commit 922fc973a1483c6aed7f8341a7c9a247eb378082
Author: Andy Ning <email address hidden>
Date: Mon Dec 12 16:26:34 2022 -0500

Fix admin endpoint root CA verification failure

In DC system, admin endpoint root CA certificate renewal on System
Controller will trigger subcloud intermediate CA cert and admin
endpoint cert renewal. During the renewals on subcloud, sysinv API
will verify the new root CA cert. But the current verification
algorithm is failing, because no certs in the subcloud can be used
to verify the self-signed root CA cert.

This change updated the algorithm to just verify by itself. Since
the renewal is done over existing HTTPS, the verification is
sufficient.

Test Plan:
PASS: DC admin endpoint root CA renewal is successful, dc-cert_sync_status is in in-sync state.
PASS: Lock/unlock controllers of Central Cloud, dc-cert_sync_status is in in-sync state.
PASS: Lock/unlock controllers of Subcloud, dc-cert_sync_status is in in-sync state.

Closes-Bug: 1999438
Signed-off-by: Andy Ning <email address hidden>
Change-Id: Id5c316849cd90cbc2fa44265bcb6658341460132

Reviewed: https://review.opendev.org/c/starlingx/config/+/867517
Committed: https://opendev.org/starlingx/config/commit/922fc973a1483c6aed7f8341a7c9a247eb378082
Submitter: "Zuul (22348)"
Branch: master
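
The self-verification the commit message describes, as an added example (not the sysinv code, which this page does not show): the root's signature is checked against the public key inside the same certificate. This proves only that the certificate is internally consistent; the authenticity of the new root still rests on the existing HTTPS channel it arrives over. The `cryptography` package, ECDSA keys, and the names `dc-root` and `sub` are assumptions made for the example.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_ca_pem(subject_cn, issuer_cn, subject_key, signing_key):
    """Constructed sample input: a CA certificate as PEM (names are made up)."""
    def name(cn):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2022, 12, 12)
    cert = (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)

def verify_self_signed_root(pem):
    """Return (ok, reason). Handles ECDSA-signed roots only (assumption)."""
    cert = x509.load_pem_x509_certificate(pem)
    if cert.issuer != cert.subject:
        return False, "issuer != subject, not a root"
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return False, "no basicConstraints"
    if not bc.ca:
        return False, "not a CA certificate"
    try:
        # Check the signature over the TBS bytes with the cert's *own* public key.
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "signature not made by the certificate's own key"
    return True, "self-signature valid"

def demo():
    root_key = ec.generate_private_key(ec.SECP256R1())
    other_key = ec.generate_private_key(ec.SECP256R1())
    return {  # root: genuine; forged: same names, foreign signer; intermediate: issued by root
        "root": verify_self_signed_root(make_ca_pem("dc-root", "dc-root", root_key, root_key)),
        "forged": verify_self_signed_root(make_ca_pem("dc-root", "dc-root", root_key, other_key)),
        "intermediate": verify_self_signed_root(make_ca_pem("sub", "dc-root", other_key, root_key)),
    }
```
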