[#MCOL-5454] cmapi self-signed cert are expired after one year.. which leads to "Connection refused" messages

[MCOL-5454] cmapi self-signed cert are expired after one year.. which leads to "Connection refused" messages Created: 2023-03-15 Updated: 2024-02-06
Status:	Stalled
Project:	MariaDB ColumnStore
Component/s:	cmapi
Affects Version/s:	23.02, 22.08.7
Fix Version/s:	23.10

Type:

Bug

Priority:

Major

Reporter:

Richard Stracke

Assignee:

Alan Mologorsky

Resolution:

Unresolved

Votes:

Labels:

None

Description

cmapi creates a certification , which is valid for one year.

def create_self_signed_certificate():

[...]

    ).not_valid_after(

        datetime.utcnow() + timedelta(days=365)

If certification is expired, connections not possible anymore,
debug.log and campi log throw many connections errors.

ConnectionRefusedError: [Errno 111] Connection refused

 Could not connect to PMS0: Connection refused from PMS0

columnstore_review warn:

The certificate /usr/share/columnstore/cmapi/cmapi_server/self-signed.crt for cmapi https is expired.

Workarround:

delete the certs on the server (or whatever  path is defined in cmapi_server.conf)

/usr/share/columnstore/cmapi/self-signed.crt

/usr/share/columnstore/cmapi/self-signed.key

and

systemctl restart mariadb-columnstore-cmapi

node per node.

cmapi will automatically recreate the certs.

cmapi should check , if certification is expired.
campi should warn, if a certification will be expire soon.
Either certification should be postponed automatically
or campi should log this issue clearly.

Maybe the living time of a certification and if cmapi can be automatically entended can be configured in the cmapi configuration file.

Comments

Comment by JiraAutomate [ 2023-12-15 ]

Automated message:
----------------------------
Since this issue has not been updated since 6 weeks, it's time to move it back to Stalled.

Generated at Thu Feb 08 02:58:00 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.