From 2342e636b8f53fa435e8988f636b61972c53ed16 Mon Sep 17 00:00:00 2001
From: David Sedgmen
Date: Wed, 31 Aug 2022 01:31:23 -0400
Subject: [PATCH] [Train ONLY] Update local certmonger ca cert when ca cert has been renewed

Reuses fix from "Always update the local certmonger ca cert"
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/785020

This fix would not work from Wallaby up as this was moved to tripleo-ansible.
From reviewing the code in tripleo-ansible, I am not sure how we would validate that the certificate was issued by the local certmonger CA. This is important as issuing certificates from the local certmonger CA is only done on the undercloud. But the role is used for both the undercloud and overcloud.

Closes-Bug: 1988244
Change-Id: I3dd3b9c0aa51ffa5b69a69d4bf113ae41eeffd81
---
 files/certmonger-haproxy-refresh.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/files/certmonger-haproxy-refresh.sh b/files/certmonger-haproxy-refresh.sh
index 02b4a50cc..09ad220ab 100644
--- a/files/certmonger-haproxy-refresh.sh
+++ b/files/certmonger-haproxy-refresh.sh
@@ -21,6 +21,12 @@ ca_path="" if [ "$certmonger_ca" == "local" ]; then ca_path="/etc/pki/ca-trust/source/anchors/cm-local-ca.pem" + #check if CA is still valid and update if not + if ! openssl verify ${ca_path}; then + openssl pkcs12 -in /var/lib/certmonger/local/creds -out ${ca_path} -nokeys -nodes -passin pass:'' + chmod 0644 ${ca_path} + update-ca-trust extract + fi elif [ "$certmonger_ca" == "IPA" ]; then ca_path="/etc/ipa/ca.crt" fi
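Review bot: the re-export inside the new `if ! openssl verify ${ca_path}` block has no error handling, so when `openssl pkcs12 -in /var/lib/certmonger/local/creds -out ${ca_path} -nokeys -nodes -passin pass:''` fails (creds file missing or unreadable, or protected by a password other than the empty one `-passin pass:''` assumes) the script still runs `chmod 0644 ${ca_path}` and `update-ca-trust extract`, and because `-out` truncates the target first the host can be left with an empty or partial cm-local-ca.pem in the trust anchors. Suggest exporting to a temporary file and only moving it into place on success, e.g. `if openssl pkcs12 ... -out "${ca_path}.tmp" ...; then mv "${ca_path}.tmp" "${ca_path}"; ... fi`, or exiting non-zero so the failure is visible. A second point on the trigger condition: a self-signed CA only passes `openssl verify` because that same anchor is already in the system bundle, so the check only fails once the installed anchor is missing or has expired; a CA certificate that certmonger has already renewed but whose old copy is still within its validity period is not refreshed until the old anchor lapses. Comparing the installed anchor against the certificate currently in the creds file (for example by `openssl x509 -fingerprint`) would pick up the renewal as soon as it happens and also sidesteps the dependency on the system trust store. Minor: quote `"${ca_path}"` and add a space after `#` in the comment to match the rest of the script.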