subcloud admin-ep-cert.pem updated without cert renew
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| StarlingX |
Fix Released
|
Medium
|
Bin Qian | ||
Bug Description
Subcloud admin endpoint certificate is updated unexpectedly.
When system controller audits subcloud intermediate CA certificate, subcloud mistakenly updates the intermediate CA certificate even when the certificate has not been changed. Then it triggers an unnecessary renew of admin endpoint certificate.
Expected behavior:
admin endpoint certificate should be updated when it is renewed or subcloud intermediate CA certificate is renewed.
actual behavior:
admin endpoint certificate on subcloud is updated when a subcloud intermediate CA audit occurs, e.g, when system controller performs a swact.
Note that updated certificate is a valid certificate. New certificate provides same level of security over admin endpoint communication. This is not security vulnerability.
| Changed in starlingx: | |
| assignee: | nobody → Bin Qian (bqian20) |
| importance: | Undecided → Medium |
| tags: | added: stx.5.0 stx.distcloud stx.security |
| OpenStack Infra (hudson-openstack) wrote Fix merged to config (master) | #1 |
| Changed in starlingx: | |
| status: | In Progress → Fix Released |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit cb6379d4a61a226
Author: Bin Qian <email address hidden>
Date: Mon Nov 2 11:57:24 2020 -0500
Update admin endpoint intermediate CA only when changed
The API should verify if the intermediate CA certificate is changed before
updating.
Closes-bug: 1902552
Change-Id: Ic2d8c6068a6b5f
Signed-off-by: Bin Qian <email address hidden>