> if old_cert and old_cert == ca_cert:
>     log("CA cert is the same as installed version", level=INFO)
Wondering why those do not match for 2. below.
> 1. update-status hook shouldn't change the files. It should be read-only.
> 2. Even with other hooks, the charm shouldn't touch /etc/ssl/certs or /etc/ssl/certs/ca-certificates.crt if SSL related configurations are unchanged. Touching /etc/ssl/certs causes the service disruption as you see above.
https://github.com/openstack/charm-neutron-api/blob/stable/18.02/hooks/charmhelpers/contrib/hahelpers/apache.py#L84-L95
$ sha256sum /usr/local/share/ca-certificates/keystone_juju_ca_cert.crt
f2d19eb104885f6911cae938a34a10f5466df4f6ffef64b0871800ef1f65b0ff  /usr/local/share/ca-certificates/keystone_juju_ca_cert.crt
$ head -n1 /usr/local/share/ca-certificates/keystone_juju_ca_cert.crt
-----BEGIN CERTIFICATE-----
^^^ plain text.
https://github.com/openstack/charm-neutron-api/blob/stable/18.02/hooks/charmhelpers/contrib/openstack/context.py#L803-L806
https://github.com/openstack/charm-neutron-api/blob/stable/18.02/hooks/charmhelpers/contrib/hahelpers/apache.py#L63-L73
$ juju run --unit neutron-api/0 'config-get ssl_ca | base64 -d | sha256sum'
f2d19eb104885f6911cae938a34a10f5466df4f6ffef64b0871800ef1f65b0ff  -
^^^ with base64 decode, hashsum matches.
1. is still valid though.
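
The comparison discussed above, as an added example that is not part of the original comment and not the charm's own code: the base64 ssl_ca value is decoded before it is compared with the installed file, and the file is left untouched when the content is identical. The names install_ca_if_changed and demo, and the sample certificate body, are assumptions made for illustration.

```python
import base64
import hashlib
import os
import tempfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def install_ca_if_changed(ssl_ca_b64: str, dest: str) -> bool:
    """Write the decoded CA cert to dest only when its content differs.

    Returns True if the file was (re)written, False if left untouched.
    """
    new_cert = base64.b64decode(ssl_ca_b64)
    try:
        with open(dest, "rb") as fh:
            old_cert = fh.read()
    except FileNotFoundError:
        old_cert = None
    # Compare the decoded bytes, not the base64 config string, with the file.
    if old_cert is not None and sha256_hex(old_cert) == sha256_hex(new_cert):
        return False
    # Write to a temp file and rename so readers never see a partial cert.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".")
    with os.fdopen(fd, "wb") as fh:
        fh.write(new_cert)
    os.replace(tmp, dest)
    return True


def demo() -> dict:
    # Constructed sample PEM body, not a real certificate.
    pem = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    cfg = base64.b64encode(pem).decode()  # what config-get ssl_ca would return
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "keystone_juju_ca_cert.crt")
        first = install_ca_if_changed(cfg, dest)
        mtime = os.stat(dest).st_mtime_ns
        second = install_ca_if_changed(cfg, dest)
        return {
            "first_write": first,
            "second_write": second,
            "mtime_unchanged": os.stat(dest).st_mtime_ns == mtime,
            "naive_equal": cfg.encode() == pem,  # encoded vs plain never match
        }
```

A hook built this way would run update-ca-certificates only when the function returns True.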