ApiListener#Start(): auto-renew CA on its owner

otherwise it would expire.

lib/remote/apilistener.cpp

@@ -248,7 +248,12 @@ void ApiListener::Start(bool runtimeCreated)
 
 	if (Utility::PathExists(GetIcingaCADir() + "/ca.key")) {
 		RenewOwnCert();
-		m_RenewOwnCertTimer->OnTimerExpired.connect([this](const Timer * const&) { RenewOwnCert(); });
+		RenewCA();
+
+		m_RenewOwnCertTimer->OnTimerExpired.connect([this](const Timer * const&) {
+			RenewOwnCert();
+			RenewCA();
+		});
 	} else {
 		m_RenewOwnCertTimer->OnTimerExpired.connect([this](const Timer * const&) {
 			JsonRpcConnection::SendCertificateRequest(nullptr, nullptr, String());
@@ -329,6 +334,31 @@ void ApiListener::RenewOwnCert()
 	UpdateSSLContext();
 }
 
+void ApiListener::RenewCA()
+{
+	auto certPath (GetCaDir() + "/ca.crt");
+	auto cert (GetX509Certificate(certPath));
+
+	if (IsCaUptodate(cert.get())) {
+		return;
+	}
+
+	Log(LogInformation, "ApiListener")
+		<< "Our CA will expire soon, but we own it. Renewing.";
+
+	cert = RenewCert(cert, true);
+
+	if (!cert) {
+		return;
+	}
+
+	auto certStr (CertificateToString(cert));
+
+	AtomicFile::Write(GetDefaultCaPath(), 0644, certStr);
+	AtomicFile::Write(certPath, 0644, certStr);
+	UpdateSSLContext();
+}
+
 void ApiListener::Stop(bool runtimeDeleted)
 {
 	m_ApiPackageIntegrityTimer->Stop(true);

lib/remote/apilistener.hpp

@@ -227,6 +227,7 @@ private:
 	void SyncLocalZoneDirs() const;
 	void SyncLocalZoneDir(const Zone::Ptr& zone) const;
 	void RenewOwnCert();
+	void RenewCA();
 
 	void SendConfigUpdate(const JsonRpcConnection::Ptr& aclient);