Description of problem:
Currently I am receiving warnings that my engine/apache certificates are about to expire. I would expect them to be renewed via engine-setup --offline, but that does not happen. I am not sure if the warn period of 365 days is a good idea though; that means the web certificates are almost always in the warn period because they are only valid for 398 days. Maybe we need a 2nd warn period for the short-lived certs of 60 days to fit the engine-setup renewal setting.

Version-Release number of selected component (if applicable):
ovirt-engine-setup-4.5.0.7-0.9.el8ev.noarch

How reproducible:
Have a cert that is about to expire (in my case in ~3 months). See that the engine is warning about the validity, but engine-setup does not create new certs (or re-signs the old ones).

  openssl x509 -dates -subject -issuer -noout -in /etc/pki/ovirt-engine/certs/apache.cer
  notBefore=Aug 10 09:21:26 2021 GMT
  notAfter=Sep 13 09:21:26 2022 GMT

  openssl x509 -dates -subject -issuer -noout -in /etc/pki/ovirt-engine/certs/engine.cer
  notBefore=Aug 10 09:19:39 2021 GMT
  notAfter=Sep 13 09:19:39 2022 GMT

  openssl x509 -dates -subject -issuer -noout -in /etc/pki/ovirt-engine/ca.pem
  notBefore=Apr 22 19:11:59 2021 GMT
  notAfter=Apr 21 19:11:59 2031 GMT

Steps to Reproduce:
1. Have a cert that is about to expire in ~90 days
2. See the message in the manager webui
3. Run engine-setup --offline

Actual results:
Certs are still about to expire in ~90 days

Expected results:
Certs will be renewed

Additional info:
I am guessing this is because of the values here:
- CertExpirationWarnPeriodInDays (default: https://github.com/oVirt/ovirt-engine/blob/aae60b369fc1dc0213def1bfbf0ab247683ccc5c/packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql#L867 )
- period before renewal: 60 days, hardcoded ( https://github.com/oVirt/ovirt-engine/blob/master/packaging/setup/ovirt_engine_setup/engine_common/pki_utils.py#L65 )
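The mismatch described above (a 365-day warning window in the engine versus a 60-day renewal window in engine-setup) can be checked from the `openssl x509 -dates` output alone. The following script is an added example, not code from the oVirt project: it parses the `notBefore=`/`notAfter=` lines, computes the remaining validity at a reference date, and reports whether a certificate falls into the "warned but not yet renewed" gap. The two thresholds are taken from the report; the reference date (2022-06-15) and the exact `<=` comparison are assumptions, and the sample output is the apache.cer output quoted in the report.

```python
from datetime import datetime, timezone

# Thresholds named in the bug report (assumed, not read from the engine config
# or from pki_utils.py): the engine warns once less than
# CertExpirationWarnPeriodInDays of validity remain, while engine-setup only
# re-signs a certificate when less than RENEW_PERIOD_DAYS remain.
WARN_PERIOD_DAYS = 365
RENEW_PERIOD_DAYS = 60

# Date layout printed by `openssl x509 -dates -noout`, e.g. "Sep 13 09:21:26 2022 GMT".
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"

# Constructed sample: the apache.cer dates quoted in the report.
APACHE_CER_DATES = """\
notBefore=Aug 10 09:21:26 2021 GMT
notAfter=Sep 13 09:21:26 2022 GMT
"""

# Constructed reference "now": roughly three months before apache.cer expires.
REFERENCE_NOW = datetime(2022, 6, 15, tzinfo=timezone.utc)


def parse_openssl_dates(text):
    """Return {'notBefore': datetime, 'notAfter': datetime} from openssl -dates output."""
    dates = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("notBefore=", "notAfter=")):
            key, _, value = line.partition("=")
            # strptime's %Z accepts "GMT" but does not attach tzinfo, so set UTC explicitly.
            dates[key] = datetime.strptime(value, OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)
    missing = {"notBefore", "notAfter"} - dates.keys()
    if missing:
        raise ValueError(f"openssl output lacks {sorted(missing)}")
    return dates


def assess(dates, now, warn_days=WARN_PERIOD_DAYS, renew_days=RENEW_PERIOD_DAYS):
    """Classify a certificate against the engine warning and engine-setup renewal windows."""
    remaining = (dates["notAfter"] - now).days
    lifespan = (dates["notAfter"] - dates["notBefore"]).days
    warned = remaining <= warn_days            # engine UI shows the expiry warning
    renewed = remaining <= renew_days          # engine-setup would re-sign the cert
    return {
        "lifespan_days": lifespan,
        "days_remaining": remaining,
        "expired": remaining < 0,
        "warned": warned,
        "renewed_by_setup": renewed,
        # The gap the report describes: the admin sees a warning, runs engine-setup,
        # and nothing changes because the renewal window has not been reached yet.
        "warned_but_not_renewed": warned and not renewed,
        # How many more days engine-setup will keep ignoring the warned certificate.
        "days_until_setup_renews": max(remaining - renew_days, 0),
    }


def assess_openssl_output(text, now=None, **thresholds):
    """Convenience wrapper: parse openssl -dates text and assess it."""
    if now is None:
        now = datetime.now(timezone.utc)
    return assess(parse_openssl_dates(text), now, **thresholds)


if __name__ == "__main__":
    result = assess_openssl_output(APACHE_CER_DATES, REFERENCE_NOW)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Feeding the script real output (`openssl x509 -dates -noout -in /etc/pki/ovirt-engine/certs/apache.cer`) with the current date gives the same classification an administrator would otherwise work out by hand; for the quoted apache.cer at the reference date it reports 90 days remaining, which is inside the 365-day warning window but 30 days short of the 60-day renewal window.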
Could be related to the changes from https://bugzilla.redhat.com/show_bug.cgi?id=2079890
The documentation text flag should only be set after 'doc text' field is provided. Please provide the documentation text and set the flag to '?' again.
> I am not sure if the warn period of 365 days is a good idea though, that means the web certificates are almost always in warn period because they are only valid for 398 days.

I think the 365 days warning period applies only to the CA, Engine (the non-web one) and host certificates. Do you get such early warnings for other certificates?
(In reply to Milan Zamazal from comment #4)
> > I am not sure if the warn period of 365 days is a good idea though, that means the web certificates are almost always in warn period because they are only valid for 398 days.
>
> I think the 365 days warning period applies only to the CA, Engine (the
> non-web one) and host certificates. Do you get so early warnings for other
> certificates?

I think you are right about it only warning about the engine cert, not the apache cert. But they are both short lived:

  openssl x509 -dates -subject -issuer -noout -in /etc/pki/ovirt-engine/certs/apache.cer
  notBefore=Aug 10 09:21:26 2021 GMT
  notAfter=Sep 13 09:21:26 2022 GMT

  openssl x509 -dates -subject -issuer -noout -in /etc/pki/ovirt-engine/certs/engine.cer
  notBefore=Aug 10 09:19:39 2021 GMT
  notAfter=Sep 13 09:19:39 2022 GMT

I just assumed it was talking about both of them because they have the same end date :) But the warning states "Engine's certification is about to expire at 2022-09-13. Please renew the engine's certification."

Basically, as a customer I would want the following outcome:
a) Do not warn about the certs until I should react, so a couple of months should be fine for all of them; 365 days is definitely too long for a cert that has a lifespan of 398 days
b) I want warnings about all relevant certs, including the apache one
c) As soon as you're getting warnings about them, an engine-setup should renew those certs
> But they are both short lived:

The life of the Engine certificate was extended to 5 years in 4.5.1. Once you renew it, you shouldn't be bothered by its next renewal for 4 years.

> but basically I'd say as a customer I would want the following outcome:
> a) Do not warn about the certs until I should react, so a couple of months should be fine for all of them; 365 days is definitely too long for a cert that has a lifespan of 398 days

This should be satisfied in 4.5.1.

> b) I want warnings about all relevant certs, including the apache one

Would you like to file a separate bug about this? While it is related, it is a different issue that would be easier to handle separately.

> c) as soon as you're getting warnings about them a engine-setup should renew those certs

This should be fixed by the proposed patch here. Although only if the default warning period is not changed; but with the changed lifespans in 4.5.1, there should usually be no reason to change it.
*** Bug 2093954 has been marked as a duplicate of this bug. ***
Once I got a message in the engine about expiry (>200 days), engine-setup regenerated the certs.

Version: RHV 4.4 SP1 [ovirt-engine-4.5.2-0.3.el8ev]
This bugzilla is included in oVirt 4.5.2 release, published on August 10th 2022. Since the problem described in this bug report should be resolved in oVirt 4.5.2 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.
*** This bug has been marked as a duplicate of bug 2097725 ***