Always update the local certmonger ca cert

The local certmonger cert will renew after half its lifetime, which will be after 6 months by default. The current code would extract the CA cert to a PEM file (and trust it), only if the cert in the existing PEM file was expired. But this means that the certmonger local cert could be renewed after six months and not be replaced in the PEM file until the existing cert expired at the end of the year. If certs are issued in this time, they will not be trusted and the update will fail. This patch removes this condition, so that the extracted and trusted cert always matches what is in the PEM file, and what is trusted. Note, this only place this occurs is on the undercloud - because this is where we could use the certmonger local cert. We assume that the haproxy cert will be re-issued in an update. This change has been added to puppet-tripleo for master and all previous releases, but in master now, we do this directly in tht as we use ansible to get the system certs. Change-Id: Ia0ad0ac6d7a09858b56dcb419a3bec17b63779a4
2021-04-06 13:51:41 -04:00 · 2021-04-06 13:51:41 -04:00 · a65df66fb6
parent 5ed1b12242
commit a65df66fb6
1 changed files with 3 additions and 5 deletions
--- a/deployment/haproxy/haproxy-public-tls-certmonger.yaml
+++ b/deployment/haproxy/haproxy-public-tls-certmonger.yaml
@ -95,11 +95,9 @@ outputs:
              shell: |
                set -e
                ca_pem='/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'
-                if ! { test -e ${ca_pem} && openssl x509 -checkend 0 -noout -in ${ca_pem}; }; then
                openssl pkcs12 -in /var/lib/certmonger/local/creds -out ${ca_pem} -nokeys -nodes -passin pass:''
                chmod 0644 ${ca_pem}
                update-ca-trust extract
-                fi
                test -e ${ca_pem} && openssl x509 -checkend 0 -noout -in ${ca_pem}
              retries: 5
              delay: 1