1572278 – After undercloud ssl certificate is updated, ca-trust is not updated automatically

Bug 1572278 - After undercloud ssl certificate is updated, ca-trust is not updated automatically

Summary: After undercloud ssl certificate is updated, ca-trust is not updated automati...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	puppet-tripleo
Sub Component:
Version:	10.0 (Newton)
Hardware:	Unspecified
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	beta
Target Release:	13.0 (Queens)
Assignee:	RHOS Maint
QA Contact:	Pavan
Docs Contact:
URL:
Whiteboard:
Depends On:	1547248 1595876
Blocks:	1572280 1572282
TreeView+	depends on / blocked

Reported:	2018-04-26 15:15 UTC by Harry Rybacki
Modified:	2021-12-10 16:16 UTC (History)
CC List:	15 users (show)
Fixed In Version:	puppet-tripleo-8.3.2-4.el7ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1547248
Clones:	1572280 1595876 (view as bug list)
Environment:
Last Closed:	2018-06-27 13:53:50 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Launchpad	1753948	None	None	None	2018-04-26 15:15:53 UTC
OpenStack gerrit	553311	None	MERGED	Extract local CA if it expired	2020-09-24 14:23:25 UTC
Red Hat Issue Tracker	OSP-11395	None	None	None	2021-12-10 16:16:43 UTC
Red Hat Knowledge Base (Solution)	3357871	None	None	None	2018-04-26 15:15:53 UTC
Red Hat Product Errata	RHEA-2018:2086	None	None	None	2018-06-27 13:55:07 UTC

Comment 3 Harry Rybacki 2018-04-26 15:51:34 UTC

Upstream review located in openstack-tripleo-8.3.2. Updating fixed-in and moving bug to MODIFIED.

Comment 7 Scott Lewis 2018-04-30 14:59:49 UTC

This item has been properly Triaged and planned for the OSP13 release, and is being tagged for tracking. For details, see https://url.corp.redhat.com/1851efd

Comment 13 Juan Antonio Osorio 2018-06-25 16:25:29 UTC

So, certmonger should update the local CA certificate when at least one of these two things happen:

* when certmonger is restarted
* when a certificate is requested for that CA

so, the thing to verify would be that, when the certificate expires, you should restart certmonger, and then run the undercloud install again. That should update the trust of that certificate.

Comment 14 Rob Crittenden 2018-06-25 19:04:36 UTC

The execution doesn't happen in a shell. This should be put into a script (bash, python, whatever) in /usr/libexec/<something>/<something> and set that as the post command.

You can define arguments to be passed in when setting the post-callback command.

For example:

/usr/libexec/director/renew_cert /etc/pki/tls/certs/undercloud-front.crt  /etc/pki/tls/private/undercloud-front.key /etc/pki/tls/certs/undercloud-192.168.24.2.pem

Comment 16 errata-xmlrpc 2018-06-27 13:53:50 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086

Note You need to log in before you can comment on or make changes to this bug.