Active certificate alarms of type ssl_ca are not cleared
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | Low | ayyappa |
Bug Description
Brief Description
-----------------
Active certificate alarms of type ssl_ca are not cleared on the system if the certificate is already deleted
Severity
--------
minor
Steps to Reproduce
------------------
1) Create the following cnf file
cat <<EOF > cert_conf.cnf
[ req ]
default_bits = 4096
encrypt_key = no
prompt = no
default_md = sha256
distinguished_name = dn
[ dn ]
C = CA
ST = Ontario
L = Windsor
O = WindRiver
CN = cert about to expire CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdent
authorityKeyIde
keyUsage = critical, keyEncipherment, digitalSignature, keyCertSign
EOF
2) Create the certificate for 29 days
openssl req -x509 -new -sha512 -days 29 -newkey rsa:4096 -keyout cert.key -out cert.crt -config cert_conf.cnf -extensions v3_ca
3) Now install the "cert.crt" on the system with mode "ssl_ca"
system certificate-install -m ssl_ca cert.crt
4) Run "sudo sm-restart service cert-alarm" to run the full audit instead of waiting 24h
5) Check the alarm is raised
[sysadmin@
+------
| UUID | Alarm | Reason Text | Entity ID | Severity | Time Stamp |
| | ID | | | | |
+------
| e4bdfc6a-
| | 200 | ae7a28f8312f' (mode=ssl_ca) is expiring soon on 2024-01-11, | 4d32fd12-
| | | 21:36:54 | | | |
6) Now delete the certificate
system certificate-
7) Now wait for "active alarm cert-alarm audit" to run; by default this runs every hour
8) Notice that the alarm has not been deleted
Expected Behavior
------------------
ssl_ca alarms should be deleted if the certificate is uninstalled
Actual Behavior
----------------
ssl_ca alarms are not deleted if the certificate is uninstalled
Reproducibility
---------------
100%
System Configuration
-------
all system configurations
Branch/Pull Time/Commit
-------
na
Last Pass
---------
na
Timestamp/Logs
--------------
na
Test Activity
-------------
normal use
Workaround
----------
Run "sudo sm-restart service cert-alarm" or wait for the full audit to run to clear the alarm
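Added example, not part of the original report and not StarlingX code: a sketch of the reconciliation the hourly active-alarm audit is expected to perform, clearing an alarm when its certificate has been uninstalled (steps 6-8) as well as when it has been renewed. The Cert and Alarm types, the audit_active_alarms function, the 30-day window and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: alarm window. The report only shows a 29-day certificate raising the alarm.
EXPIRING_SOON = timedelta(days=30)

@dataclass(frozen=True)
class Cert:
    uuid: str
    mode: str
    not_after: datetime

@dataclass(frozen=True)
class Alarm:
    alarm_uuid: str
    cert_uuid: str  # certificate the alarm was raised for
    mode: str

def audit_active_alarms(alarms, installed, now):
    """Return (keep, clear): alarms still justified, and (alarm, reason) pairs to clear."""
    by_uuid = {c.uuid: c for c in installed}
    keep, clear = [], []
    for alarm in alarms:
        cert = by_uuid.get(alarm.cert_uuid)
        if cert is None or cert.mode != alarm.mode:
            # Certificate was uninstalled: nothing is left to expire.
            clear.append((alarm, "certificate no longer installed"))
        elif cert.not_after - now > EXPIRING_SOON:
            # Same entry now carries a certificate outside the alarm window.
            clear.append((alarm, "certificate no longer expiring soon"))
        else:
            keep.append(alarm)
    return keep, clear

# Constructed sample data (hypothetical identifiers, not taken from the report).
NOW = datetime(2023, 12, 13, 21, 0, tzinfo=timezone.utc)
INSTALLED = [
    Cert("cert-a", "ssl_ca", NOW + timedelta(days=10)),
    Cert("cert-b", "ssl_ca", NOW + timedelta(days=365)),
]
ALARMS = [
    Alarm("alarm-1", "cert-a", "ssl_ca"),  # installed and still expiring soon
    Alarm("alarm-2", "cert-b", "ssl_ca"),  # installed, expiry now far away
    Alarm("alarm-3", "cert-c", "ssl_ca"),  # certificate deleted, as in steps 6-8
]

if __name__ == "__main__":
    keep, clear = audit_active_alarms(ALARMS, INSTALLED, NOW)
    for alarm, reason in clear:
        print(f"clear {alarm.alarm_uuid}: {reason}")
    for alarm in keep:
        print(f"keep  {alarm.alarm_uuid}")
```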
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.9.0 stx.security
Changed in starlingx:
assignee: nobody → ayyappa (mantri425)
Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/config/+/904235