Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1688184

Summary: Users should be notified about PKI expiry
Product: [oVirt] ovirt-engine
Reporter: Yedidyah Bar David <didi>
Component: PKI
Assignee: Martin Perina <mperina>
Status: CLOSED DEFERRED
QA Contact: Lukas Svaty <lsvaty>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 4.3.1
CC: bugs, mperina
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-04-01 14:48:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Yedidyah Bar David 2019-03-13 10:46:51 UTC
Description of problem:

$subject.

See also: bug 1210486, bug 1214860, bug 1450293, bug 1648190, and more recently bug 1686445.

We should somehow make sure users are notified not only by engine-setup, which is normally run only for upgrades. Perhaps the engine itself should check and notify using the existing notification mechanisms, or perhaps some external cron job should, or something like that.

It might make sense to refactor the existing engine-setup code to be usable standalone for this.

Comment 1 Sandro Bonazzola 2019-03-20 08:38:38 UTC
I think best place would be the engine showing a warning when PKI is near to expire.

Comment 2 Martin Perina 2019-03-29 10:51:04 UTC
The engine periodically (each day by default) checks the following certificates [1]:

1. Engine CA
2. Engine
3. Hosts which are Up or NonOperational

When any of those certificates is about to expire, we emit the following messages into audit_log:

1. If the certificate will expire in less than 30 days, we raise a WARNING message into the audit log
2. If the certificate will expire in less than 7 days, we raise an ALERT message into the audit log
3. If the certificate is expired, we raise an ALERT message into the audit log

We cannot do much about hosts which the engine cannot communicate with, because host certificates are not stored on the engine, but I see only 2 use cases here:

1. Hosts are temporarily unavailable (for example Installing, Connecting, NonResponsive, Kdumping, Reboot, ...), so they should be checked during next day(s)
2. Maintenance - administrators should be aware of hosts in maintenance (especially those which are going to stay in Maintenance for longer than 30 days), so they can execute Enroll Certificate to hosts in maintenance before activating them

So is there anything important missing?

[1] https://github.com/oVirt/ovirt-engine/blob/master/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CertificationValidityChecker.java#L65

Comment 3 Yedidyah Bar David 2019-03-31 08:58:46 UTC
(In reply to Martin Perina from comment #2)
> The engine periodically (each day by default) checks the following
> certificates [1]:
> 
> 1. Engine CA
> 2. Engine
> 3. Hosts which are Up or NonOperational
> 
> When any of those certificates is about to expire, we emit the following
> messages into audit_log:
> 
> 1. If the certificate will expire in less than 30 days, we raise a WARNING message
> into the audit log
> 2. If the certificate will expire in less than 7 days, we raise an ALERT message
> into the audit log
> 3. If the certificate is expired, we raise an ALERT message into the audit log

All of this seems reasonable, and I'd close notabug, other than one thing.
engine-setup notifies and prompts under somewhat different conditions:
1. It checks more certs, and prompts if at least one requires action. These are: CA, engine, jboss (used for direct https access to it), websocket-proxy, apache, imageio-proxy.
2. It prompts if it expires in the next 365 days (much more than 30)
3. It prompts if it has no SAN (SubjectAlternativeName) extension (bug 1449084)
4. It prompts if the expires-not-before timestamp has no timezone (bug 1210486)

What do you think? Should we unify the tests? Not sure we must, but it might make sense. At least deciding on a single number of days is very easy (code-wise, not sure about docs/process) and makes sense...

The actual code testing this is in the file packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py, in the functions _expired and _ok_to_renew_cert.
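The two sets of checks described in comment 2 (the engine's daily audit-log check: WARNING under 30 days, ALERT under 7 days or when expired) and comment 3 (engine-setup's prompt: under 365 days, missing SAN extension, not-before timestamp without a timezone) can be put side by side in one classifier. The following is an added example, not oVirt's own code from CertificationValidityChecker.java or ca.py; the names CertInfo, engine_level, setup_reasons, build_report and load_pem are hypothetical, the threshold constants mirror the numbers quoted in the comments, and the sample certificates are constructed to exercise each branch.

```python
"""Side-by-side expiry classifier for the thresholds discussed in this bug.

Added example, not oVirt code.  Only the optional load_pem() helper needs the
third-party `cryptography` package; everything else is standard library.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Thresholds quoted in the bug (constant names are hypothetical).
ENGINE_WARNING_DAYS = 30   # comment 2: WARNING when fewer than 30 days remain
ENGINE_ALERT_DAYS = 7      # comment 2: ALERT when fewer than 7 days remain, or expired
SETUP_RENEW_DAYS = 365     # comment 3: engine-setup prompts when fewer than 365 days remain


@dataclass
class CertInfo:
    """Minimal view of a certificate, in the shape a loader would produce (assumed)."""
    name: str
    not_before: datetime   # a naive value models the 'no timezone' case of bug 1210486
    not_after: datetime    # expected to be timezone-aware
    has_san: bool


def _remaining(cert: CertInfo, now: datetime) -> timedelta:
    """Time left until not_after; a naive not_after is treated as UTC so the subtraction works."""
    not_after = cert.not_after
    if not_after.tzinfo is None:
        not_after = not_after.replace(tzinfo=timezone.utc)
    return not_after - now


def engine_level(cert: CertInfo, now: datetime) -> Optional[str]:
    """Audit-log severity the engine's daily check would emit, per comment 2 (None = nothing)."""
    remaining = _remaining(cert, now)
    if remaining <= timedelta(0):
        return "ALERT"                      # already expired
    if remaining < timedelta(days=ENGINE_ALERT_DAYS):
        return "ALERT"
    if remaining < timedelta(days=ENGINE_WARNING_DAYS):
        return "WARNING"
    return None


def setup_reasons(cert: CertInfo, now: datetime) -> List[str]:
    """Reasons engine-setup would prompt for renewal, per comment 3 (empty list = no prompt)."""
    reasons = []
    if _remaining(cert, now) < timedelta(days=SETUP_RENEW_DAYS):
        reasons.append("expires within %d days" % SETUP_RENEW_DAYS)
    if not cert.has_san:
        reasons.append("no SubjectAlternativeName extension")
    if cert.not_before.tzinfo is None:
        reasons.append("not-before timestamp has no timezone")
    return reasons


def build_report(certs: List[CertInfo], now: datetime) -> Dict[str, Tuple[Optional[str], List[str]]]:
    """Map each certificate name to (engine audit-log level, engine-setup reasons)."""
    return {c.name: (engine_level(c, now), setup_reasons(c, now)) for c in certs}


def load_pem(name: str, pem_bytes: bytes) -> CertInfo:
    """Optional loader for real PEM input; requires the `cryptography` package."""
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID
    cert = x509.load_pem_x509_certificate(pem_bytes)
    try:
        cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        has_san = True
    except x509.ExtensionNotFound:
        has_san = False
    # newer releases expose timezone-aware *_utc properties; fall back to the naive ones
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return CertInfo(name, not_before, not_after, has_san)


# Constructed sample data: a fixed 'now' and one certificate per interesting branch.
NOW = datetime(2019, 3, 29, 10, 51, tzinfo=timezone.utc)


def _at(days: int) -> datetime:
    return NOW + timedelta(days=days)


SAMPLE_CERTS = [
    CertInfo("engine-ca", _at(-3000), _at(3), True),          # 3 days left: ALERT, setup prompts
    CertInfo("engine", _at(-3000), _at(20), True),            # 20 days left: WARNING, setup prompts
    CertInfo("apache", _at(-3000), _at(100), False),          # engine silent, setup: 365-day rule + no SAN
    CertInfo("host-1", _at(-3000), _at(-1), True),            # expired yesterday: ALERT
    CertInfo("websocket-proxy", _at(-3000), _at(400), True),  # nothing to report anywhere
    CertInfo("jboss", datetime(2018, 3, 29), _at(400), True), # naive not_before: setup prompts only
]

if __name__ == "__main__":
    for name, (level, reasons) in build_report(SAMPLE_CERTS, NOW).items():
        print("%-16s engine=%-7s setup=%s" % (name, level, ", ".join(reasons) or "-"))
```

Running the block prints one line per sample certificate; the "apache" and "jboss" rows show the gap comment 3 is pointing at, where engine-setup would prompt but the engine's daily check stays silent.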

Comment 4 Michal Skrivanek 2020-03-18 15:47:17 UTC
This bug didn't get any attention for a while; we didn't have the capacity to make any progress. If you deeply care about it or want to work on it, please assign/target accordingly.

Comment 5 Michal Skrivanek 2020-03-18 15:52:01 UTC
This bug didn't get any attention for a while; we didn't have the capacity to make any progress. If you deeply care about it or want to work on it, please assign/target accordingly.

Comment 6 Michal Skrivanek 2020-04-01 14:48:14 UTC
ok, closing. Please reopen if still relevant/you want to work on it.

Comment 7 Michal Skrivanek 2020-04-01 14:51:28 UTC
ok, closing. Please reopen if still relevant/you want to work on it.