Bug 2097725

Summary: Certificate Warn period and automatic renewal via engine-setup do not match
Product: Red Hat Enterprise Virtualization Manager
Reporter: Ulhas Surse <usurse>
Component: ovirt-engine
Assignee: Milan Zamazal <mzamazal>
Status: CLOSED ERRATA
QA Contact: Pavol Brilla <pbrilla>
Severity: high
Docs Contact:
Priority: high
Version: 4.5.0
CC: ahadas, arsene.gschwind, bcholler, bugs, delfassy, dfodor, emarcus, klaas, lleistne, lsvaty, mperina
Target Milestone: ovirt-4.5.2
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovirt-engine-4.5.2
Doc Type: Bug Fix
Doc Text:
Previously, the Manager issued warnings about approaching certificate expiration before engine-setup could update the certificates. In this release the expiration warning and certificate update periods are aligned, and certificates are updated as soon as the warnings about their upcoming expiration occur.
Story Points: ---
Clone Of: 2096862
Environment:
Last Closed: 2022-09-08 11:28:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2096862
Bug Blocks:

Description Ulhas Surse 2022-06-16 12:10:22 UTC
+++ This bug was initially created as a clone of Bug #2096862 +++

Description of problem:
Currently I am receiving warnings that my engine/apache certificates are about to expire. I would expect them to be renewed via engine-setup --offline but that does not happen.

I am not sure if the warn period of 365 days is a good idea, though; that means the web certificates are almost always in the warn period because they are only valid for 398 days.

Maybe we need a 2nd warn period for the short-lived certs of 60 days to fit the engine-setup renewal setting.


Version-Release number of selected component (if applicable):
ovirt-engine-setup-4.5.0.7-0.9.el8ev.noarch


How reproducible:
Have a cert that is about to expire (in my case in ~3 months). See that the engine is warning about the validity, but engine-setup does not create new certs (or re-sign the old ones).

openssl x509 -dates -subject -issuer -noout -in /etc/pki/ovirt-engine/certs/apache.cer
notBefore=Aug 10 09:21:26 2021 GMT
notAfter=Sep 13 09:21:26 2022 GMT


openssl x509 -dates -subject -issuer -noout -in /etc/pki/ovirt-engine/certs/engine.cer
notBefore=Aug 10 09:19:39 2021 GMT
notAfter=Sep 13 09:19:39 2022 GMT


openssl x509 -dates -subject -issuer -noout -in /etc/pki/ovirt-engine/ca.pem
notBefore=Apr 22 19:11:59 2021 GMT
notAfter=Apr 21 19:11:59 2031 GMT


Steps to Reproduce:
1. Have a cert that is about to expire in ~90 days
2. See the message in the manager webui
3. Run engine-setup --offline


Actual results:
Certs still about to expire in ~90 days

Expected results:
Certs will be renewed


Additional info:
I am guessing this is because of the values here:
CertExpirationWarnPeriodInDays (default: https://github.com/oVirt/ovirt-engine/blob/aae60b369fc1dc0213def1bfbf0ab247683ccc5c/packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql#L867 )

Period before renewal: 60 days, hardcoded ( https://github.com/oVirt/ovirt-engine/blob/master/packaging/setup/ovirt_engine_setup/engine_common/pki_utils.py#L65 )

--- Additional comment from Klaas Demter on 2022-06-14 13:08:24 UTC ---

Could be related to the changes from https://bugzilla.redhat.com/show_bug.cgi?id=2079890

--- Additional comment from RHEL Program Management on 2022-06-16 08:41:48 UTC ---

The documentation text flag should only be set after the 'doc text' field is provided. Please provide the documentation text and set the flag to '?' again.

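The mismatch the report describes (a 365-day warn period against a 60-day renewal threshold on 398-day certificates) can be checked from the openssl output quoted above. The following is an added illustration, not code from ovirt-engine: the thresholds and dates are taken from the report as stated, the "as of" time is the report's own timestamp, and the alignment case simply sets the renewal threshold equal to the warn period, which is how the fix is described in the Doc Text.

```python
"""Check a certificate's notAfter against the engine warn period and the
engine-setup renewal threshold, as the bug report describes them."""
from datetime import datetime, timezone

# Values as stated in the report (assumed here, not read from a live engine):
WARN_PERIOD_DAYS = 365   # CertExpirationWarnPeriodInDays default per the report
RENEW_BEFORE_DAYS = 60   # engine-setup renewal threshold per the report
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"

# Sample input: the `openssl x509 -dates -noout` output quoted in the report.
APACHE_CER_DATES = """notBefore=Aug 10 09:21:26 2021 GMT
notAfter=Sep 13 09:21:26 2022 GMT
"""
CA_PEM_DATES = """notBefore=Apr 22 19:11:59 2021 GMT
notAfter=Apr 21 19:11:59 2031 GMT
"""


def parse_not_after(openssl_dates_output: str) -> datetime:
    """Extract the notAfter timestamp (UTC) from `openssl x509 -dates` output."""
    for line in openssl_dates_output.splitlines():
        if line.startswith("notAfter="):
            value = line.split("=", 1)[1].strip()
            return datetime.strptime(value, OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)
    raise ValueError("no notAfter line found in openssl output")


def assess(openssl_dates_output: str, as_of: str,
           warn_days: int = WARN_PERIOD_DAYS,
           renew_days: int = RENEW_BEFORE_DAYS) -> dict:
    """Report whether the engine would warn, whether engine-setup would renew,
    and whether the two disagree. `as_of` is 'YYYY-MM-DD HH:MM:SS' in UTC."""
    not_after = parse_not_after(openssl_dates_output)
    now = datetime.strptime(as_of, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    days_left = (not_after - now).days
    warned = days_left <= warn_days
    renewed = days_left <= renew_days
    return {"days_left": days_left, "warned": warned,
            "renewed_by_setup": renewed, "mismatch": warned and not renewed}


if __name__ == "__main__":
    as_of = "2022-06-16 12:10:22"  # timestamp of the report
    print("apache.cer, thresholds as reported:", assess(APACHE_CER_DATES, as_of))
    print("apache.cer, thresholds aligned:    ",
          assess(APACHE_CER_DATES, as_of, renew_days=WARN_PERIOD_DAYS))
    print("ca.pem:", assess(CA_PEM_DATES, as_of))
```

With the thresholds as reported, apache.cer is inside the warn window but outside the renewal window, which is the "warned but not renewed" state the reporter saw; with the thresholds aligned the same certificate is renewed.
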
Comment 4 Pavol Brilla 2022-08-10 19:46:45 UTC
Once I got a message in the engine about expiry (>200 days), engine-setup regenerated certs.


Version RHV 4.4 SP1 [ovirt-engine-4.5.2-0.3.el8ev]

Comment 8 errata-xmlrpc 2022-09-08 11:28:53 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: RHV Manager (ovirt-engine) [ovirt-4.5.2] bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:6393

Comment 9 Eli Marcus 2022-09-08 18:14:12 UTC
*** Bug 2096862 has been marked as a duplicate of this bug. ***