Renew certificates also periodically

lib/base/tlsutility.cpp

@@ -623,7 +623,7 @@ std::shared_ptr<X509> CreateCert(EVP_PKEY *pubkey, X509_NAME *subject, X509_NAME
 	X509 *cert = X509_new();
 	X509_set_version(cert, 2);
 	X509_gmtime_adj(X509_get_notBefore(cert), 0);
-	X509_gmtime_adj(X509_get_notAfter(cert), (ca ? 15 * 365 : 397) * 24 * 60 * 60);
+	X509_gmtime_adj(X509_get_notAfter(cert), ca ? ROOT_VALID_FOR : LEAF_VALID_FOR);
 	X509_set_pubkey(cert, pubkey);
 
 	X509_set_subject_name(cert, subject);
@@ -761,7 +761,7 @@ bool IsCertUptodate(const std::shared_ptr<X509>& cert)
 	 * because Icinga versions older than 2.4 sometimes create certificates with an invalid
 	 * serial number. */
 	time_t forceRenewalEnd = 1483228800; /* January 1st, 2017 */
-	time_t renewalStart = now + 30 * 24 * 60 * 60;
+	time_t renewalStart = now + RENEW_THRESHOLD;
 
 	return X509_cmp_time(X509_get_notBefore(cert.get()), &forceRenewalEnd) != -1 && X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart) != -1;
 }

lib/base/tlsutility.hpp

@@ -30,6 +30,11 @@ const char * const DEFAULT_TLS_CIPHERS = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RS
 const char * const DEFAULT_TLS_PROTOCOLMIN = "TLSv1.2";
 const unsigned int DEFAULT_CONNECT_TIMEOUT = 15;
 
+const auto ROOT_VALID_FOR  = 60 * 60 * 24 * 365 * 15;
+const auto LEAF_VALID_FOR  = 60 * 60 * 24 * 397;
+const auto RENEW_THRESHOLD = 60 * 60 * 24 * 30;
+const auto RENEW_INTERVAL  = 60 * 60 * 24;
+
 void InitializeOpenSSL();
 
 String GetOpenSSLVersion();

lib/remote/apilistener.cpp

@@ -235,7 +235,20 @@ void ApiListener::Start(bool runtimeCreated)
 		<< "'" << GetName() << "' started.";
 
 	SyncLocalZoneDirs();
-	RenewOwnCert();
+
+	m_RenewOwnCertTimer = new Timer();
+
+	if (Utility::PathExists(GetIcingaCADir() + "/ca.key")) {
+		RenewOwnCert();
+		m_RenewOwnCertTimer->OnTimerExpired.connect([this](const Timer * const&) { RenewOwnCert(); });
+	} else {
+		m_RenewOwnCertTimer->OnTimerExpired.connect([this](const Timer * const&) {
+			JsonRpcConnection::SendCertificateRequest(nullptr, nullptr, String());
+		});
+	}
+
+	m_RenewOwnCertTimer->SetInterval(RENEW_INTERVAL);
+	m_RenewOwnCertTimer->Start();
 
 	ObjectImpl<ApiListener>::Start(runtimeCreated);
 
@@ -288,10 +301,6 @@ void ApiListener::Start(bool runtimeCreated)
 
 void ApiListener::RenewOwnCert()
 {
-	if (!Utility::PathExists(GetIcingaCADir() + "/ca.key")) {
-		return;
-	}
-
 	auto certPath (GetDefaultCertPath());
 	auto cert (GetX509Certificate(certPath));
 
@@ -832,9 +841,6 @@ void ApiListener::SyncClient(const JsonRpcConnection::Ptr& aclient, const Endpoi
 		auto parent (myZone->GetParent());
 
 		if (parent == eZone || !parent && eZone == myZone) {
-			Log(LogInformation, "ApiListener")
-				<< "Requesting new certificate for this Icinga instance from endpoint '" << endpoint->GetName() << "'.";
-
 			JsonRpcConnection::SendCertificateRequest(aclient, nullptr, String());
 
 			if (Utility::PathExists(ApiListener::GetCertificateRequestsDir())) {

lib/remote/apilistener.hpp

@@ -171,6 +171,7 @@ private:
 	Timer::Ptr m_AuthorityTimer;
 	Timer::Ptr m_CleanupCertificateRequestsTimer;
 	Timer::Ptr m_ApiPackageIntegrityTimer;
+	Timer::Ptr m_RenewOwnCertTimer;
 
 	Endpoint::Ptr m_LocalEndpoint;
 

lib/remote/jsonrpcconnection-pki.cpp

@@ -266,6 +266,17 @@ void JsonRpcConnection::SendCertificateRequest(const JsonRpcConnection::Ptr& acl
 
 	/* Path is empty if this is our own request. */
 	if (path.IsEmpty()) {
+		{
+			Log msg (LogInformation, "JsonRpcConnection");
+			msg << "Requesting new certificate for this Icinga instance";
+
+			if (aclient) {
+				msg << " from endpoint '" << aclient->GetIdentity() << "'";
+			}
+
+			msg << ".";
+		}
+
 		String ticketPath = ApiListener::GetCertsDir() + "/ticket";
 
 		std::ifstream fp(ticketPath.CStr());