From 017ced4d978f472667fa2f34246381833857e7c4 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Mon, 5 Apr 2021 15:50:04 -0400 Subject: [PATCH] Always update the local certmonger ca cert The local certmonger cert will renew after half its lifetime, which will be after 6 months by default. The current code would extract the CA cert to a PEM file (and trust it), only if the cert in the existing PEM file was expired. But this means that the certmonger local cert could be renewed after six months and not be replaced in the PEM file until the existing cert expired at the end of the year. If certs are issued in this time, they will not be trusted and the update will fail. This patch removes this condition, so that the extracted and trusted cert always matches what is in the PEM file, and what is trusted. Note, this only place this occurs is on the undercloud - because this is where we could use the certmonger local cert. We assume that the haproxy cert will be re-issued in an update. Change-Id: If804dc369c5883eeb51f7e6dcd01ee0e5967c7cf --- manifests/certmonger/ca/local.pp | 1 - spec/classes/tripleo_certmonger_ca_local_spec.rb | 4 +--- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/manifests/certmonger/ca/local.pp b/manifests/certmonger/ca/local.pp index 21858d155..7b89ab916 100644 --- a/manifests/certmonger/ca/local.pp +++ b/manifests/certmonger/ca/local.pp @@ -37,7 +37,6 @@ class tripleo::certmonger::ca::local( exec { 'extract-and-trust-ca': command => "${extract_cmd} && ${trust_ca_cmd}", path => '/usr/bin', - unless => "test -e ${ca_pem} && openssl x509 -checkend 0 -noout -in ${ca_pem}", tries => 5, try_sleep => 1, notify => File[$ca_pem] diff --git a/spec/classes/tripleo_certmonger_ca_local_spec.rb b/spec/classes/tripleo_certmonger_ca_local_spec.rb index b8f0781ea..03d1516e9 100644 --- a/spec/classes/tripleo_certmonger_ca_local_spec.rb +++ b/spec/classes/tripleo_certmonger_ca_local_spec.rb @@ -33,9 +33,7 @@ describe 'tripleo::certmonger::ca::local' do end it 'should extract CA cert' do - is_expected.to contain_exec('extract-and-trust-ca').with( - :unless => "test -e #{params[:ca_pem]} && openssl x509 -checkend 0 -noout -in #{params[:ca_pem]}", - ) + is_expected.to contain_exec('extract-and-trust-ca') end it 'set the correct permissions for the CA certificate file' do