From a6cde364c57f787de2f8829d56a111a59869ce0f Mon Sep 17 00:00:00 2001
From: Kevin Earls
Date: Thu, 12 Nov 2020 18:07:17 +0100
Subject: [PATCH] Force cert regeneration for self prov elasticsearch instances if SAN is invalid

Signed-off-by: Kevin Earls
---
 scripts/cert_generation.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/scripts/cert_generation.sh b/scripts/cert_generation.sh
index 1ae424a56..3b2e984ec 100644
--- a/scripts/cert_generation.sh
+++ b/scripts/cert_generation.sh
@@ -207,6 +207,12 @@ function generate_certs() {
 local component=$1
 local extensions=${2:-}
 
+ # For TRACING-1631 - if we can't find the namespace in the cert it's bad, regenerate everything
+ if [ $REGENERATE_NEEDED = 0 ] && [ "${component}" == "elasticsearch" ] && [ -f ${WORKING_DIR}/logging-es.crt ] ; then
+ openssl x509 -in ${WORKING_DIR}/logging-es.crt -text | grep -q "DNS:elasticsearch.${NAMESPACE}.svc"
+ REGENERATE_NEEDED=$?
+ fi
+
 if [ $REGENERATE_NEEDED = 1 ] || [ ! -f ${WORKING_DIR}/${component}.crt ] || ! openssl x509 -checkend 0 -noout -in ${WORKING_DIR}/${component}.crt; then
 generate_cert_config $component $extensions
 generate_request $component
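Review bot: The added SAN check stores the raw pipeline status in `REGENERATE_NEEDED`, so any status other than 0 or 1 (grep exits 2 on error) satisfies neither this `= 0` test nor the later `= 1` test. If the script runs under `set -e` (not visible in this hunk), a non-matching grep would also abort the script before the assignment is reached. The pattern is a regex in which each `.` matches any character, so a fixed-string match is the stricter test for deciding whether the certificate covers this namespace. Inside the existing guard I would write `if ! openssl x509 -in "${WORKING_DIR}/logging-es.crt" -noout -text | grep -qF "DNS:elasticsearch.${NAMESPACE}.svc"; then REGENERATE_NEEDED=1; fi`, and quote `"$REGENERATE_NEEDED"` and the `-f` path in the guard itself. The body of generate_certs continues outside the hunk.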