Created attachment 1887138
Event view of alert
Description of problem:
oVirt engine issues warnings that the engine certificate is going to expire but certificate renewal is not offered when executing 'engine-setup --offline'
Version-Release number of selected component (if applicable):
How reproducible:
Currently always
Steps to Reproduce:
1. Receive alert in oVirt console that certificate is due to expire
2. execute 'engine-setup --offline' on engine host
3.
Actual results:
engine-setup --offline does not offer certificate renewal
Expected results:
engine-setup --offline offers certificate renewal
Additional info:
Align certificate alert/warning period with engine-setup certificate renewal prompt
It should behave per bug 2079890.
Can you please confirm the ovirt-engine rpm version? We'll probably need "openssl x509 -enddate -noout -in XXX" of (probably all) certificates in /etc/pki/ovirt-engine/certs/
The documentation text flag should only be set after 'doc text' field is provided. Please provide the documentation text and set the flag to '?' again.
Inside the referred bug 2079890 there is not a clear statement about engine certificates. There is the term "about to expire", which is somewhat vague. Also, here we are complaining that the warning timeout notified inside the Administration Portal and what is proposed by "engine-setup --offline" apparently seem to be not in sync. Is it possible to know the values stored in the code (and/or in config parameters) for both of them, in 4.4 and latest 4.5?
(In reply to Michal Skrivanek from comment #1)
> it should behave per bug 2079890
> can you please confirm ovirt-engine rpm version. we'll probably need
> "openssl x509 -enddate -noout -in XXX" of (probably all) certificates in
> /etc/pki/ovirt-engine/certs/
Looking at bug 2079890, your comment states that 'Certificates will be renewed' 60 days in advance during engine-setup for engine certs and CA.
My issue is that the current implementation / configuration of the alerts in the oVirt Web UI is issuing a warning approximately 190 days before the certificates are due to expire. If I'm seeing these every day for 3 months I'll be ignoring them by the time certificates really need renewing.
The obvious thing to do is to either only issue the alert 60 days before they're due to expire and can be updated using engine setup or allow engine setup to renew, or at least offer the option to renew the certificates 190 days before they expire. In either case the alerts seen in the Web UI will align with a remedial action available by running engine-setup.
engine-setup doesn't allow regenerating certificates that are going to expire earlier than 60 days before certificate expiration:
https://github.com/oVirt/ovirt-engine/blob/master/packaging/setup/ovirt_engine_setup/engine_common/pki_utils.py#L65
But we are starting to raise warnings about certificate expiration 365 days before the actual expiration date:
https://github.com/oVirt/ovirt-engine/blob/master/packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql#L867
So even though this issue is related only to the engine certificate and the engine CA certificate, we should allow regenerating certificates in engine-setup at the same time as expiration warnings are raised.
*** This bug has been marked as a duplicate of bug 2096862 ***
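The check requested in the thread, as an added example that is not part of the bug report or of oVirt's code: it reads the `openssl x509 -enddate -noout` output for each file in /etc/pki/ovirt-engine/certs/ and flags certificates that sit inside the 365-day warning window but outside the 60-day renewal window. The state names, the inclusive window boundaries and the sample lines are assumptions constructed for illustration.

```python
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Windows as stated in the thread; treating the boundary day as inclusive is an assumption.
RENEW_WINDOW_DAYS = 60   # engine-setup offers renewal only this close to expiry
WARN_WINDOW_DAYS = 365   # expiration warnings start this far ahead
CERT_DIR = Path("/etc/pki/ovirt-engine/certs")

def parse_enddate(line):
    """Parse one 'notAfter=...' line printed by `openssl x509 -enddate -noout`."""
    value = " ".join(line.strip().split("=", 1)[1].split())  # openssl pads single-digit days
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def classify(not_after, now):
    """Return (whole days left, state) for one certificate."""
    days = (not_after - now).days  # negative as soon as not_after is in the past
    if days < 0:
        return days, "EXPIRED"
    if days <= RENEW_WINDOW_DAYS:
        return days, "RENEWABLE"
    if days <= WARN_WINDOW_DAYS:
        return days, "WARNED_NOT_RENEWABLE"  # alert raised, engine-setup offers nothing yet
    return days, "OK"

def scan(cert_dir):
    """Map file name -> notAfter for every file openssl can read as a certificate."""
    dates = {}
    for p in sorted(cert_dir.iterdir()):
        try:
            out = subprocess.run(["openssl", "x509", "-enddate", "-noout", "-in", str(p)],
                                 capture_output=True, text=True, check=True).stdout
            dates[p.name] = parse_enddate(out)
        except (subprocess.CalledProcessError, OSError, ValueError):
            continue  # not a readable certificate, or openssl unavailable
    return dates

# Constructed sample output and reference date, used when CERT_DIR is absent.
SAMPLE = {"sample-a": "notAfter=Dec  8 10:00:00 2022 GMT",
          "sample-b": "notAfter=Jul 15 00:00:00 2022 GMT"}
SAMPLE_NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    live = CERT_DIR.is_dir()
    now = datetime.now(timezone.utc) if live else SAMPLE_NOW
    dates = scan(CERT_DIR) if live else {n: parse_enddate(l) for n, l in SAMPLE.items()}
    for name, not_after in dates.items():
        print(name, *classify(not_after, now))
```

Any certificate reported as WARNED_NOT_RENEWABLE is in the situation the reporter describes: the alert is shown while engine-setup does not yet offer renewal.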