Bug 1683281 - Hosts cert reenrolment in upgrade should be executed sooner than certs are expired
Summary: Hosts cert reenrolment in upgrade should be executed sooner than certs are ex...
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Host-Deploy
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ovirt-4.3.4
: 4.3.4
Assignee: Ori Liel
QA Contact: Petr Matyáš
Depends On: 1649285
TreeView+ depends on / blocked
Reported: 2019-02-26 13:59 UTC by Petr Matyáš
Modified: 2019-06-11 06:24 UTC (History)
4 users (show)

Fixed In Version: ovirt-engine-4.3.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-11 06:24:01 UTC
oVirt Team: Infra
pm-rhel: ovirt-4.3+
lleistne: testing_ack+

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
oVirt gerrit 99012 0 master MERGED Host Certificate Reenrollment Done Too Late 2019-04-11 11:49:12 UTC
oVirt gerrit 99450 0 ovirt-engine-4.3 MERGED Host Certificate Reenrollment Done Too Late 2019-04-23 11:04:21 UTC

Description Petr Matyáš 2019-02-26 13:59:18 UTC
Description of problem:
Now that we have certificate reenrolment in upgrade it would be much more useful to have it executed like a month before expiration and not when the cert is already expired.
There already is a notification for engine certificate expiration month before and engine certs are suggested to be reenrolled during engine setup month before expiration.

With current implementation when host certificate expires, the host is marked as unassigned and it is not possible (without changes to DB) to upgrade/reenroll certificates so if this would be executed during upgrade sooner it might mitigate some issues.

Version-Release number of selected component (if applicable):

Comment 1 Martin Perina 2019-03-05 13:43:45 UTC
We could use "-attime timestamp" parameter of "openssl verify" and set it to current timestamp + ConfigValue.CertExpirationAlertPeriodInDays, (by default 7 days), meaning that if certification will expire in 7 or less days, we will renew it

Comment 2 Petr Matyáš 2019-05-22 10:38:17 UTC
Verified on ovirt-engine-4.3.4-0.1.el7.noarch

Comment 3 Sandro Bonazzola 2019-06-11 06:24:01 UTC
This bugzilla is included in oVirt 4.3.4 release, published on June 11th 2019.

Since the problem described in this bug report should be
resolved in oVirt 4.3.4 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

Note You need to log in before you can comment on or make changes to this bug.