Bug 2079835 - Separate validity length of Apache and internal certificates
Summary: Separate validity length of Apache and internal certificates
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: General
Version: ---
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ovirt-4.5.0-1
: 4.5.0.7
Assignee: Milan Zamazal
QA Contact: Petr Kubica
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-04-28 10:49 UTC by Michal Skrivanek
Modified: 2022-05-30 06:42 UTC (History)
4 users

Fixed In Version: ovirt-engine-4.5.0.7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-30 06:42:37 UTC
oVirt Team: Infra
Embargoed:
pm-rhel: ovirt-4.5?
lsvaty: exception+


Attachments: none


Links
System ID Private Priority Status Summary Last Updated
Github oVirt ovirt-engine pull 324 0 None open Improve certificate renewal 2022-05-02 17:33:47 UTC
Github oVirt ovirt-engine pull 329 0 None open certificates: Extend the lifetime of non-web Engine certificates 2022-05-04 17:40:47 UTC
Github oVirt ovirt-engine pull 347 0 None open Backport CA and certificate fixes to 4.5.0.z 2022-05-09 13:40:22 UTC
Red Hat Issue Tracker RHV-45882 0 None None None 2022-04-28 11:46:13 UTC

Description Michal Skrivanek 2022-04-28 10:49:21 UTC
Currently we issue all the certificates with the same validity period - 398 days since 4.4.3 (bug 1824103).
While all browsers now complain and don't allow longer ones, this doesn't apply to non-browser TLS communication.

Let's separate out the certificates that are used with Apache for web access (webadmin, VM portal, grafana, imageio-proxy for UI disk upload, websocket proxy for noVNC) from the others that we use (vdsm<->engine, libvirt, qemu, OVN).

The internal ones are more difficult to renew - they're mostly on hosts, while Apache is just on the engine host. So let's issue them for a longer period, 10 years (depending on bug 2079799, this would be half the lifetime of the CA).
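The policy described above (browser-facing certificates capped at the 398-day browser limit, host/internal certificates issued for longer, and nothing outliving the CA) is easy to get wrong when the two classes share one issuing path. The following audit script is an added example written for this page; it is not ovirt-engine code. It assumes a service-to-role mapping built from the service names in the description, a constructed 10-year CA expiry, and constructed sample certificates (the hostnames and dates are made up). It plans the validity window for a new certificate by role and flags existing certificates that would be rejected by browsers, that outlive the CA, or that are due for renewal.

```python
"""Audit TLS certificate lifetimes by role (added example, not ovirt-engine code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Maximum leaf-certificate validity that current browsers accept.
BROWSER_MAX_DAYS = 398

# Lifetime per certificate role: web-facing certificates stay within the browser
# limit; internal (host-side) certificates get 5 years, as verified in this bug.
ROLE_LIFETIME_DAYS = {"web": BROWSER_MAX_DAYS, "internal": 5 * 365}

# Which services sit behind Apache (browser-facing) and which are internal.
# Mapping assembled from the bug description; the labels are this example's own.
SERVICE_ROLE = {
    "apache": "web", "websocket-proxy": "web", "imageio-proxy": "web", "grafana": "web",
    "vdsm": "internal", "libvirt": "internal", "qemu": "internal", "ovn": "internal",
}

UTC = timezone.utc


@dataclass(frozen=True)
class CertRecord:
    """Minimal view of a certificate: who it is for and its validity window."""
    subject: str
    service: str
    not_before: datetime
    not_after: datetime

    @property
    def validity_days(self) -> int:
        return (self.not_after - self.not_before).days


def role_of(service: str) -> str:
    """Map a service name to 'web' or 'internal'; unknown services are an error, not a default."""
    try:
        return SERVICE_ROLE[service]
    except KeyError:
        raise ValueError(f"unknown service {service!r}") from None


def plan_validity(service: str, issued_at: datetime) -> tuple[datetime, datetime]:
    """Return (not_before, not_after) for a freshly issued certificate of this service."""
    return issued_at, issued_at + timedelta(days=ROLE_LIFETIME_DAYS[role_of(service)])


def audit(records, now: datetime, ca_not_after: datetime, renewal_window_days: int = 30) -> list[str]:
    """Return one finding per problem; an empty list means every certificate is compliant."""
    findings: list[str] = []
    for rec in records:
        if role_of(rec.service) == "web" and rec.validity_days > BROWSER_MAX_DAYS:
            findings.append(f"{rec.subject}: web-facing cert valid {rec.validity_days}d "
                            f"> {BROWSER_MAX_DAYS}d, browsers will reject it")
        if rec.not_after > ca_not_after:
            findings.append(f"{rec.subject}: expires after the CA "
                            f"({rec.not_after.date()} > {ca_not_after.date()})")
        if rec.not_after <= now:
            findings.append(f"{rec.subject}: expired on {rec.not_after.date()}")
        elif rec.not_after - now <= timedelta(days=renewal_window_days):
            findings.append(f"{rec.subject}: expires within {renewal_window_days}d, renew now")
    return findings


# Constructed sample data: a 10-year CA and four certificates, two of them deliberately wrong.
ISSUED = datetime(2022, 5, 1, tzinfo=UTC)
CA_NOT_AFTER = datetime(2032, 5, 1, tzinfo=UTC)
AUDIT_NOW = datetime(2022, 5, 23, tzinfo=UTC)
SAMPLE_CERTS = [
    CertRecord("engine.example.test (apache)", "apache", *plan_validity("apache", ISSUED)),
    CertRecord("host1.example.test (vdsm)", "vdsm", *plan_validity("vdsm", ISSUED)),
    # Legacy: a browser-facing proxy cert issued with the internal 5-year lifetime.
    CertRecord("engine.example.test (websocket-proxy)", "websocket-proxy",
               ISSUED, ISSUED + timedelta(days=5 * 365)),
    # A host cert issued late in the CA's life, so its 5 years run past the CA expiry.
    CertRecord("host2.example.test (libvirt)", "libvirt",
               datetime(2030, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC) + timedelta(days=5 * 365)),
]


def run_sample() -> list[str]:
    """Audit the constructed sample set; returns the findings so callers can inspect them."""
    return audit(SAMPLE_CERTS, AUDIT_NOW, CA_NOT_AFTER)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Running the script prints two findings on the sample set: the websocket-proxy certificate that was issued with the internal lifetime, and the libvirt host certificate that outlives the CA. The "expires after the CA" check is the one to keep in mind when lengthening internal certificates: a 5- or 10-year host certificate is only as good as the remaining life of the CA that signed it.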

Comment 1 Michal Skrivanek 2022-05-02 13:23:42 UTC
(In reply to Michal Skrivanek from comment #0)
> So let's issue them for longer period, 10 years (depending on bug 2079799, this would be half the lifetime
> of CA)

Or 5 years, the same as it was prior to 4.4.3.

Comment 2 Milan Zamazal 2022-05-02 17:33:48 UTC
It seems the Engine and host certificates are already separated so all we need to do here is to increase the lifetime of the host certificates.

Comment 3 Petr Kubica 2022-05-23 23:49:52 UTC
Verified in ovirt-engine-4.5.0.7-0.9.el8ev.noarch.

Internal certificates have 5 years' validity, and external ones, such as Apache or the websocket proxy, have 1 year.
