC 
> But they are both short lived:

The life of the Engine certificate was extended to 5 years in 4.5.1. Once you renew it, you shouldn't be bothered by its next renewal for 4 years.

> but basically I'd say as a customer I would want the following outcome:
> a) Do not warn about the certs until I should react, so a couple of months should be fine for all of them; 365 days is definitely too long for a cert that has a lifespan of 398 days 

This should be satisfied in 4.5.1.

> b) I want warnings about all relevant certs, including the apache one

Would you like to file a separate bug about this? While it is related, it is a different issue that would be easier to handle separately.

> c) as soon as you're getting warnings about them a engine-setup should renew those certs

This should be fixed by the proposed patch here. Although only if the default warning period is not changed; but with the changed lifespans in 4.5.1, there should be usually no reason to change it.
Comment 7 Milan Zamazal 2022-06-28 08:25:03 UTC 
*** Bug 2093954 has been marked as a duplicate of this bug. ***
Comment 8 Pavol Brilla 2022-08-10 19:45:49 UTC 
Once I got message in engine about expirity ( >200 days ), engine-setup regenerated certs.


Version RHV 4.4 SP1 [ovirt-engine-4.5.2-0.3.el8ev]
Comment 9 Sandro Bonazzola 2022-08-30 08:47:42 UTC 
This bugzilla is included in oVirt 4.5.2 release, published on August 10th 2022.
Since the problem described in this bug report should be resolved in oVirt 4.5.2 release, it has been closed with a resolution of CURRENT RELEASE.
If the solution does not work for you, please open a new bug report.
Comment 10 Eli Marcus 2022-09-08 18:14:12 UTC 

*** This bug has been marked as a duplicate of bug 2097725 ***