Bug 1258021 - [engine] already expired CA cert is detected as about to expire
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
3.6.0
Unspecified Unspecified
high Severity high
: ovirt-3.6.0-rc
: 3.6.0
Assigned To: Moti Asayag
Jiri Belka
Depends On:
Blocks:
Reported: 2015-08-28 12:35 EDT by Jiri Belka
Modified: 2016-04-19 21:36 EDT

See Also:
Fixed In Version: 3.6.0-12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-04-19 21:36:31 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
oVirt gerrit | 45689 | master | MERGED | engine: Log proper log type per expiration event | Never
oVirt gerrit | 45690 | ovirt-engine-3.6 | MERGED | engine: Log proper log type per expiration event | Never

Description Jiri Belka 2015-08-28 12:35:29 EDT
Description of problem:

same issue as for engine cert, BZ1257981

[root@jb-bz1 ~]# date
Tue Aug 28 18:30:00 CEST 2018
[root@jb-bz1 ~]# openssl x509 -in /etc/pki/ovirt-engine/ca.pem -startdate -enddate -noout
notBefore=Aug 27 15:59:22 2015 GMT
notAfter=May 24 15:59:22 2018 GMT

[root@jb-bz1 ~]# grep 'CA certification' /var/log/ovirt-engine/engine.log 
2018-08-28 18:24:24,151 WARN  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler_Worker-7) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: oVirt-engine's CA certification is about to expire at 2018-05-24.

Version-Release number of selected component (if applicable):
rhevm-backend-3.6.0-0.12.master.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. install rhevm, engine-setup, stop all ovirt related daemons (incl DB)
2. change time to have expired CA cert
3. start DB, engine

Actual results:
expired CA cert is detected as not expired but about to expire

Expected results:
oVirt-engine's CA certification has expired at ${ExpirationDate}.

Additional info:
imo it's a condition issue somewhere as BZ1257981 is similar, check with that
Comment 1 Jiri Belka 2015-09-16 10:28:36 EDT
ok, rhevm-backend-3.6.0-0.15.master.el6.noarch

  > current date: 2015-10-06
  > expire date:  2015-10-05

(OK) 2015-10-06 11:05:57,913 WARN  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler_Worker-11) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: oVirt-engine's CA certification has expired at 2015-10-05.

(Also tested in combination with expiring or already expired engine cert - ovirt CA cert info was always OK but engine certs info got suppressed - https://bugzilla.redhat.com/show_bug.cgi?id=1263697)
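
Added example, not part of the bug report and not ovirt-engine's code: a check over `openssl x509 -enddate` output that tests "expired" before "about to expire", so an already expired CA certificate gets the message the report expects. The 30-day warning window and all function names are assumptions; the message wording is taken from the log lines quoted above.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the page does not state the engine's warning threshold.
WARN_WINDOW = timedelta(days=30)

MESSAGES = {  # wording taken from the log lines quoted in the report
    "expired": "oVirt-engine's CA certification has expired at {date}.",
    "about_to_expire": "oVirt-engine's CA certification is about to expire at {date}.",
}


def parse_enddate(line):
    """Parse 'notAfter=May 24 15:59:22 2018 GMT' as printed by `openssl x509 -enddate`."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter" or not value.endswith(" GMT"):
        raise ValueError(f"not an openssl -enddate line: {line!r}")
    stamp = " ".join(value[:-4].split())  # openssl pads single-digit days: 'May  4'
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def classify(not_after, now, window=WARN_WINDOW):
    """Return 'expired', 'about_to_expire' or 'valid' for an aware UTC `now`."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    # Test expiry first: an expired certificate also satisfies the window test
    # below (the difference is negative), so a lone window test mislabels it.
    if now > not_after:  # the validity period includes notAfter itself
        return "expired"
    if not_after - now <= window:
        return "about_to_expire"
    return "valid"


def audit_message(enddate_line, now):
    """Build the audit log text, or None when no warning is due."""
    not_after = parse_enddate(enddate_line)
    template = MESSAGES.get(classify(not_after, now))
    return template.format(date=not_after.date().isoformat()) if template else None


if __name__ == "__main__":
    # Values from the report: clock at 18:30 CEST (16:30 UTC) on 2018-08-28.
    now = datetime(2018, 8, 28, 16, 30, tzinfo=timezone.utc)
    print(audit_message("notAfter=May 24 15:59:22 2018 GMT", now))
```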
