Closed
Description
I'm on XAPI 24.19.2, to which I applied this fix so that the new fingerprint fields are filled.
However, this wasn't enough, and after a XAPI restart I still have a certificate for which these fields are empty:
```
[19:25 xcpng-ci-83-a1 ~]# xe certificate-param-list uuid=fd7be45e-f6f2-8f39-cf9d-ef6c86e9fc82
uuid ( RO) : fd7be45e-f6f2-8f39-cf9d-ef6c86e9fc82
type ( RO): ca
name ( RO): sdn-controller-ca.pem
host ( RO): <not in database>
not-before ( RO): 20210301T17:42:44Z
not-after ( RO): 20480716T17:42:44Z
fingerprint ( RO): 28:41:71:99:BF:C0:AD:7A:25:01:43:FE:6E:54:7F:26:77:04:28:83:B0:0C:4C:61:A6:C1:D7:CB:FF:B3:DD:E4
fingerprint_sha256 ( RO):
fingerprint_sha1 ( RO):
```
I'm not very good at reading OCaml changesets, but it looks like #5786 left aside user certificates and only fixed host certificates.
It turns out this has real consequences, as our automated tests detected. Consider the following scenario.
- Pool A was regularly updated. It has one or several user certificates, whose `fingerprint_sha256` field remains empty.
- A new host, B1, was freshly installed and also has the same user certificates.
- The user wants to join B1 to Pool A.
- XAPI performs sanity checks on certificates, and notably it checks that certificates are consistent: a certificate present on both pools with the same name must have the same fingerprint. But recently you started checking the `fingerprint_sha256`, which is empty on pool A and not empty in host B1. The check fails, and the pool join fails with: "The host joining the pool has different CA certificates from the pool coordinator while using the same name, uninstall them and try again".
The relevant code for this check is here: https://github.com/xapi-project/xen-api/blob/master/ocaml/xapi/xapi_pool.ml#L764
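The scenario above, modelled as an added example (illustrative code, not xapi's own check from `xapi_pool.ml`): certificate records are constructed from the `xe certificate-param-list` output in the issue, a strict comparison of `fingerprint_sha256` reproduces the join failure when the coordinator's field was never backfilled, and a tolerant comparison plus a backfill helper show two ways a defender could avoid the false mismatch. The value assumed for B1's `fingerprint_sha256` and the DER bytes used for backfilling are constructed.

```python
import hashlib

# Constructed records modelled on the issue's `xe certificate-param-list` output.
LEGACY_FP = ("28:41:71:99:BF:C0:AD:7A:25:01:43:FE:6E:54:7F:26:"
             "77:04:28:83:B0:0C:4C:61:A6:C1:D7:CB:FF:B3:DD:E4")
POOL_A = [{"name": "sdn-controller-ca.pem", "type": "ca",
           "fingerprint": LEGACY_FP, "fingerprint_sha256": ""}]   # never backfilled
HOST_B1 = [{"name": "sdn-controller-ca.pem", "type": "ca",
            "fingerprint": LEGACY_FP,
            "fingerprint_sha256": LEGACY_FP}]  # assumption: filled on fresh install


def _by_name(certs):
    return {c["name"]: c for c in certs if c["type"] == "ca"}


def strict_mismatches(pool, joiner):
    """Names present on both sides whose fingerprint_sha256 differ.
    Reproduces the failure: an empty field on the pool side never matches."""
    p, j = _by_name(pool), _by_name(joiner)
    return sorted(n for n in p.keys() & j.keys()
                  if p[n]["fingerprint_sha256"] != j[n]["fingerprint_sha256"])


def tolerant_mismatches(pool, joiner):
    """Compare fingerprint_sha256 only when both sides have it populated;
    otherwise fall back to the legacy `fingerprint` field, which is set on both."""
    p, j = _by_name(pool), _by_name(joiner)
    bad = []
    for n in p.keys() & j.keys():
        a, b = p[n]["fingerprint_sha256"], j[n]["fingerprint_sha256"]
        if not (a and b):
            a, b = p[n]["fingerprint"], j[n]["fingerprint"]
        if a != b:
            bad.append(n)
    return sorted(bad)


def xe_sha256_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, formatted like xe (upper-case, colon-separated)."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def backfill(certs, der_by_name):
    """Fill empty fingerprint_sha256 fields from the certificate bytes (constructed input)."""
    for c in certs:
        if not c["fingerprint_sha256"] and c["name"] in der_by_name:
            c["fingerprint_sha256"] = xe_sha256_fingerprint(der_by_name[c["name"]])
    return certs
```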