Regenerate self-provisioned ES TLS cert when it's outdated (#1301)
Force cert regeneration for self prov elasticsearch instances if SAN is invalid

Signed-off-by: Kevin Earls <kearls@redhat.com>
kevinearls authored Nov 13, 2020
1 parent b057274 commit 462dabe
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions scripts/cert_generation.sh
Expand Up @@ -207,6 +207,12 @@ function generate_certs() {
local component=$1
local extensions=${2:-}

# For TRACING-1631 - if we can't find the namespace in the cert it's bad, regenerate everything
if [ $REGENERATE_NEEDED = 0 ] && [ "${component}" == "elasticsearch" ] && [ -f ${WORKING_DIR}/logging-es.crt ] ; then
openssl x509 -in ${WORKING_DIR}/logging-es.crt -text | grep -q "DNS:elasticsearch.${NAMESPACE}.svc"
REGENERATE_NEEDED=$?
fi

if [ $REGENERATE_NEEDED = 1 ] || [ ! -f ${WORKING_DIR}/${component}.crt ] || ! openssl x509 -checkend 0 -noout -in ${WORKING_DIR}/${component}.crt; then
generate_cert_config $component $extensions
generate_request $component
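Review bot: The SAN check on the `grep -q "DNS:elasticsearch.${NAMESPACE}.svc"` line runs a regular expression over the whole `openssl x509 -text` dump, so each dot matches any character and the pattern can match inside a longer name or outside the Subject Alternative Name section. Using `grep -qF` with the literal name, or limiting the openssl output to the SAN extension, would make the check do what the TRACING-1631 comment says. `REGENERATE_NEEDED=$?` also stores grep's raw exit status while the next condition only tests `= 1`, so a status of 2 would skip regeneration; writing it as `if ! openssl ... | grep -q ...; then REGENERATE_NEEDED=1; fi` avoids that and stays safe if the script is run with `set -e`. The new check reads `logging-es.crt` while the existing expiry check reads `${component}.crt`, which deserves a one-line comment explaining the different file name, and `$REGENERATE_NEEDED` and `${WORKING_DIR}` should be quoted inside the `[ ... ]` tests so an empty value or a path with spaces does not break them.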