From bc778116e9f05a7860847881f306a90012970b1a Mon Sep 17 00:00:00 2001 From: "Alexander A. Klimov" Date: Fri, 27 Oct 2023 18:24:29 +0200 Subject: [PATCH] ApiListener#Start(): auto-renew CA on its owner otherwise it would expire.
---
 lib/remote/apilistener.cpp | 32 +++++++++++++++++++++++++++++++-
 lib/remote/apilistener.hpp | 1 +
 2 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/lib/remote/apilistener.cpp b/lib/remote/apilistener.cpp
index f0ac42cc4..85443e218 100644
--- a/lib/remote/apilistener.cpp
+++ b/lib/remote/apilistener.cpp
@@ -248,7 +248,12 @@ void ApiListener::Start(bool runtimeCreated)
 	if (Utility::PathExists(GetIcingaCADir() + "/ca.key")) {
 		RenewOwnCert();
-		m_RenewOwnCertTimer->OnTimerExpired.connect([this](const Timer * const&) { RenewOwnCert(); });
+		RenewCA();
+
+		m_RenewOwnCertTimer->OnTimerExpired.connect([this](const Timer * const&) {
+			RenewOwnCert();
+			RenewCA();
+		});
 	} else {
 		m_RenewOwnCertTimer->OnTimerExpired.connect([this](const Timer * const&) {
 			JsonRpcConnection::SendCertificateRequest(nullptr, nullptr, String());
@@ -329,6 +334,31 @@ void ApiListener::RenewOwnCert()
 	UpdateSSLContext();
 }
+void ApiListener::RenewCA()
+{
+	auto certPath (GetCaDir() + "/ca.crt");
+	auto cert (GetX509Certificate(certPath));
+
+	if (IsCaUptodate(cert.get())) {
+		return;
+	}
+
+	Log(LogInformation, "ApiListener")
+		<< "Our CA will expire soon, but we own it. Renewing.";
+
+	cert = RenewCert(cert, true);
+
+	if (!cert) {
+		return;
+	}
+
+	auto certStr (CertificateToString(cert));
+
+	AtomicFile::Write(GetDefaultCaPath(), 0644, certStr);
+	AtomicFile::Write(certPath, 0644, certStr);
+	UpdateSSLContext();
+}
+
 void ApiListener::Stop(bool runtimeDeleted)
 {
 	m_ApiPackageIntegrityTimer->Stop(true);
diff --git a/lib/remote/apilistener.hpp b/lib/remote/apilistener.hpp
index 48e7e4c42..fced0a8af 100644
--- a/lib/remote/apilistener.hpp
+++ b/lib/remote/apilistener.hpp
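Review bot: The added `RenewCA();` calls in Start() and in the timer lambda carry no comment, and the timer is still named m_RenewOwnCertTimer, so a reader has to open RenewCA() to learn that it only acts when ca.key is present and (per the second hunk) returns early while the CA is still up to date. A one-line comment above the first added call, `// We own the CA (ca.key exists): keep it from expiring as well; RenewCA() is a no-op while it is still current.`, would state that intent where the calls are made. Start()'s body begins and ends outside this hunk, so whether anything else in it depends on the CA being renewed before or after the own certificate cannot be judged here.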
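Review bot: The `if (!cert) { return; }` after `cert = RenewCert(cert, true);` in RenewCA() drops the failure silently right after "Renewing." was logged, so an operator sees a renewal announced and nothing more while the CA keeps moving toward expiry; log before returning, e.g. `Log(LogCritical, "ApiListener") << "Failed to renew our CA certificate; it will expire.";` (match whatever level RenewOwnCert() uses for the same case). The function also relies on two things a header comment should spell out: that RenewCert(..., true) re-signs with the existing ca.key so certificates already issued to other nodes keep validating, and that GetDefaultCaPath() and certPath are two copies that must stay in sync — the two AtomicFile::Write calls are not atomic as a pair, so a failure between them leaves the copies diverged until the next timer run. Whether GetX509Certificate() throws or returns null for a missing or unreadable ca.crt is not visible here; if it can return null, `IsCaUptodate(cert.get())` is handed a null pointer.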
@@ -227,6 +227,7 @@ private:
 	void SyncLocalZoneDirs() const;
 	void SyncLocalZoneDir(const Zone::Ptr& zone) const;
 	void RenewOwnCert();
+	void RenewCA();
 	void SendConfigUpdate(const JsonRpcConnection::Ptr& aclient);