Bug 2138997

Summary: Default install of undercloud certificate trusts breaks after 1 year
Product: Red Hat OpenStack
Reporter: David Sedgmen <dsedgmen>
Component: openstack-tripleo-heat-templates
Assignee: David Sedgmen <dsedgmen>
Status: NEW
QA Contact: Joe H. Rahme <jhakimra>
Severity: low
Priority: low
Version: 17.0 (Wallaby)
CC: alee, dwilde, mburns
Target Milestone: zstream
Keywords: Triaged
Flags: ifrangs: needinfo? (dsedgmen)
Hardware: Unspecified
OS: Unspecified
Type: Bug

Description David Sedgmen 2022-10-31 23:17:12 UTC
Description of problem:

Default install of undercloud will break after 1 year, because of how local certificate generation is handled


How reproducible: 
Will happen if an undercloud install is not run for about a year


Actual results:

undercloud cli command will throw a certificate trust error after a year


Expected results:

The undercloud server certificate to be trusted by the director


Additional info:

There is a fix upstream for Train for this issue in puppet-tripleo:
https://review.opendev.org/c/openstack/puppet-tripleo/+/855310

And downstream bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2104546

But this fix would need to be refactored for any release from Wallaby onwards, as the certmonger post-save renewal script was moved from puppet-tripleo to tripleo-ansible in Wallaby.