Fix IPsec certificates renewal script
This commit fixes the IPsec certificates renewal script, which is set up as a cron job to run daily at midnight. Due to a recent change, the name of the system-local-ca certificate was changed to system-local-ca-1, and the function that returns the time left until the certificate expires was not working properly. Test Plan: PASS: Change the system date to simulate that the IPsec cert is about to expire, adjust the system so that all pods and services needed to run ipsec-client work properly, run the script, and verify that the IPsec cert, private key and trusted CA cert are renewed and that the IKE SAs and CHILD SAs are re-established. PASS: Change the certificate /etc/swanctl/x509ca/system-local-ca-1.crt to simulate that the IPsec trusted CA cert differs from the system-local-ca in the k8s secret, run the script, and verify that the trusted CA and IPsec cert/key are renewed and that the IKE SAs and CHILD SAs are re-established. Story: 2010940 Task: 49850 Change-Id: Iea88211221d55df763f3f86853d402fffcb58c68 Signed-off-by: Leonardo Mendes <Leonardo.MendesSantana@windriver.com>
parent
7299fa6118
commit
2446746b41
|
@ -43,9 +43,8 @@ time_left_s_by_openssl() {
|
||||||
exp_date_s=$(date -d "${exp_date}" +%s)
|
exp_date_s=$(date -d "${exp_date}" +%s)
|
||||||
current_date_s=$(date +%s)
|
current_date_s=$(date +%s)
|
||||||
time_left_s=$((${exp_date_s}-${current_date_s}))
|
time_left_s=$((${exp_date_s}-${current_date_s}))
|
||||||
else
|
|
||||||
return 1
|
|
||||||
fi
|
fi
|
||||||
|
echo $time_left_s
|
||||||
}
|
}
|
||||||
|
|
||||||
# Check if the trusted CA cert is consistent with system-local-ca
|
# Check if the trusted CA cert is consistent with system-local-ca
|
||||||
|
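Review bot: With the `else`/`return 1` branch gone, the added `echo $time_left_s` after the `fi` runs on every path, so when no expiry date was parsed the function prints an empty line and still exits 0; failure is now signalled only by empty stdout, which any caller that checks the exit status will miss. Keeping a non-zero status alongside the output, `[ -n "${time_left_s}" ] || return 1` placed before a quoted `echo "${time_left_s}"`, serves both kinds of caller and avoids word-splitting the value. The function's signature and the `if` whose `else` branch was removed start outside the hunk, so the condition that leads to the empty case is not visible here.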
@ -65,7 +64,7 @@ fi
|
||||||
|
|
||||||
# Retrieve the serial number of the IPsec trusted CA cert.
|
# Retrieve the serial number of the IPsec trusted CA cert.
|
||||||
if [ ${ERR_CA} -eq 0 ]; then
|
if [ ${ERR_CA} -eq 0 ]; then
|
||||||
serial_in_file=$(openssl x509 -in /etc/swanctl/x509ca/system-local-ca.crt -noout -serial)
|
serial_in_file=$(openssl x509 -in /etc/swanctl/x509ca/system-local-ca-1.crt -noout -serial)
|
||||||
|
|
||||||
if [ "x${serial_in_file}" = "x" ]; then
|
if [ "x${serial_in_file}" = "x" ]; then
|
||||||
LOG_error "Failed to retrieve serial number from CA cert file."
|
LOG_error "Failed to retrieve serial number from CA cert file."
|
||||||
|
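Review bot: The renamed CA path on the `serial_in_file=` line is a bare literal, `/etc/swanctl/x509ca/system-local-ca-1.crt`, whereas the leaf certificate in the following hunk is referenced through `IPSEC_CERT_PATH`; a rename like the one that motivated this commit is exactly what a single named constant would have localized. I would hoist it to a read-only variable defined next to `IPSEC_CERT_PATH`, for example `IPSEC_CA_CERT_PATH=/etc/swanctl/x509ca/system-local-ca-1.crt`, and use `"${IPSEC_CA_CERT_PATH}"` here and wherever else the script names the trusted CA file. Whether such a variable already exists elsewhere in the script is not visible from this hunk.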
@ -84,7 +83,7 @@ fi
|
||||||
# Check if it's time to renew IPsec certificate.
|
# Check if it's time to renew IPsec certificate.
|
||||||
if [ ${ERR_CERT} -eq 0 ]; then
|
if [ ${ERR_CERT} -eq 0 ]; then
|
||||||
time_left_s=$(time_left_s_by_openssl "${IPSEC_CERT_PATH}")
|
time_left_s=$(time_left_s_by_openssl "${IPSEC_CERT_PATH}")
|
||||||
if [ $? -ne 0 ]; then
|
if [ "x${time_left_s}" = "x" ]; then
|
||||||
LOG_error "Failed to retrieve expiry date from ${IPSEC_CERT_PATH}"
|
LOG_error "Failed to retrieve expiry date from ${IPSEC_CERT_PATH}"
|
||||||
ERR_CERT=1
|
ERR_CERT=1
|
||||||
fi
|
fi
|
||||||
|
|
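Review bot: The new emptiness test on the line after `time_left_s=$(time_left_s_by_openssl ...)` accepts any non-empty output as a valid number of seconds, so if the helper ever prints something non-numeric the value is presumably fed into an arithmetic comparison further down and would fail there instead of setting `ERR_CERT`. A POSIX-compatible guard such as `case "${time_left_s}" in ''|*[!0-9-]*) LOG_error "Failed to retrieve expiry date from ${IPSEC_CERT_PATH}"; ERR_CERT=1 ;; esac` covers both the empty and the malformed case; if the simpler form is kept, `[ -z "${time_left_s}" ]` reads more directly than the `x` idiom. The comparison that consumes this value lies outside the hunk.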