Handle expired certificate

Lei Yu yulei.sh at bytedance.com
Tue Jun 28 19:28:54 AEST 2022


This email is to discuss a case in certificate-manager and bmcweb
about the expired certificate.

The issue could be described in the below steps:

1. If BMC starts when the time is invalid (e.g. the date is in 1970),
bmcweb will create a default certificate with hostname `testhost`;
2. In later reboots when BMC gets a valid time, the bmcweb loads the
certificate as before.
3. phosphor-certificate-manager will throw on this certificate because
it's expired. Then there is no DBus object created for this
certificate (`/xyz/openbmc_project/certs/server/https/1`)
4. Due to the missing DBus object:
 * We will not be able to replace the certificate, e.g. by below
Redfish URI: /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
 * When the BMC gets the hostname, bmcweb will generate a new
self-signed certificate with the hostname and replace it, the
replacement fails as well.

The problem is actually related to Redfish URI "ReplaceCertificate",
that is to replace an existing certificate.
If an existing certificate expires and is rejected by
certificate-manager, we won't be able to replace it because it's not
on DBus anymore.

A patch is sent to
https://gerrit.openbmc.org/c/openbmc/phosphor-certificate-manager/+/54947
to allow expired certificates, comments are welcome.

-- 
BRs,
Lei YU


More information about the openbmc mailing list