From a65df66fb66240bb292a8d0124465fa80034d1fe Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Tue, 6 Apr 2021 13:51:41 -0400
Subject: [PATCH] Always update the local certmonger ca cert

The local certmonger cert will renew after half its lifetime, which will
be after 6 months by default.  The current code would extract the CA cert
to a PEM file (and trust it), only if the cert in the existing PEM file
was expired.

But this means that the certmonger local cert could be renewed after six
months and not be replaced in the PEM file until the existing cert
expired at the end of the year.  If certs are issued in this time, they
will not be trusted and the update will fail.

This patch removes this condition, so that the extracted and trusted cert
always matches what is in the PEM file, and what is trusted.

Note, this only place this occurs is on the undercloud - because this is
where we could use the certmonger local cert.  We assume that the haproxy
cert will be re-issued in an update.

This change has been added to puppet-tripleo for master and all previous
releases, but in master now, we do this directly in tht as we use
ansible to get the system certs.

Change-Id: Ia0ad0ac6d7a09858b56dcb419a3bec17b63779a4
---
 deployment/haproxy/haproxy-public-tls-certmonger.yaml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/deployment/haproxy/haproxy-public-tls-certmonger.yaml b/deployment/haproxy/haproxy-public-tls-certmonger.yaml
index 735fd2b9a1..9b3f45855b 100644
--- a/deployment/haproxy/haproxy-public-tls-certmonger.yaml
+++ b/deployment/haproxy/haproxy-public-tls-certmonger.yaml
@@ -95,11 +95,9 @@ outputs:
               shell: |
                 set -e
                 ca_pem='/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
-                if ! { test -e ${ca_pem} && openssl x509 -checkend 0 -noout -in ${ca_pem}; }; then
-                    openssl pkcs12 -in /var/lib/certmonger/local/creds -out ${ca_pem} -nokeys -nodes -passin pass:''
-                    chmod 0644 ${ca_pem}
-                    update-ca-trust extract
-                fi
+                openssl pkcs12 -in /var/lib/certmonger/local/creds -out ${ca_pem} -nokeys -nodes -passin pass:''
+                chmod 0644 ${ca_pem}
+                update-ca-trust extract
                 test -e ${ca_pem} && openssl x509 -checkend 0 -noout -in ${ca_pem}
               retries: 5
               delay: 1