diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index e36cd95d0..df0f872b4 100644
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -752,6 +752,20 @@ std::shared_ptr CreateCertIcingaCA(const std::shared_ptr& cert)
 return CreateCertIcingaCA(pkey.get(), X509_get_subject_name(cert.get()));
 }
+bool IsCertUptodate(const std::shared_ptr& cert)
+{
+ time_t now;
+ time(&now);
+ /* auto-renew all certificates which were created before 2017 to force an update of the CA, * because Icinga versions older than 2.4 sometimes create certificates with an invalid serial number. */
+ time_t forceRenewalEnd = 1483228800; /* January 1st, 2017 */
+ time_t renewalStart = now + 30 * 24 * 60 * 60;
+ return X509_cmp_time(X509_get_notBefore(cert.get()), &forceRenewalEnd) != -1 && X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart) != -1;
+}
+
 String CertificateToString(const std::shared_ptr& cert)
 {
 BIO *mem = BIO_new(BIO_s_mem());
diff --git a/lib/base/tlsutility.hpp b/lib/base/tlsutility.hpp
index c62f5cfad..6ed84add5 100644
--- a/lib/base/tlsutility.hpp
+++ b/lib/base/tlsutility.hpp
@@ -55,6 +55,7 @@ String CertificateToString(const std::shared_ptr& cert);
 std::shared_ptr StringToCertificate(const String& cert);
 std::shared_ptr CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject);
 std::shared_ptr CreateCertIcingaCA(const std::shared_ptr& cert);
+bool IsCertUptodate(const std::shared_ptr& cert);
 String PBKDF2_SHA1(const String& password, const String& salt, int iterations);
 String PBKDF2_SHA256(const String& password, const String& salt, int iterations);
diff --git a/lib/remote/jsonrpcconnection-pki.cpp b/lib/remote/jsonrpcconnection-pki.cpp
index baa115d69..c38c96d0b 100644
--- a/lib/remote/jsonrpcconnection-pki.cpp
+++ b/lib/remote/jsonrpcconnection-pki.cpp
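Review bot: In IsCertUptodate the two `!= -1` comparisons accept an X509_cmp_time() failure (return value 0, e.g. a notBefore/notAfter that does not parse) as "up to date", so a certificate whose validity fields cannot be read is reported as current and the caller skips automated renewal instead of renewing it. Both checks ask for "strictly later than", so `== 1` states the intent and lets the error case fall through to renewal: `return X509_cmp_time(X509_get_notBefore(cert.get()), &forceRenewalEnd) == 1 && X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart) == 1;`. This form is carried over verbatim from the removed block in jsonrpcconnection-pki.cpp, so it is a pre-existing behaviour rather than a regression, but the move into a shared helper is the right moment to fix it. The new public function also has no doc comment here or on its declaration in tlsutility.hpp; a line such as `/* Returns true if the certificate was issued after 2017-01-01 and stays valid for more than 30 days, i.e. it does not need renewal. */` above the definition would spare callers from reading the body to learn what "uptodate" means.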
@@ -76,16 +76,7 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
 }
 if (signedByCA) {
- time_t now;
- time(&now);
- /* auto-renew all certificates which were created before 2017 to force an update of the CA, * because Icinga versions older than 2.4 sometimes create certificates with an invalid serial number. */
- time_t forceRenewalEnd = 1483228800; /* January 1st, 2017 */
- time_t renewalStart = now + 30 * 24 * 60 * 60;
- if (X509_cmp_time(X509_get_notBefore(cert.get()), &forceRenewalEnd) != -1 && X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart) != -1) {
+ if (IsCertUptodate(cert)) {
 Log(LogInformation, "JsonRpcConnection")
 << "The certificate for CN '" << cn << "' is valid and uptodate. Skipping automated renewal.";