Alon Bar-Lev has uploaded a new change for review.

Change subject: packaging: setup: pki: renew pki certificate if invalid
......................................................................

packaging: setup: pki: renew pki certificate if invalid

see bug for details.

Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1210486
Change-Id: I9ca57f8a9b4e97cfbb2bd4877adbc2a87e6348fc
Signed-off-by: Alon Bar-Lev <[email protected]>
---
M packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py
1 file changed, 39 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/18/39818/1

diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py 
b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py
index 83d64db..84641b4 100644
--- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py
+++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py
@@ -89,6 +89,7 @@
     def __init__(self, context):
         super(Plugin, self).__init__(context=context)
         self._enabled = False
+        self._ca_was_renewed = False
 
     @plugin.event(
         stage=plugin.Stages.STAGE_BOOT,
@@ -160,6 +161,9 @@
                 oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT
             )
         ),
+        before=(
+            oenginecons.Stages.CA_AVAILABLE,
+        ),
     )
     def _miscUpgrade(self):
         self.logger.info(_('Upgrading CA'))
@@ -217,6 +221,34 @@
                             modifiedList=uninstall_files,
                         ),
                     )
+
+        #
+        # LEGACY NOTE
+        # Since 3.0 and maybe before the CA certificate's
+        # notBefore attribute was set using timezone offset
+        # instead of Z
+        # in this case we need to reissue CA certificate.
+        #
+        x509 = X509.load_cert(
+            oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT
+        )
+        if x509.get_not_before().get_datetime().tzname() is None:
+            self._ca_was_renewed = True
+            self.logger.info(_('Renewing CA'))
+            self.execute(
+                args=(
+                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_CREATE,
+                    '--renew',
+                    '--keystore-password=%s' % (
+                        self.environment[oenginecons.PKIEnv.STORE_PASS],
+                    ),
+                ),
+                envAppend={
+                    'JAVA_HOME': self.environment[
+                        oengcommcons.ConfigEnv.JAVA_HOME
+                    ],
+                },
+            )
 
     @plugin.event(
         stage=plugin.Stages.STAGE_MISC,
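Review bot: The keystore password is put on the child process's command line in the `'--keystore-password=%s' % (self.environment[oenginecons.PKIEnv.STORE_PASS],)` argument of the renew call, so it is readable from the process table by any local user while the ca-create script runs, and if `self.execute` logs its argv the secret may also end up in the setup log; if the script can take the password from the environment (it already receives `envAppend`) or from stdin, prefer that, and otherwise make sure the logged argument is redacted. The renew condition `tzname() is None` is only an indirect test for the "offset instead of Z" encoding described in the LEGACY NOTE; a one-line comment such as `# presumably a naive datetime means notBefore was not encoded with a trailing Z — confirm against M2Crypto` would make the link explicit. The enclosing `_miscUpgrade` starts before this hunk, and `X509` is assumed to be already imported at file top.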
@@ -489,6 +521,13 @@
                 )[1:],
             )
         )
+        if self._ca_was_renewed:
+            self.logger.warning(
+                _(
+                    'Internal CA was renewed, please refresh manually '
+                    'distributed copies'
+                ),
+            )
 
 
 # vim: expandtab tabstop=4 shiftwidth=4



Gerrit-MessageType: newchange
Gerrit-Change-Id: I9ca57f8a9b4e97cfbb2bd4877adbc2a87e6348fc
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: ovirt-engine-3.5
Gerrit-Owner: Alon Bar-Lev <[email protected]>