Upstream review located in openstack-tripleo-8.3.2. Updating fixed-in and moving bug to MODIFIED.
This item has been properly Triaged and planned for the OSP13 release, and is being tagged for tracking. For details, see https://url.corp.redhat.com/1851efd
So, certmonger should update the local CA certificate when at least one of these two things happen:
* when certmonger is restarted
* when a certificate is requested for that CA
so, the thing to verify would be that, when the certificate expires, you should restart certmonger, and then run the undercloud install again. That should update the trust of that certificate.
The execution doesn't happen in a shell. This should be put into a script (bash, python, whatever) in /usr/libexec/<something>/<something> and set that as the post command.
You can define arguments to be passed in when setting the post-callback command.
/usr/libexec/director/renew_cert /etc/pki/tls/certs/undercloud-front.crt /etc/pki/tls/private/undercloud-front.key /etc/pki/tls/certs/undercloud-192.168.24.2.pem
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.