Bug 1263697
| Summary: | [backend] CA cert expiration checks/info cause no info about expiration of engine cert | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Jiri Belka <jbelka> | ||||||
| Component: | ovirt-engine | Assignee: | Moti Asayag <masayag> | ||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Jiri Belka <jbelka> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | 3.6.0 | CC: | gklein, lsurette, oourfali, pstehlik, rbalakri, Rhev-m-bugs, sherold, srevivo, ykaul, ylavi | ||||||
| Target Milestone: | ovirt-3.6.0-rc | ||||||||
| Target Release: | 3.6.0 | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2016-04-20 01:34:02 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 1074001 [details]
engine-ca_old-engine_old.log.gz
Same issue - when CA cert is expired it does suppress info about engine cert expiration
For #1: Steps to Reproduce: 1. when CA cert already expired it suppresses info about already expired engine cert 2. wait and observe the log Additional tests and failures: - soon expiring CA cert and soon expiring engine cert - already expired CA and soon expiring engine cert ok, rhevm-backend-3.6.0.3-0.1.el6.noarch
ad original steps:
* ca cert is about to expire + engine cert already expired
# date ; openssl x509 -in /etc/pki/ovirt-engine/certs/engine.cer -enddate \
-noout
Tue Dec 1 00:41:22 CET 2015
notAfter=Nov 22 16:59:21 2015 GMT
Dec 1, 2015 12:10:54 AM
Engine's certification has expired at 2015-11-22. Please renew the engine's
certification.
# date ; openssl x509 -in /etc/pki/ovirt-engine/ca.pem -enddate -noout
Tue Dec 1 00:41:59 CET 2015
notAfter=Dec 12 16:59:16 2015 GMT
Dec 1, 2015 12:10:54 AM
Engine's CA certification is about to expire at 2015-12-12.
ad #1:
* expired CA and expired engine cert
- ca:
# date ; openssl x509 -in /etc/pki/ovirt-engine/ca.pem -enddate -noout
Tue Dec 1 00:01:16 CET 2015
notAfter=Nov 18 17:02:35 2015 GMT
Engine's CA certification has expired at 2015-11-18.
- engine:
# date ; openssl x509 -in /etc/pki/ovirt-engine/certs/engine.cer -enddate \
-noout
Tue Dec 1 00:12:38 CET 2015
notAfter=Nov 18 17:02:39 2015 GMT
Engine's certification has expired at 2015-11-18. Please renew the engine's
certification.
ad #3:
* already expired CA and soon expiring engine cert
-ca:
# date ; openssl x509 -in /etc/pki/ovirt-engine/ca.pem -enddate -noout
Wed Nov 18 00:12:14 CET 2015
notAfter=Nov 16 16:46:23 2015 GMT
Engine's CA certification has expired at 2015-11-16.
- engine:
# date ; openssl x509 -in /etc/pki/ovirt-engine/certs/engine.cer -enddate \
-noout
Wed Nov 18 00:12:56 CET 2015
notAfter=Nov 19 16:46:27 2015 GMT
Engine's certification is about to expire at 2015-11-19. Please renew the
engine's certification.
* soon expiring CA cert and soon expiring engine cert
- ca:
# date ; openssl x509 -in /etc/pki/ovirt-engine/ca.pem -enddate -noout
Thu Nov 12 18:06:27 CET 2015
notAfter=Nov 18 17:02:35 2015 GMT
- engine:
# date ; openssl x509 -in /etc/pki/ovirt-engine/certs/engine.cer -enddate \
-noout
Thu Nov 12 18:23:22 CET 2015
notAfter=Nov 18 17:02:39 2015 GMT
Engine's certification is about to expire at 2015-11-18. Please renew the
engine's certification.
|
Created attachment 1073999 [details] engine-ca_almost-engine_old.log.gz Description of problem: - ca cert is about to expire + engine cert already expired > current date: 2025-09-01 > expire date: 2025-09-12 (ca) / 2015-09-20 (engine) (OK) 2025-09-01 14:19:04,403 WARN [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler_Worker-9) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message\ : oVirt-engine's CA certification is about to expire at 2025-09-12. (OK) 2025-09-01 14:19:08,947 FINE [org.ovirt.engine.core.notifier.dao.EventsManager getAuditLogEvents] event 0 => AuditLogEvent:{id='20', logTypeName='ENGINE_CA_CERTIFICATION_IS_ABOUT_TO_EXPIRE', type='alertM\ essage', userId='00000000-0000-0000-0000-000000000000', userName='null', vmId='00000000-0000-0000-0000-000000000000', vmName='null', vmTemplateId='null', vmTemplateName='null', vdsId='null', vdsName='null', stor\ agePoolId='00000000-0000-0000-0000-000000000000', storagePoolName='', storageDomainId='00000000-0000-0000-0000-000000000000', storageDomainName='', logTime='2025-09-01 14:19:04.371', severity='WARNING', message=\ 'oVirt-engine's CA certification is about to expire at 2025-09-12.'} (FAIL) no info about expired engine cert! # grep '^2025.*Message:.*expir' /var/log/ovirt-engine/engine.log 2025-09-01 14:19:04,403 WARN [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler_Worker-9) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: oVi\ rt-engine's CA certification is about to expire at 2025-09-12. # Version-Release number of selected component (if applicable): rhevm-backend-3.6.0-0.15.master.el6.noarch How reproducible: 100% Steps to Reproduce: 1. when CA cert is almost expired it suppresses info about already expired engine cert 2. wait and observe the log 3. Actual results: when CA cert is almost expired it suppresses info about already expired engine cert Expected results: the check should produce info about all certs Additional info: