mirror of
https://github.com/Icinga/icinga2.git
synced 2025-07-23 13:45:04 +02:00
Introduce IsCertUptodate()
This commit is contained in:
parent
1ffc9f8120
commit
83911d0e05
@ -752,6 +752,20 @@ std::shared_ptr<X509> CreateCertIcingaCA(const std::shared_ptr<X509>& cert)
|
|||||||
return CreateCertIcingaCA(pkey.get(), X509_get_subject_name(cert.get()));
|
return CreateCertIcingaCA(pkey.get(), X509_get_subject_name(cert.get()));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool IsCertUptodate(const std::shared_ptr<X509>& cert)
|
||||||
|
{
|
||||||
|
time_t now;
|
||||||
|
time(&now);
|
||||||
|
|
||||||
|
/* auto-renew all certificates which were created before 2017 to force an update of the CA,
|
||||||
|
* because Icinga versions older than 2.4 sometimes create certificates with an invalid
|
||||||
|
* serial number. */
|
||||||
|
time_t forceRenewalEnd = 1483228800; /* January 1st, 2017 */
|
||||||
|
time_t renewalStart = now + 30 * 24 * 60 * 60;
|
||||||
|
|
||||||
|
return X509_cmp_time(X509_get_notBefore(cert.get()), &forceRenewalEnd) != -1 && X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart) != -1;
|
||||||
|
}
|
||||||
|
|
||||||
String CertificateToString(const std::shared_ptr<X509>& cert)
|
String CertificateToString(const std::shared_ptr<X509>& cert)
|
||||||
{
|
{
|
||||||
BIO *mem = BIO_new(BIO_s_mem());
|
BIO *mem = BIO_new(BIO_s_mem());
|
||||||
|
@ -55,6 +55,7 @@ String CertificateToString(const std::shared_ptr<X509>& cert);
|
|||||||
std::shared_ptr<X509> StringToCertificate(const String& cert);
|
std::shared_ptr<X509> StringToCertificate(const String& cert);
|
||||||
std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject);
|
std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject);
|
||||||
std::shared_ptr<X509> CreateCertIcingaCA(const std::shared_ptr<X509>& cert);
|
std::shared_ptr<X509> CreateCertIcingaCA(const std::shared_ptr<X509>& cert);
|
||||||
|
bool IsCertUptodate(const std::shared_ptr<X509>& cert);
|
||||||
|
|
||||||
String PBKDF2_SHA1(const String& password, const String& salt, int iterations);
|
String PBKDF2_SHA1(const String& password, const String& salt, int iterations);
|
||||||
String PBKDF2_SHA256(const String& password, const String& salt, int iterations);
|
String PBKDF2_SHA256(const String& password, const String& salt, int iterations);
|
||||||
|
@ -76,16 +76,7 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (signedByCA) {
|
if (signedByCA) {
|
||||||
time_t now;
|
if (IsCertUptodate(cert)) {
|
||||||
time(&now);
|
|
||||||
|
|
||||||
/* auto-renew all certificates which were created before 2017 to force an update of the CA,
|
|
||||||
* because Icinga versions older than 2.4 sometimes create certificates with an invalid
|
|
||||||
* serial number. */
|
|
||||||
time_t forceRenewalEnd = 1483228800; /* January 1st, 2017 */
|
|
||||||
time_t renewalStart = now + 30 * 24 * 60 * 60;
|
|
||||||
|
|
||||||
if (X509_cmp_time(X509_get_notBefore(cert.get()), &forceRenewalEnd) != -1 && X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart) != -1) {
|
|
||||||
|
|
||||||
Log(LogInformation, "JsonRpcConnection")
|
Log(LogInformation, "JsonRpcConnection")
|
||||||
<< "The certificate for CN '" << cn << "' is valid and uptodate. Skipping automated renewal.";
|
<< "The certificate for CN '" << cn << "' is valid and uptodate. Skipping automated renewal.";
|
||||||
|
Loading…
x
Reference in New Issue
Block a user