Bug 1263697 - [backend] CA cert expiration checks/info cause no info about expiration of engine cert
[backend] CA cert expiration checks/info cause no info about expiration of en...
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine (Show other bugs)
3.6.0
Unspecified Unspecified
medium Severity medium
: ovirt-3.6.0-rc
: 3.6.0
Assigned To: Moti Asayag
Jiri Belka
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-16 08:42 EDT by Jiri Belka
Modified: 2016-04-19 21:34 EDT (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-04-19 21:34:02 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
engine-ca_almost-engine_old.log.gz (133.37 KB, application/x-gzip)
2015-09-16 08:42 EDT, Jiri Belka
no flags Details
engine-ca_old-engine_old.log.gz (151.44 KB, application/x-gzip)
2015-09-16 09:09 EDT, Jiri Belka
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 46286 master NEW engine: Log engine's CA certification expiration Never

  None (edit)
Description Jiri Belka 2015-09-16 08:42:03 EDT
Created attachment 1073999 [details]
engine-ca_almost-engine_old.log.gz

Description of problem:

- ca cert is about to expire + engine cert already expired

  > current date: 2025-09-01
  > expire date:  2025-09-12 (ca) / 2015-09-20 (engine)

(OK) 2025-09-01 14:19:04,403 WARN  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler_Worker-9) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message\
: oVirt-engine's CA certification is about to expire at 2025-09-12.

(OK) 2025-09-01 14:19:08,947 FINE    [org.ovirt.engine.core.notifier.dao.EventsManager getAuditLogEvents] event 0 => AuditLogEvent:{id='20', logTypeName='ENGINE_CA_CERTIFICATION_IS_ABOUT_TO_EXPIRE', type='alertM\
essage', userId='00000000-0000-0000-0000-000000000000', userName='null', vmId='00000000-0000-0000-0000-000000000000', vmName='null', vmTemplateId='null', vmTemplateName='null', vdsId='null', vdsName='null', stor\
agePoolId='00000000-0000-0000-0000-000000000000', storagePoolName='', storageDomainId='00000000-0000-0000-0000-000000000000', storageDomainName='', logTime='2025-09-01 14:19:04.371', severity='WARNING', message=\
'oVirt-engine's CA certification is about to expire at 2025-09-12.'}

(FAIL) no info about expired engine cert!

# grep '^2025.*Message:.*expir' /var/log/ovirt-engine/engine.log
2025-09-01 14:19:04,403 WARN  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler_Worker-9) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: oVi\
rt-engine's CA certification is about to expire at 2025-09-12.
#

Version-Release number of selected component (if applicable):
rhevm-backend-3.6.0-0.15.master.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. when CA cert is almost expired it suppresses info about already
   expired engine cert
2. wait and observe the log
3.

Actual results:
when CA cert is almost expired it suppresses info about already expired engine cert

Expected results:
the check should produce info about all certs

Additional info:
Comment 1 Jiri Belka 2015-09-16 09:09:07 EDT
Created attachment 1074001 [details]
engine-ca_old-engine_old.log.gz

Same issue - when CA cert is expired it does suppress info about engine cert expiration
Comment 2 Jiri Belka 2015-09-16 09:11:49 EDT
For #1:

Steps to Reproduce:
1. when CA cert already expired it suppresses info about already
   expired engine cert
2. wait and observe the log
Comment 3 Jiri Belka 2015-09-16 10:24:24 EDT
Additional tests and failures:

- soon expiring CA cert and soon expiring engine cert
- already expired CA and soon expiring engine cert
Comment 4 Jiri Belka 2015-11-13 12:09:01 EST
ok, rhevm-backend-3.6.0.3-0.1.el6.noarch


ad original steps:

   * ca cert is about to expire + engine cert already expired

     # date ; openssl x509 -in /etc/pki/ovirt-engine/certs/engine.cer -enddate \
       -noout
     Tue Dec  1 00:41:22 CET 2015
     notAfter=Nov 22 16:59:21 2015 GMT
     
     Dec 1, 2015 12:10:54 AM
     Engine's certification has expired at 2015-11-22. Please renew the engine's 
     certification.
	
     # date ; openssl x509 -in /etc/pki/ovirt-engine/ca.pem -enddate -noout
     Tue Dec  1 00:41:59 CET 2015
     notAfter=Dec 12 16:59:16 2015 GMT

     Dec 1, 2015 12:10:54 AM
     Engine's CA certification is about to expire at 2015-12-12.


ad #1:

   * expired CA and expired engine cert

   - ca:
     # date ; openssl x509 -in /etc/pki/ovirt-engine/ca.pem -enddate -noout
     Tue Dec  1 00:01:16 CET 2015
     notAfter=Nov 18 17:02:35 2015 GMT

     Engine's CA certification has expired at 2015-11-18.
     
   - engine:
     # date ; openssl x509 -in /etc/pki/ovirt-engine/certs/engine.cer -enddate \
       -noout
     Tue Dec  1 00:12:38 CET 2015
     notAfter=Nov 18 17:02:39 2015 GMT
     
     Engine's certification has expired at 2015-11-18. Please renew the engine's 
     certification.

ad #3:

   * already expired CA and soon expiring engine cert

   -ca:

   # date ; openssl x509 -in /etc/pki/ovirt-engine/ca.pem -enddate -noout
   Wed Nov 18 00:12:14 CET 2015
   notAfter=Nov 16 16:46:23 2015 GMT

   Engine's CA certification has expired at 2015-11-16.
	
   - engine:

   # date ; openssl x509 -in /etc/pki/ovirt-engine/certs/engine.cer -enddate \
     -noout
   Wed Nov 18 00:12:56 CET 2015
   notAfter=Nov 19 16:46:27 2015 GMT

   Engine's certification is about to expire at 2015-11-19. Please renew the 
   engine's certification.

   * soon expiring CA cert and soon expiring engine cert

   - ca:
     # date ; openssl x509 -in /etc/pki/ovirt-engine/ca.pem -enddate -noout
     Thu Nov 12 18:06:27 CET 2015
     notAfter=Nov 18 17:02:35 2015 GMT


   - engine:
     # date ; openssl x509 -in /etc/pki/ovirt-engine/certs/engine.cer -enddate \
       -noout
     Thu Nov 12 18:23:22 CET 2015
     notAfter=Nov 18 17:02:39 2015 GMT

     Engine's certification is about to expire at 2015-11-18. Please renew the 
     engine's certification.

Note You need to log in before you can comment on or make changes to this bug.