Bug 2097725 - Certificate Warn period and automatic renewal via engine-setup do not match
Summary: Certificate Warn period and automatic renewal via engine-setup do not match
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.5.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-4.5.2
Assignee: Milan Zamazal
QA Contact: Pavol Brilla
URL:
Whiteboard:
Duplicates: 2096862
Depends On: 2096862
Blocks:
 
Reported: 2022-06-16 12:10 UTC by Ulhas Surse
Modified: 2022-09-08 18:14 UTC (History)

Fixed In Version: ovirt-engine-4.5.2
Doc Type: Bug Fix
Doc Text:
Previously, the Manager issued warnings about approaching certificate expiration before engine-setup could update the certificates. In this release the expiration warning and certificate update periods are aligned, and certificates are updated as soon as the warnings about their upcoming expiration occur.
Clone Of: 2096862
Environment:
Last Closed: 2022-09-08 11:28:53 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:




Links
Github oVirt ovirt-engine pull 486 (open): setup: Allow renewing certificates 365 days in advance (last updated 2022-06-22 19:06:56 UTC)
Red Hat Issue Tracker RHV-46445 (last updated 2022-06-16 12:26:14 UTC)
Red Hat Knowledge Base (Solution) 6963560 (last updated 2022-06-21 09:54:53 UTC)
Red Hat Product Errata RHSA-2022:6393 (last updated 2022-09-08 11:29:26 UTC)

Description Ulhas Surse 2022-06-16 12:10:22 UTC
+++ This bug was initially created as a clone of Bug #2096862 +++

Description of problem:
Currently I am receiving warnings that my engine/apache certificates are about to expire. I would expect them to be renewed via engine-setup --offline but that does not happen.

I am not sure if the warn period of 365 days is a good idea though; that means the web certificates are almost always in the warn period because they are only valid for 398 days.

Maybe we need a 2nd warn period for the short-lived certs of 60 days to fit the engine-setup renewal setting.


Version-Release number of selected component (if applicable):
ovirt-engine-setup-4.5.0.7-0.9.el8ev.noarch


How reproducible:
Have a cert that is about to expire (in my case in ~3 months). See that the engine is warning about the validity, but engine-setup does not create new certs (or re-sign the old ones).

openssl x509 -dates -subject -issuer -noout -in /etc/pki/ovirt-engine/certs/apache.cer
notBefore=Aug 10 09:21:26 2021 GMT
notAfter=Sep 13 09:21:26 2022 GMT


openssl x509 -dates -subject -issuer -noout -in /etc/pki/ovirt-engine/certs/engine.cer
notBefore=Aug 10 09:19:39 2021 GMT
notAfter=Sep 13 09:19:39 2022 GMT


openssl x509 -dates -subject -issuer -noout -in /etc/pki/ovirt-engine/ca.pem
notBefore=Apr 22 19:11:59 2021 GMT
notAfter=Apr 21 19:11:59 2031 GMT


Steps to Reproduce:
1. have cert that is about to expire in ~90 days
2. see message in manager webui
3. run engine-setup --offline


Actual results:
Certs still about to expire in ~90 days

Expected results:
Certs will be renewed


Additional info:
I am guessing this is because of the values here:
CertExpirationWarnPeriodInDays (default: https://github.com/oVirt/ovirt-engine/blob/aae60b369fc1dc0213def1bfbf0ab247683ccc5c/packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql#L867 )

period before renewal 60 days hardcoded ( https://github.com/oVirt/ovirt-engine/blob/master/packaging/setup/ovirt_engine_setup/engine_common/pki_utils.py#L65 )

--- Additional comment from Klaas Demter on 2022-06-14 13:08:24 UTC ---

Could be related to the changes from https://bugzilla.redhat.com/show_bug.cgi?id=2079890

--- Additional comment from RHEL Program Management on 2022-06-16 08:41:48 UTC ---

The documentation text flag should only be set after 'doc text' field is provided. Please provide the documentation text and set the flag to '?' again.
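
As an added check (not code from the bug report or from ovirt-engine): the script below classifies a certificate against the two thresholds the reporter points at, the Manager's CertExpirationWarnPeriodInDays and the renewal window engine-setup applies, and reports when a certificate sits in the gap between them (the Manager warns, engine-setup does nothing). It uses openssl x509 -checkend so no date parsing is needed. The thresholds are parameters: 365 and 60 are the values given in this report, and the pull request in the Links section raises the renewal window to 365, so both the pre-fix and the aligned configuration can be evaluated. The function names, the self-signed test certificates and their CN are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the bug report or from ovirt-engine.
# Classifies a certificate against two thresholds:
#   WARN  - days before expiry at which the Manager starts warning
#           (CertExpirationWarnPeriodInDays, 365 in the report)
#   RENEW - days before expiry within which engine-setup will renew
#           (60 in the report, hard-coded in pki_utils.py)
# A cert inside WARN but outside RENEW is the state the reporter hit:
# the UI warns, engine-setup leaves the cert alone.

# expires_within CERT DAYS -> exit 0 if CERT's notAfter is less than DAYS away.
# 'openssl x509 -checkend N' exits 0 when the cert is still valid at now+N
# seconds and 1 when it will have expired by then, so the sense is inverted here.
expires_within() {
    if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_state CERT WARN_DAYS RENEW_DAYS -> prints one of: renew | warn-only | ok
cert_state() {
    if expires_within "$1" "$3"; then
        echo renew          # engine-setup would regenerate it
    elif expires_within "$1" "$2"; then
        echo warn-only      # the gap this bug is about
    else
        echo ok
    fi
}

# make_cert OUT DAYS -> constructed self-signed cert valid for DAYS days
# (throwaway key written next to it); only used to exercise the check offline.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example" \
        -keyout "${1%.cer}.key" -out "$1" >/dev/null 2>&1
}

# Usage: sh certgap.sh WARN_DAYS RENEW_DAYS CERT...
# e.g.   sh certgap.sh 365 60 /etc/pki/ovirt-engine/certs/apache.cer \
#                             /etc/pki/ovirt-engine/certs/engine.cer
if [ "$#" -ge 3 ]; then
    warn=$1; renew=$2; shift 2
    for c in "$@"; do
        printf '%s\t%s\t%s\n' "$(cert_state "$c" "$warn" "$renew")" \
            "$(openssl x509 -noout -enddate -in "$c")" "$c"
    done
fi
```

With 365/60 a 398-day apache.cer is "ok" for its first 33 days and "warn-only" for the remaining 305, which is the reporter's complaint; with the renewal window raised to 365 the warn-only state cannot occur, because anything the Manager warns about is already inside the window engine-setup renews.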

Comment 4 Pavol Brilla 2022-08-10 19:46:45 UTC
Once I got a message in the engine about expiry (>200 days), engine-setup regenerated the certs.


Version RHV 4.4 SP1 [ovirt-engine-4.5.2-0.3.el8ev]

Comment 8 errata-xmlrpc 2022-09-08 11:28:53 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: RHV Manager (ovirt-engine) [ovirt-4.5.2] bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:6393

Comment 9 Eli Marcus 2022-09-08 18:14:12 UTC
*** Bug 2096862 has been marked as a duplicate of this bug. ***

