[Train ONLY] Update local certmonger ca cert when ca cert has been renewed

Reuses fix from "Always update the local certmonger ca cert"
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/785020

This fix would not work in Wallaby and up, as this was moved
to tripleo-ansible.
From reviewing the code in tripleo-ansible, I am not sure how we would
validate that the certificate was issued by the local certmonger CA.
This is important as issuing certificates from the local certmonger CA
is only done on the undercloud.
But the role is used for both the undercloud and overcloud.

Closes-Bug: 1988244
Change-Id: I3dd3b9c0aa51ffa5b69a69d4bf113ae41eeffd81
David Sedgmen 2022-08-31 01:31:23 -04:00
parent c57cfa931a
commit 2342e636b8

@ -21,6 +21,12 @@ ca_path=""
if [ "$certmonger_ca" == "local" ]; then
ca_path="/etc/pki/ca-trust/source/anchors/cm-local-ca.pem"
#check if CA is still valid and update if not
if ! openssl verify ${ca_path}; then
openssl pkcs12 -in /var/lib/certmonger/local/creds -out ${ca_path} -nokeys -nodes -passin pass:''
chmod 0644 ${ca_path}
update-ca-trust extract
fi
elif [ "$certmonger_ca" == "IPA" ]; then
ca_path="/etc/ipa/ca.crt"
fi
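
Review bot: The condition on the `if ! openssl verify ${ca_path}; then` line only inspects the anchor file already on disk, so it cannot tell whether /var/lib/certmonger/local/creds now holds a different CA certificate; an anchor that still verifies is never refreshed, even though the commit title targets the renewed-CA case. Consider exporting the certificate from creds to a temporary file and replacing the anchor whenever the two differ (for example with cmp or a fingerprint comparison), rather than waiting for verification to fail. In the same block the exit status of `openssl pkcs12` is not checked before `chmod` and `update-ca-trust extract` run, so a failed export can leave an empty or partial file in the trust anchors; writing to the temporary file first and moving it into place only on success avoids that. `${ca_path}` should also be quoted in all three commands.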