keep and reuse ssl certificate

Currently when https is disabled, the installed ssl certificate
is removed from the system. The default self signed certificate
is installed again once https is enabled.

This change enhanced ssl certificate handling in that:
- The very first time https is enabled, the default self signed
  certificate is installed not only in fs but also in sysinv.
- When https is disabled, installed ssl/tpm certificate is no longer
  deleted.
- When https is enabled, the existing ssl/tpm certificate will be
  used if there is one installed. Otherwise the default self signed
  certificate will be installed (this is the case that https is
  enabled for the very first time).

Change-Id: Iaef7b4acc4badaab617c05dcbd6654ea3d1e126a
Closes-Bug: 1908437
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Andy Ning
2020-12-15 13:31:39 -05:00
parent 9331c8fcb5
commit 41b5fa0b50
2 changed files with 39 additions and 31 deletions

@@ -152,6 +152,20 @@ def do_modify(cc, args):
if k == "https_enabled" and v == "true":
print_https_warning = True
# If there is an existing ssl or tpm certificate in system, it will
# be used instead of installing the default self signed certificate.
if print_https_warning:
certificates = cc.certificate.list()
for certificate in certificates:
if certificate.certtype in ['ssl', 'tpm_mode']:
warning = ("Existing certificate %s is used for https."
% certificate.uuid)
break
else:
warning = "HTTPS enabled with a self-signed certificate.\nThis " \
"should be changed to a CA-signed certificate with " \
"'system certificate-install'. "
try:
isystem = cc.isystem.update(isystem.uuid, patch)
except exc.HTTPNotFound:
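Review bot: In the loop branch at "if certificate.certtype in ['ssl', 'tpm_mode']:", the CA-signed advice is dropped for any existing certificate, yet the commit message says the default self-signed certificate is now also installed in sysinv the first time https is enabled. If that certificate is returned by cc.certificate.list() with certtype 'ssl', every later enable would print only "Existing certificate %s is used for https." and the operator would no longer be told to replace a self-signed certificate. Consider keeping the 'system certificate-install' advice unless the existing certificate is known to be CA-signed, and include certificate.certtype in the message so ssl and tpm_mode reuse can be told apart. The lookup also runs before cc.isystem.update(), so the message describes the state before the update and is built even when the update then raises exc.HTTPNotFound; moving it after a successful update would avoid both.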
@@ -159,5 +173,4 @@ def do_modify(cc, args):
_print_isystem_show(isystem)
if print_https_warning:
print("HTTPS enabled with a self-signed certificate.\nThis should be "
"changed to a CA-signed certificate with 'system certificate-install'. ")
print(warning)
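Review bot: print(warning) depends on warning having been assigned in the earlier "if print_https_warning:" block, and nothing in the visible lines gives it a default. It works today because both uses sit behind the same flag, but the coupling is implicit; initialising warning alongside print_https_warning (for example to None) and testing "if warning:" here would keep a later change to either guard from turning into a NameError after the system update has already been applied.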