Active certificate alarms of type ssl_ca are not cleared

Bug #2047165 reported by ayyappa
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: ayyappa

Bug Description

Brief Description
-----------------
Active certificate alarms of type ssl_ca are not cleared on the system if the certificate is already deleted

Severity
--------
minor

Steps to Reproduce
------------------
1)create the following cnf file

cat <<EOF > cert_conf.cnf
[ req ]
default_bits = 4096
encrypt_key = no
prompt = no
default_md = sha256
distinguished_name = dn

[ dn ]
C = CA
ST = Ontario
L = Windsor
O = WindRiver
CN = cert about to expire CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
keyUsage = critical, keyEncipherment, digitalSignature, keyCertSign
EOF

2)create the certificate for 29 days

openssl req -x509 -new -sha512 -days 29 -newkey rsa:4096 -keyout cert.key -out cert.crt -config cert_conf.cnf -extensions v3_ca

3)Now install the "cert.crt" on the system with mode "ssl_ca"

system certificate-install -m ssl_ca cert.crt

4)run "sudo sm-restart service cert-alarm" to run the full audit instead of waiting 24h

5)check the alarm is raised

[sysadmin@controller-0 ~(keystone_admin)]$ fm alarm-list --uuid
+--------------------------------------+-------+---------------------------------------------------------------+--------------------------------------+----------+-------------------+
| UUID | Alarm | Reason Text | Entity ID | Severity | Time Stamp |
| | ID | | | | |
+--------------------------------------+-------+---------------------------------------------------------------+--------------------------------------+----------+-------------------+
| e4bdfc6a-a10a-47a9-ba37-d9ed49d2f4fc | 500. | Certificate 'system certificate-show 4d32fd12-4a13-45cb-b46e- | system.certificate.mode=ssl_ca.uuid= | major | 2023-12-14T17:46: |
| | 200 | ae7a28f8312f' (mode=ssl_ca) is expiring soon on 2024-01-11, | 4d32fd12-4a13-45cb-b46e-ae7a28f8312f | | 10.968421 |
| | | 21:36:54 | | | |

6)now delete the certificate

system certificate-uninstall -m ssl_ca e4bdfc6a-a10a-47a9-ba37-d9ed49d2f4fc

7)now wait for "active alarm cert-alarm audit" to run, by default this runs every hour

8)Notice that the alarm has not been deleted

Expected Behavior
------------------
ssl_ca alarms should be deleted if the certificate is uninstalled

Actual Behavior
----------------
ssl_ca alarms are not deleted if the certificate is uninstalled

Reproducibility
---------------
100%

System Configuration
--------------------
all system configurations

Branch/Pull Time/Commit
-----------------------
na

Last Pass
---------
na

Timestamp/Logs
--------------
na

Test Activity
-------------
normal use

Workaround
----------
run "sudo sm-restart service cert-alarm" or wait for full audit to run to clear the alarm

Revision history for this message
OpenStack Infra (hudson-openstack) wrote: Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/config/+/904235

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/904235
Committed: https://opendev.org/starlingx/config/commit/4134359426d0f53d40b5913d4a084f0a895daa78
Submitter: "Zuul (22348)"
Branch: master

commit 4134359426d0f53d40b5913d4a084f0a895daa78
Author: amantri <email address hidden>
Date: Thu Dec 21 13:40:19 2023 -0500

    Clear ssl_ca certificate alarm

    Currently we are not clearing the ssl_ca certificate
    expiring/expired alarm on active alarm audit when the
    certificate is already uninstalled, this change clears
    the alarm if the expiring/expired certificate is deleted
    on active alarm audit.

    Test Plan:
    PASS: Install a ssl_ca certificate expires in 30days,
          run the full audit to raise the alarm, now
          uninstall the certificate and notice the alarm is
          cleared on active alarm audit.
    PASS: Install multiple expiring ssl_ca certificates,
          run full audit to raise the alarms, now uninstall
          one ssl_ca certificate, when the active alarm
          audit is run verify only uninstalled certificate
          alarm is cleared.

    Closes-bug: 2047165

    Change-Id: Icb7d4814eedba3202b92eda37fb17e46f93d68b7
    Signed-off-by: amantri <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
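As an added illustration of the audit behaviour this report and the fix's test plan describe (example code written for this page, not StarlingX/sysinv code): a full audit raises expiring/expired alarms for the certificates that are installed, and the hourly active-alarm audit re-checks every active certificate alarm and clears the ones whose certificate has since been uninstalled, leaving the alarms of the other expiring certificates untouched. The certificate and alarm records, the 30-day "expiring soon" window, the 500.210 id used for an already-expired certificate and all function names are assumptions chosen for illustration; the real cert-alarm service reads certificates from the sysinv database and raises and clears alarms through the FM API. The scenario in demo() is constructed from the commit's second test case.

```python
"""Reconciling certificate alarms against installed certificates.

Added example for this bug page, not StarlingX/sysinv code. Records,
thresholds, alarm ids and function names are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

ALARM_EXPIRING = "500.200"            # id shown in the report's fm alarm-list output
ALARM_EXPIRED = "500.210"             # assumed id for an already-expired certificate
EXPIRING_WINDOW = timedelta(days=30)  # assumed "expiring soon" threshold


@dataclass(frozen=True)
class Certificate:
    uuid: str
    mode: str              # e.g. "ssl_ca"
    not_after: datetime    # certificate notAfter, UTC


@dataclass(frozen=True)
class Alarm:
    alarm_id: str
    entity_id: str
    reason: str


def entity_id_for(cert: Certificate) -> str:
    # Same entity-id layout as in the report: system.certificate.mode=<mode>.uuid=<uuid>
    return f"system.certificate.mode={cert.mode}.uuid={cert.uuid}"


def evaluate(cert: Certificate, now: datetime) -> Optional[Alarm]:
    """Return the alarm an installed certificate should currently carry, or None."""
    eid = entity_id_for(cert)
    if cert.not_after <= now:
        return Alarm(ALARM_EXPIRED, eid,
                     f"Certificate {cert.uuid} (mode={cert.mode}) expired on {cert.not_after:%Y-%m-%d}")
    if cert.not_after - now <= EXPIRING_WINDOW:
        return Alarm(ALARM_EXPIRING, eid,
                     f"Certificate {cert.uuid} (mode={cert.mode}) is expiring soon on {cert.not_after:%Y-%m-%d}")
    return None


def full_audit(installed: Iterable[Certificate], now: datetime) -> Dict[str, Alarm]:
    """Rebuild the alarm set from the installed certificates only.

    Because it starts from the installed list, an alarm for an uninstalled
    certificate simply disappears here; that is why restarting cert-alarm
    (which runs the full audit) worked as the workaround in the report.
    """
    alarms: Dict[str, Alarm] = {}
    for cert in installed:
        alarm = evaluate(cert, now)
        if alarm is not None:
            alarms[alarm.entity_id] = alarm
    return alarms


def active_alarm_audit(installed: Iterable[Certificate], now: datetime,
                       active: Dict[str, Alarm]) -> Tuple[Dict[str, Alarm], List[str]]:
    """Re-check every active certificate alarm; return (kept alarms, cleared entity ids).

    The behaviour the bug describes corresponds to re-evaluating only alarms
    whose certificate can still be found, so an alarm for an uninstalled
    certificate was never revisited. Here a missing certificate clears the
    alarm explicitly, and a certificate that is no longer expiring (renewed)
    clears it too; an expiring alarm whose certificate has since expired is
    replaced by the expired alarm.
    """
    by_entity = {entity_id_for(c): c for c in installed}
    kept: Dict[str, Alarm] = {}
    cleared: List[str] = []
    for eid in active:
        cert = by_entity.get(eid)
        current = evaluate(cert, now) if cert is not None else None
        if current is None:
            cleared.append(eid)   # certificate uninstalled, or no longer expiring
        else:
            kept[eid] = current
    return kept, cleared


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: two expiring ssl_ca CAs plus a healthy one; the
    first CA is uninstalled between the full audit and the active-alarm audit."""
    now = datetime(2023, 12, 14, 17, 46, tzinfo=timezone.utc)
    ca1 = Certificate("4d32fd12-4a13-45cb-b46e-ae7a28f8312f", "ssl_ca", now + timedelta(days=28))
    ca2 = Certificate("aaaaaaaa-0000-0000-0000-000000000002", "ssl_ca", now + timedelta(days=10))
    ok = Certificate("bbbbbbbb-0000-0000-0000-000000000003", "ssl_ca", now + timedelta(days=365))
    active = full_audit([ca1, ca2, ok], now)                      # raises alarms for ca1 and ca2
    kept, cleared = active_alarm_audit([ca2, ok], now + timedelta(hours=1), active)
    return sorted(kept), cleared


if __name__ == "__main__":
    print(demo())
```

Only the uninstalled certificate's alarm ends up in the cleared list; the alarm for the other expiring CA survives the active-alarm audit, which is exactly the property the commit's second test case checks.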
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.9.0 stx.security
Changed in starlingx:
assignee: nobody → ayyappa (mantri425)