Created attachment 1073999
engine-ca_almost-engine_old.log.gz

Description of problem:

- ca cert is about to expire + engine cert already expired

> current date: 2025-09-01
> expire date: 2025-09-12 (ca) / 2015-09-20 (engine)

(OK)
2025-09-01 14:19:04,403 WARN [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler_Worker-9) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: oVirt-engine's CA certification is about to expire at 2025-09-12.

(OK)
2025-09-01 14:19:08,947 FINE [org.ovirt.engine.core.notifier.dao.EventsManager getAuditLogEvents] event 0 => AuditLogEvent:{id='20', logTypeName='ENGINE_CA_CERTIFICATION_IS_ABOUT_TO_EXPIRE', type='alertMessage', userId='00000000-0000-0000-0000-000000000000', userName='null', vmId='00000000-0000-0000-0000-000000000000', vmName='null', vmTemplateId='null', vmTemplateName='null', vdsId='null', vdsName='null', storagePoolId='00000000-0000-0000-0000-000000000000', storagePoolName='', storageDomainId='00000000-0000-0000-0000-000000000000', storageDomainName='', logTime='2025-09-01 14:19:04.371', severity='WARNING', message='oVirt-engine's CA certification is about to expire at 2025-09-12.'}

(FAIL) no info about expired engine cert!

# grep '^2025.*Message:.*expir' /var/log/ovirt-engine/engine.log
2025-09-01 14:19:04,403 WARN [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler_Worker-9) [] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: oVirt-engine's CA certification is about to expire at 2025-09-12.
#

Version-Release number of selected component (if applicable):
rhevm-backend-3.6.0-0.15.master.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. when CA cert is almost expired it suppresses info about already expired engine cert
2. wait and observe the log
3.

Actual results:
when CA cert is almost expired it suppresses info about already expired engine cert

Expected results:
the check should produce info about all certs

Additional info:

Created attachment 1074001
engine-ca_old-engine_old.log.gz

Same issue - when CA cert is expired it does suppress info about engine cert expiration

For #1:

Steps to Reproduce:
1. when CA cert already expired it suppresses info about already expired engine cert
2. wait and observe the log

Additional tests and failures:

- soon expiring CA cert and soon expiring engine cert
- already expired CA and soon expiring engine cert

ok, rhevm-backend-3.6.0.3-0.1.el6.noarch

ad original steps:

* ca cert is about to expire + engine cert already expired

# date ; openssl x509 -in /etc/pki/ovirt-engine/certs/engine.cer -enddate \
  -noout
Tue Dec 1 00:41:22 CET 2015
notAfter=Nov 22 16:59:21 2015 GMT

Dec 1, 2015 12:10:54 AM
Engine's certification has expired at 2015-11-22. Please renew the engine's certification.

# date ; openssl x509 -in /etc/pki/ovirt-engine/ca.pem -enddate -noout
Tue Dec 1 00:41:59 CET 2015
notAfter=Dec 12 16:59:16 2015 GMT

Dec 1, 2015 12:10:54 AM
Engine's CA certification is about to expire at 2015-12-12.

ad #1:

* expired CA and expired engine cert

- ca:

# date ; openssl x509 -in /etc/pki/ovirt-engine/ca.pem -enddate -noout
Tue Dec 1 00:01:16 CET 2015
notAfter=Nov 18 17:02:35 2015 GMT

Engine's CA certification has expired at 2015-11-18.

- engine:

# date ; openssl x509 -in /etc/pki/ovirt-engine/certs/engine.cer -enddate \
  -noout
Tue Dec 1 00:12:38 CET 2015
notAfter=Nov 18 17:02:39 2015 GMT

Engine's certification has expired at 2015-11-18. Please renew the engine's certification.

ad #3:

* already expired CA and soon expiring engine cert

- ca:

# date ; openssl x509 -in /etc/pki/ovirt-engine/ca.pem -enddate -noout
Wed Nov 18 00:12:14 CET 2015
notAfter=Nov 16 16:46:23 2015 GMT

Engine's CA certification has expired at 2015-11-16.

- engine:

# date ; openssl x509 -in /etc/pki/ovirt-engine/certs/engine.cer -enddate \
  -noout
Wed Nov 18 00:12:56 CET 2015
notAfter=Nov 19 16:46:27 2015 GMT

Engine's certification is about to expire at 2015-11-19. Please renew the engine's certification.

* soon expiring CA cert and soon expiring engine cert

- ca:

# date ; openssl x509 -in /etc/pki/ovirt-engine/ca.pem -enddate -noout
Thu Nov 12 18:06:27 CET 2015
notAfter=Nov 18 17:02:35 2015 GMT

- engine:

# date ; openssl x509 -in /etc/pki/ovirt-engine/certs/engine.cer -enddate \
  -noout
Thu Nov 12 18:23:22 CET 2015
notAfter=Nov 18 17:02:39 2015 GMT

Engine's certification is about to expire at 2015-11-18. Please renew the engine's certification.
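
The behaviour requested in this thread, as an added Python example that is not from the bug report or from oVirt's code: each certificate's `notAfter` line (the `openssl x509 -enddate -noout` format shown above) is classified on its own, so a CA finding never hides an engine finding. The 30-day warning window, the function names and the fixed `NOW` are assumptions; the `notAfter` values are copied from the verification comment.

```python
from datetime import datetime, timedelta, timezone

# Assumed warning window; the thread does not state the engine's real threshold.
WARN_WINDOW = timedelta(days=30)

def parse_not_after(line):
    """Parse one 'notAfter=...' line printed by `openssl x509 -enddate -noout`."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter" or not value:
        raise ValueError(f"not an -enddate line: {line!r}")
    # openssl pads single-digit days with an extra space; collapse it first.
    value = " ".join(value.split())
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)

def classify(not_after, now):
    """Return 'expired', 'about_to_expire' or None for a healthy certificate."""
    if not_after <= now:
        return "expired"
    if not_after - now <= WARN_WINDOW:
        return "about_to_expire"
    return None

def check_all(enddates, now):
    """Check every certificate independently and report one finding per cert."""
    findings = []
    for name, line in enddates.items():
        not_after = parse_not_after(line)
        state = classify(not_after, now)
        if state is not None:  # no early return: later certs are still checked
            findings.append((name, state, not_after.date().isoformat()))
    return findings

# Constructed clock; notAfter values copied from the verification comment above.
NOW = datetime(2015, 12, 1, tzinfo=timezone.utc)
CA_SOON_ENGINE_EXPIRED = {
    "ca": "notAfter=Dec 12 16:59:16 2015 GMT",
    "engine": "notAfter=Nov 22 16:59:21 2015 GMT",
}
BOTH_EXPIRED = {
    "ca": "notAfter=Nov 18 17:02:35 2015 GMT",
    "engine": "notAfter=Nov 18 17:02:39 2015 GMT",
}

if __name__ == "__main__":
    for scenario in (CA_SOON_ENGINE_EXPIRED, BOTH_EXPIRED):
        for name, state, date in check_all(scenario, NOW):
            print(f"{name}: {state} at {date}")
```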