starlingx
/
config
Code Issues Proposed changes

Fix IPsec certificates renewal script 

This commit fix IPsec certificates renewal script, which is set up
as a cron job to run daily at mid night. Due to a recent change, the
name of system-loca-ca certificate was changed to system-local-ca-1
and the function that returns the time left to the certificate
expiration was not working properly.

Test Plan:
PASS: Change system date to simulate IPsec cert is about to expire,
      adjust the system to work properly all pods and services needed
      to run ipsec-client and run the script, verify IPsec cert,
      private key and trusted CA cert are renewed, and IKE SAs and
      CHILD SAs are re-established.
PASS: Change the certificate /etc/swanctl/x509ca/system-local-ca-1.crt
      to simulate the IPsec trusted CA cert is different from
      the system-local-ca in k8s secret, run the script, verify the
      trusted CA and IPsec cert/key are renewed, and IKE SAs and CHILD
      SAs are re-established.

Story: 2010940
Task: 49850

Change-Id: Iea88211221d55df763f3f86853d402fffcb58c68
Signed-off-by: Leonardo Mendes <Leonardo.MendesSantana@windriver.com>
This commit is contained in:
Leonardo Mendes 2024-04-10 13:35:33 -03:00
parent 7299fa6118
commit 2446746b41
1 changed files with 3 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
sysinv/sysinv/sysinv/scripts/ipsec-cert-renew.sh
View File

@ -43,9 +43,8 @@ time_left_s_by_openssl() {
exp_date_s=$(date -d "${exp_date}" +%s)
current_date_s=$(date +%s)
time_left_s=$((${exp_date_s}-${current_date_s}))
else
return 1
fi
echo $time_left_s
}
# Check if the trusted CA cert is consistent with system-local-ca
@ -65,7 +64,7 @@ fi
# Retrieve the serial number of the IPsec trusted CA cert.
if [ ${ERR_CA} -eq 0 ]; then
serial_in_file=$(openssl x509 -in /etc/swanctl/x509ca/system-local-ca.crt -noout -serial)
serial_in_file=$(openssl x509 -in /etc/swanctl/x509ca/system-local-ca-1.crt -noout -serial)
if [ "x${serial_in_file}" = "x" ]; then
LOG_error "Failed to retrieve serial number from CA cert file."
@ -84,7 +83,7 @@ fi
# Check if it's time to renew IPsec certificate.
if [ ${ERR_CERT} -eq 0 ]; then
time_left_s=$(time_left_s_by_openssl "${IPSEC_CERT_PATH}")
if [ $? -ne 0 ]; then
if [ "x${time_left_s}" = "x" ]; then
LOG_error "Failed to retrieve expiry date from ${IPSEC_CERT_PATH}"
ERR_CERT=1
fi