Bug 1688184 - Users should be notified about PKI expiry [NEEDINFO]
Summary: Users should be notified about PKI expiry
Keywords:
Status: NEW
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: PKI
Version: 4.3.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Martin Perina
QA Contact: Lukas Svaty
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-03-13 10:46 UTC by Yedidyah Bar David
Modified: 2019-03-31 08:58 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
oVirt Team: Infra
didi: needinfo? (mperina)



Description Yedidyah Bar David 2019-03-13 10:46:51 UTC
Description of problem:

$subject.

See also: bug 1210486, bug 1214860, bug 1450293, bug 1648190, and more recently bug 1686445.

We should somehow make sure users are notified not only by engine-setup, which is normally run only for upgrades. Perhaps the engine itself should check and notify using the existing notification mechanisms, or perhaps some external cron job should, or something like that.

It might make sense to refactor the existing engine-setup code to be usable standalone for this.

Comment 1 Sandro Bonazzola 2019-03-20 08:38:38 UTC
I think best place would be the engine showing a warning when PKI is near to expire.

Comment 2 Martin Perina 2019-03-29 10:51:04 UTC
The engine periodically (each day by default) checks the following certificates [1]:

1. Engine CA
2. Engine
3. Hosts which are Up or NonOperational

When any of those certificates is about to expire, we emit the following messages into audit_log:

1. If a certificate will expire in less than 30 days, we raise a WARNING message into the audit log
2. If a certificate will expire in less than 7 days, we raise an ALERT message into the audit log
3. If a certificate is expired, we raise an ALERT message into the audit log

We cannot do much about hosts which the engine cannot communicate with, because hosts' certificates are not stored on the engine, but I see only 2 use cases here:

1. Hosts are temporarily unavailable (for example Installing, Connecting, NonResponsive, Kdumping, Reboot, ...), so they should be checked during next day(s)
2. Maintenance - administrators should be aware of hosts in maintenance (especially those which are going to stay in Maintenance for longer than 30 days), so they can execute Enroll Certificate to hosts in maintenance before activating them


So is there anything important missing?


[1] https://github.com/oVirt/ovirt-engine/blob/master/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CertificationValidityChecker.java#L65

Comment 3 Yedidyah Bar David 2019-03-31 08:58:46 UTC
(In reply to Martin Perina from comment #2)
> The engine periodically (each day by default) checks the following
> certificates [1]:
> 
> 1. Engine CA
> 2. Engine
> 3. Hosts which are Up or NonOperational
> 
> When any of those certificates is about to expire, we emit the following
> messages into audit_log:
> 
> 1. If a certificate will expire in less than 30 days, we raise a WARNING message
> into the audit log
> 2. If a certificate will expire in less than 7 days, we raise an ALERT message
> into the audit log
> 3. If a certificate is expired, we raise an ALERT message into the audit log

All of this seems reasonable, and I'd close notabug, other than one thing.
engine-setup notifies and prompts under somewhat different conditions:
1. It checks more certs, and prompts if at least one requires action. These are: CA, engine, jboss (used for direct https access to it), websocket-proxy, apache, imageio-proxy.
2. It prompts if it expires in the next 365 days (much more than 30)
3. It prompts if it has no SAN (SubjectAlternativeName) extension (bug 1449084)
4. It prompts if the expires-not-before timestamp has no timezone (bug 1210486)

What do you think? Should we unify the tests? Not sure we must, but it might make sense. At least deciding on a single number of days is very easy (code-wise, not sure about docs/process) and makes sense...

The actual code testing this is in the file packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py, in the functions _expired and _ok_to_renew_cert.
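The two sets of rules discussed in comment 2 (the engine's daily audit_log check: WARNING under 30 days, ALERT under 7 days or when expired) and comment 3 (engine-setup's renewal prompt: 365 days, missing SAN, notBefore without a timezone) can be put side by side to see exactly where they disagree. The following is an added illustration, not code from ovirt-engine or engine-setup; the function names, the CertInfo record, the threshold parameters and the sample inventory are all constructed for this example.

```python
"""Side-by-side model of the two certificate checks described in the bug.

Constructed example: the rules mirror the thresholds stated in the comments,
but nothing here is oVirt code. CertInfo, the function names and the sample
inventory below are assumptions made for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class CertInfo:
    name: str
    not_before: datetime   # may be naive (no tzinfo); that by itself is a finding
    not_after: datetime    # always timezone-aware in this example
    has_san: bool          # whether a SubjectAlternativeName extension is present


def engine_audit_level(cert: CertInfo, now: datetime,
                       warn_days: int = 30, alert_days: int = 7) -> Optional[str]:
    """Audit-log level the engine's daily check would raise, or None if quiet."""
    remaining = cert.not_after - now
    if remaining <= timedelta(0):
        return "ALERT"                      # already expired
    if remaining < timedelta(days=alert_days):
        return "ALERT"                      # less than 7 days left
    if remaining < timedelta(days=warn_days):
        return "WARNING"                    # less than 30 days left
    return None


def engine_setup_reasons(cert: CertInfo, now: datetime,
                         renew_days: int = 365) -> List[str]:
    """Reasons engine-setup would prompt to renew this cert (empty list = fine)."""
    reasons = []
    if cert.not_after - now < timedelta(days=renew_days):
        reasons.append(f"expires within {renew_days} days")
    if not cert.has_san:
        reasons.append("no SubjectAlternativeName extension")
    if cert.not_before.tzinfo is None:
        reasons.append("notBefore timestamp has no timezone")
    return reasons


def compare_checks(certs: List[CertInfo],
                   now: datetime) -> Dict[str, Tuple[Optional[str], List[str]]]:
    """Per certificate: (engine audit level, engine-setup reasons)."""
    return {c.name: (engine_audit_level(c, now), engine_setup_reasons(c, now))
            for c in certs}


def only_engine_setup_flags(certs: List[CertInfo], now: datetime) -> List[str]:
    """Certs the daily engine check stays silent about but engine-setup would flag."""
    return sorted(name for name, (level, reasons) in compare_checks(certs, now).items()
                  if level is None and reasons)


# Constructed reference time and inventory (the six certs engine-setup inspects).
NOW = datetime(2019, 3, 31, 9, 0, tzinfo=timezone.utc)


def _cert(name: str, days_left: int, has_san: bool = True,
          naive_not_before: bool = False) -> CertInfo:
    not_before = NOW - timedelta(days=365)
    if naive_not_before:
        not_before = not_before.replace(tzinfo=None)
    return CertInfo(name, not_before, NOW + timedelta(days=days_left), has_san)


SAMPLE_INVENTORY = [
    _cert("ca", 1500, naive_not_before=True),   # fine by expiry, but notBefore lacks tz
    _cert("engine", 200),                       # engine quiet, engine-setup prompts
    _cert("jboss", 20),                         # engine WARNING
    _cert("websocket-proxy", 3),                # engine ALERT
    _cert("apache", -1),                        # expired: engine ALERT
    _cert("imageio-proxy", 800, has_san=False), # engine quiet, engine-setup prompts (SAN)
]

if __name__ == "__main__":
    for name, (level, reasons) in compare_checks(SAMPLE_INVENTORY, NOW).items():
        print(f"{name:16} engine={level!s:8} engine-setup={reasons}")
    print("flagged only by engine-setup:", only_engine_setup_flags(SAMPLE_INVENTORY, NOW))
```

Running it over the constructed inventory shows the gap the comment describes: "engine" (200 days left), "ca" (naive notBefore) and "imageio-proxy" (no SAN) produce no audit-log entry from the daily check yet would all be prompted for at the next engine-setup run. Changing warn_days to match renew_days is the one-parameter unification mentioned above; the SAN and timezone checks have no counterpart in the daily check at all.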

