setup: Allow renewing certificates during the warning period #486
Conversation
There was a problem hiding this comment.
I think we should allow to renew certificates from the same date as we start to raise warnings about their expiration:
So we should use the CertExpirationWarnPeriodInDays also in engine-setup. We have na existing infra to get vdc_options' vaue within engine_setup:
https://github.com/oVirt/ovirt-engine/blob/master/packaging/setup/ovirt_engine_setup/engine/vdcoption.py#L63
https://github.com/oVirt/ovirt-engine/blob/master/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/config/aaa.py#L193
So we should use this option also in https://github.com/oVirt/ovirt-engine/blob/master/packaging/setup/ovirt_engine_setup/engine_common/pki_utils.py#L65 for longer valid certificates instead of hardcoded value.
The default value of CertExpirationWarnPeriodInDays, which applies to CA, Engine and host certificates, is 365. However engine-setup offers (and allows) renewing the CA and Engine certificates only 60 days or less before their expiration. This results in warnings about certificate expiration presented to users, while the users cannot actually renew the certificates for more than 300 days. Let’s allow renewing CA and Engine certificate during the warning period or, if it cannot be obtained, up to 365 days before their expiration. Bug-Url: https://bugzilla.redhat.com/2093954 Bug-Url: https://bugzilla.redhat.com/2096862 Bug-Url: https://bugzilla.redhat.com/2097725
mz-pdm
changed the title
|
Thank you for the pointers to config values retrieval. CertExpirationWarnPeriodInDays is used now. It seems to be working, but it's difficult to check all the different scenarios so please review carefully. |
|
lgtm |
|
ping |
|
should we also change the default to something like half a year instead of the 365 days? Otherwise it will start warning 33 days after creating the engine cert |
|
also thinking about this: maybe we should set the warn period to half a year , but renew at warn period * 1.5 so that it gets renewed before it starts warning if you regularly update ovirt |
No, the Engine certificate (not the web one) has lifetime of 5 years now. |
|
ah okay, so the engine cert will go back to a longterm cert next time I run engine-setup after this patch has merged :) That's good -- thanks for the info |
|
Sorry for commenting only now, after it's merged. I think this will fail - meaning, fallback to 365 days and info - with dwh/grafana on a separate machine. |
|
I think it's fine. getting the config is basically a nice to have. - if it gracefully falls back. |
It did :-( : Fix is in oVirt/ovirt-dwh#48 , but does not work (didn't test, though) if grafana is on its own separate machine. |
Bug-Url: https://bugzilla.redhat.com/2093954
Bug-Url: https://bugzilla.redhat.com/2096862
Bug-Url: https://bugzilla.redhat.com/2097725