sureshanaparti opened a new issue #4129: URL: https://github.com/apache/cloudstack/issues/4129
### Description

Agent disconnection event is purging the certificates from the active certificates map, being maintained by the management server in memory. Re-provisioning of the certificate also triggers agent disconnect, which will result in the same. As the active certificates map doesn't hold any certificate details for the host, the certificate authority framework will fail to auto-renew the host's certificate after the expiry alert period configured using the setting _ca.framework.cert.expiry.alert.period_.

##### ISSUE TYPE

* Bug Report

##### COMPONENT NAME

~~~
CA Manager
~~~

##### CLOUDSTACK VERSION

~~~
master
~~~

##### CONFIGURATION

MS, using Securing Agents Communication

##### OS / ENVIRONMENT

##### SUMMARY

The certificate details of the host are removed from the active certificates map maintained by the management server when the agent is disconnected. The certificate re-provisioning of a host would also trigger agent disconnect, which will delete the certificate for the host.
As the active certificates map doesn't hold any certificate details for the host, the certificate authority framework will fail to auto-renew the host's certificate after the expiry alert period configured using the setting _ca.framework.cert.expiry.alert.period_.

##### STEPS TO REPRODUCE

1) Configure the CA config parameters and restart MS.
   - Enable auto certificate renewal by setting the global/cluster config parameter "_ca.framework.cert.automatic.renewal_" to true. (Set minimal possible values for validity period and expiry alert period.)
   - Set validity period using config parameter "_ca.framework.cert.validity.period_" to 2 days, at global level.
   - Set the expiry alert period using config parameter "_ca.framework.cert.expiry.alert.period_" to 1 day, at global/respective cluster level.
2) Provision host security keys (or disconnect the agent).

Enable debug logs; the below logs are not observed after the expiry alert period. Also, no alerts on certificate expiry.
~~~
WARN [o.a.c.c.CAManagerImpl] (BackgroundTaskPollManager-3:ctx-3cb4c14f) (logid:7054c362) Certificate is going to expire for host id=7, uuid=bf42788e-aa8a-435e-ad87-6b2dfcc2fd59, name=testkvm1, ip=1.2.3.4, zone id=5
DEBUG [o.a.c.c.CAManagerImpl] (BackgroundTaskPollManager-3:ctx-3cb4c14f) (logid:7054c362) Attempting certificate auto-renewal for host id=7, uuid=bf42788e-aa8a-435e-ad87-6b2dfcc2fd59, name=testkvm1, ip=1.2.3.4, zone id=5
DEBUG [o.a.c.c.CAManagerImpl] (BackgroundTaskPollManager-3:ctx-3cb4c14f) (logid:7054c362) Succeeded in auto-renewing certificate for host id=7, uuid=bf42788e-aa8a-435e-ad87-6b2dfcc2fd59, name=testkvm1, ip=1.2.3.4, zone id=5
~~~

##### EXPECTED RESULTS

~~~
MS should auto renew the certificates after expiry alert period when enabled
~~~

##### ACTUAL RESULTS

~~~
MS fails to renew the certificates after expiry alert period
~~~
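To make the failure mode concrete, here is an added Python model (not CloudStack's code; the class, method names and timings are assumptions) of the in-memory active certificates map and the background renewal task, run with the 2-day validity and 1-day expiry alert period from the reproduction steps. The `purge_on_disconnect=False` run is a hypothetical contrast, not the project's fix, showing that renewals proceed only while the host's entry stays in the map; `untracked_hosts` is the check an operator would want for hosts the MS will never renew.

```python
from datetime import datetime, timedelta


class CertificateAuthorityModel:
    """Constructed model of the MS active certificates map and poll task."""

    def __init__(self, validity_days, expiry_alert_days, purge_on_disconnect):
        self.validity = timedelta(days=validity_days)
        self.alert_period = timedelta(days=expiry_alert_days)
        self.purge_on_disconnect = purge_on_disconnect
        self.active_certificates = {}  # host_id -> certificate not-after time
        self.renewals = []             # host ids renewed, in order

    def provision(self, host_id, now):
        # (Re-)provisioning issues a fresh certificate; as the issue describes,
        # it is followed by an agent disconnect event.
        self.active_certificates[host_id] = now + self.validity
        self.on_agent_disconnect(host_id)

    def on_agent_disconnect(self, host_id):
        # Current behaviour reported in the issue: the entry is purged.
        if self.purge_on_disconnect:
            self.active_certificates.pop(host_id, None)

    def renewal_task(self, now):
        # Background poll: renew every tracked certificate inside its expiry
        # alert window. A host absent from the map is never considered.
        for host_id, not_after in list(self.active_certificates.items()):
            if now >= not_after - self.alert_period:
                self.active_certificates[host_id] = now + self.validity
                self.renewals.append(host_id)

    def untracked_hosts(self, known_hosts):
        # Operator check: hosts the MS knows about but cannot auto-renew.
        return sorted(h for h in known_hosts if h not in self.active_certificates)


def simulate(purge_on_disconnect):
    """Provision host id=7 (from the issue's log lines) and poll every 6 h for 3 days."""
    ca = CertificateAuthorityModel(validity_days=2, expiry_alert_days=1,
                                   purge_on_disconnect=purge_on_disconnect)
    t0 = datetime(2020, 1, 1)  # constructed start time
    ca.provision(7, t0)
    for step in range(13):
        ca.renewal_task(t0 + timedelta(hours=6 * step))
    return ca.renewals, ca.untracked_hosts([7])


if __name__ == "__main__":
    print("purge on disconnect:", simulate(True))    # ([], [7])
    print("entry kept on disconnect:", simulate(False))  # ([7, 7, 7], [])
```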