update of ssl_cert does not restart apache so old cert is still used
Bug #1927025 reported by
Xav Paice
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Dashboard Charm |
New
|
Undecided
|
Hernan Garcia |
Bug Description
Due to certificate expiry, we replaced the ssl_cert and ssl_key for openstack-dashboard (cs:openstack-
When testing, I saw that the certificate provided was still the old one:
curl -vvI https:/
...snip
* start date: May 15 15:46:30 2020 GMT
* expire date: May 15 16:16:29 2021 GMT
...snip
After restarting apache2 on the units, the correct cert was used.
This should be triggered by the config-changed hook.
tags: |
added: good-first-bug removed: onboarding |
Changed in charm-openstack-dashboard: | |
assignee: | nobody → Hernan Garcia (hernandanielg) |
To post a comment you must log in.
Triaged: High due to SSL cert 'breaking'.
The issue is that, I think, although the cert is changed, the actual config files don't change as the names of the certs are consistent. A couple of interesting ways to change this are (assuming this is the correct analysis):
1. Always just restart apache on the config-changed hook; this is the brute force and easiest method.
2. Add a context for the SSL key, cert, ca files such that they get tested for changes and thus the restart handler that is built into the config-change hook would automatically restart apache if they changed. This has the added complication of needing to change how the current contexts work due to identity-service relations being involved.
I'm guessing that 1. is the simplest.