Comment 2 for bug 1999438

OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/867517
Committed: https://opendev.org/starlingx/config/commit/922fc973a1483c6aed7f8341a7c9a247eb378082
Submitter: "Zuul (22348)"
Branch: master

commit 922fc973a1483c6aed7f8341a7c9a247eb378082
Author: Andy Ning <email address hidden>
Date: Mon Dec 12 16:26:34 2022 -0500

    Fix admin endpoint root CA verification failure

    In a DC system, admin endpoint root CA certificate renewal on the System
    Controller will trigger subcloud intermediate CA cert and admin
    endpoint cert renewal. During the renewals on subcloud, sysinv API
    will verify the new root CA cert. But the current verification
    algorithm is failing, because no certs in the subcloud can be used
    to verify the self-signed root CA cert.

    This change updated the algorithm to just verify by itself. Since
    the renewal is done over existing HTTPS, the verification is
    sufficient.

    Test Plan:
    PASS: DC admin endpoint root CA renewal is successful,
          dc-cert_sync_status is in in-sync state.
    PASS: Lock/unlock controllers of Central Cloud,
          dc-cert_sync_status is in in-sync state.
    PASS: Lock/unlock controllers of Subcloud,
          dc-cert_sync_status is in in-sync state.

    Closes-Bug: 1999438
    Signed-off-by: Andy Ning <email address hidden>
    Change-Id: Id5c316849cd90cbc2fa44265bcb6658341460132
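
The failure the commit message describes, and the self check that replaces it, can be reproduced with the openssl CLI. This is an added example, not code from the StarlingX change; the certificate subjects, file paths and helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Subjects, paths and helper names are constructed.
set -u

# Create a throwaway self-signed root CA: key at $1.key, cert at $1.pem.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Chain check: does cert $2 verify against the trust anchors in file $1?
# Matching on "OK" keeps the result independent of openssl's exit-code rules.
verify_against() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Self check: is cert $1 correctly signed by its own public key?
verify_self_signed() {
    verify_against "$1" "$1"
}

report() {
    if "$@"; then echo "pass: $*"; else echo "fail: $*"; fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_root "$work/old" "constructed-old-root"      # root the subcloud already trusts
make_root "$work/new" "constructed-new-root"      # renewed root being delivered
make_root "$work/other" "constructed-unrelated"   # any other self-signed cert

# Fails: nothing already on the subcloud signed the new root.
report verify_against "$work/old.pem" "$work/new.pem"
# Passes: the new root's signature matches its own public key.
report verify_self_signed "$work/new.pem"
# Also passes: the self check says nothing about who issued the cert.
report verify_self_signed "$work/other.pem"
```

The third result is the caveat to keep in mind: a self check confirms only that the certificate is internally consistent, so trust in the new root rests on the channel that delivered it, which the commit identifies as the existing HTTPS connection.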