tripleo

local CA is not updated if the cert expires

Bug #1753948 reported by Juan Antonio Osorio Robles
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
High
Juan Antonio Osorio Robles
tripleo rocky-1

Bug Description

When certificate autogeneration is used, the local CA is not updated if the certificate has expired. This results in the undercloud's SSL breaking and creates the need for the user to do manual steps to regenerate the CA certificate, which is not ideal.

Juan Antonio Osorio Robles (juan-osorio-robles)
Changed in tripleo:
status: New → Confirmed
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
milestone: none → rocky-1
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/550403

Changed in tripleo:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/550403
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=a4ae09d169396f63b1952570b2105d695753fa9d
Submitter: Zuul
Branch: master

commit a4ae09d169396f63b1952570b2105d695753fa9d
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Mar 7 10:57:37 2018 +0200

    Extract local CA if it expired

    This adds a conditional that extracts certmonger's local CA if the
    certificate doesn't exist or if it has expired already. This adds the
    ability for the deployer to fix the undercloud installation with the
    undercloud install command itself if expiration of the CA cert happens.

    Change-Id: I61577be2434d7321dd462902d386c6911c2c4f57
    Closes-Bug: #1753948

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/553311

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/queens)

Reviewed: https://review.openstack.org/553311
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=61deef779b38c5e32f4a9d863f1c818042541c44
Submitter: Zuul
Branch: stable/queens

commit 61deef779b38c5e32f4a9d863f1c818042541c44
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Mar 7 10:57:37 2018 +0200

    Extract local CA if it expired

    This adds a conditional that extracts certmonger's local CA if the
    certificate doesn't exist or if it has expired already. This adds the
    ability for the deployer to fix the undercloud installation with the
    undercloud install command itself if expiration of the CA cert happens.

    Change-Id: I61577be2434d7321dd462902d386c6911c2c4f57
    Closes-Bug: #1753948
    (cherry picked from commit a4ae09d169396f63b1952570b2105d695753fa9d)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/554172

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/pike)

Reviewed: https://review.openstack.org/554172
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=ebfdb8a28c032754d547154f882bd53534a2ccf6
Submitter: Zuul
Branch: stable/pike

commit ebfdb8a28c032754d547154f882bd53534a2ccf6
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Mar 7 10:57:37 2018 +0200

    Extract local CA if it expired

    This adds a conditional that extracts certmonger's local CA if the
    certificate doesn't exist or if it has expired already. This adds the
    ability for the deployer to fix the undercloud installation with the
    undercloud install command itself if expiration of the CA cert happens.

    Change-Id: I61577be2434d7321dd462902d386c6911c2c4f57
    Closes-Bug: #1753948
    (cherry picked from commit a4ae09d169396f63b1952570b2105d695753fa9d)

tags: added: in-stable-pike
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/554421

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/554423

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/ocata)

Reviewed: https://review.openstack.org/554423
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=fef73cca5c3618b45ce7fc2d063081912e158ba3
Submitter: Zuul
Branch: stable/ocata

commit fef73cca5c3618b45ce7fc2d063081912e158ba3
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Mar 7 10:57:37 2018 +0200

    Extract local CA if it expired

    This adds a conditional that extracts certmonger's local CA if the
    certificate doesn't exist or if it has expired already. This adds the
    ability for the deployer to fix the undercloud installation with the
    undercloud install command itself if expiration of the CA cert happens.

    Conflicts:
          spec/classes/tripleo_certmonger_ca_local_spec.rb

    Specs test file didn't exist in this branch, so I removed it.

    Change-Id: I61577be2434d7321dd462902d386c6911c2c4f57
    Closes-Bug: #1753948
    (cherry picked from commit a4ae09d169396f63b1952570b2105d695753fa9d)

tags: added: in-stable-ocata
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/newton)

Reviewed: https://review.openstack.org/554421
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=712df442f3b8ddeae4531ef7e3a4293613ae9294
Submitter: Zuul
Branch: stable/newton

commit 712df442f3b8ddeae4531ef7e3a4293613ae9294
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Wed Mar 7 10:57:37 2018 +0200

    Extract local CA if it expired

    This adds a conditional that extracts certmonger's local CA if the
    certificate doesn't exist or if it has expired already. This adds the
    ability for the deployer to fix the undercloud installation with the
    undercloud install command itself if expiration of the CA cert happens.

    Conflicts:
        spec/classes/tripleo_certmonger_ca_local_spec.rb

    The file above didn't exist in stable/newton

    Change-Id: I61577be2434d7321dd462902d386c6911c2c4f57
    Closes-Bug: #1753948
    (cherry picked from commit a4ae09d169396f63b1952570b2105d695753fa9d)

tags: added: in-stable-newton
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 7.4.11

This issue was fixed in the openstack/puppet-tripleo 7.4.11 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 6.5.11

This issue was fixed in the openstack/puppet-tripleo 6.5.11 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 5.6.9

This issue was fixed in the openstack/puppet-tripleo 5.6.9 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 8.3.1

This issue was fixed in the openstack/puppet-tripleo 8.3.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 9.0.0

This issue was fixed in the openstack/puppet-tripleo 9.0.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.