Alon Bar-Lev has uploaded a new change for review. Change subject: packaging: setup: pki: renew pki certificate if invalid ......................................................................
packaging: setup: pki: renew pki certificate if invalid see bug for details. Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1210486 Change-Id: I9ca57f8a9b4e97cfbb2bd4877adbc2a87e6348fc Signed-off-by: Alon Bar-Lev <[email protected]> --- M packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py 1 file changed, 39 insertions(+), 0 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/18/39818/1 diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py index 83d64db..84641b4 100644 --- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py +++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py @@ -89,6 +89,7 @@ def __init__(self, context): super(Plugin, self).__init__(context=context) self._enabled = False + self._ca_was_renewed = False @plugin.event( stage=plugin.Stages.STAGE_BOOT, @@ -160,6 +161,9 @@ oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT ) ), + before=( + oenginecons.Stages.CA_AVAILABLE, + ), ) def _miscUpgrade(self): self.logger.info(_('Upgrading CA')) @@ -217,6 +221,34 @@ modifiedList=uninstall_files, ), ) + + # + # LEGACY NOTE + # Since 3.0 and maybe before the CA certificate's + # notBefore attribute was set using timezone offset + # instead of Z + # in this case we need to reissue CA certificate. + # + x509 = X509.load_cert( + oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT + ) + if x509.get_not_before().get_datetime().tzname() is None: + self._ca_was_renewed = True + self.logger.info(_('Renewing CA')) + self.execute( + args=( + oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CREATE, + '--renew', + '--keystore-password=%s' % ( + self.environment[oenginecons.PKIEnv.STORE_PASS], + ), + ), + envAppend={ + 'JAVA_HOME': self.environment[ + oengcommcons.ConfigEnv.JAVA_HOME + ], + }, + ) @plugin.event( stage=plugin.Stages.STAGE_MISC, 
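Review bot: The renewal call formats the keystore password into the argument tuple (`'--keystore-password=%s' % (...)`), so while the CA script runs the secret is part of its command line and readable by any local user who can list processes. It may also reach the setup log if `self.execute` records its arguments, which is not visible here. The call already uses `envAppend` for `JAVA_HOME`, so the password could travel the same way if the script can read it from the environment or a file. If the argv form has to stay, a comment such as `# NOTE: keystore password is exposed on argv for the lifetime of this call` above `self.execute(` would record the trade-off. The enclosing method starts before this hunk, so any existing handling elsewhere in it is not visible.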
@@ -489,6 +521,13 @@ )[1:], ) ) + if self._ca_was_renewed: + self.logger.warning( + _( + 'Internal CA was renewed, please refresh manually ' + 'distributed copies' + ), + ) # vim: expandtab tabstop=4 shiftwidth=4 -- To view, visit https://gerrit.ovirt.org/39818 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I9ca57f8a9b4e97cfbb2bd4877adbc2a87e6348fc Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: ovirt-engine-3.5 Gerrit-Owner: Alon Bar-Lev <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
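Review bot: The warning added here does not say which file has to be redistributed, so an operator reading the setup summary has to work out where the renewed certificate lives. Consider naming the path in the message, e.g. `'Internal CA was renewed, please refresh manually distributed copies of %s'` formatted with `oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT`. Whether `--renew` keeps the existing key is not visible on this page; if it does not, clients holding the old certificate would stop trusting the engine, and this message would be their only prompt. The enclosing function begins outside the hunk.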
