If engine CA is going to expire, skip checking other certificates

If engine CA is going to expired, then it doesn't make sense to check
other certificates, because engine CA needs to be renewed first and then
all other certificates should also be renewed.

Signed-off-by: Martin Perina <[email protected]>

backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CertificationValidityChecker.java

@@ -71,15 +71,18 @@ private void checkCertificationValidity() {
                     AuditLogType.ENGINE_CA_CERTIFICATION_HAS_EXPIRED,
                     AuditLogType.ENGINE_CA_CERTIFICATION_IS_ABOUT_TO_EXPIRE_ALERT,
                     AuditLogType.ENGINE_CA_CERTIFICATION_IS_ABOUT_TO_EXPIRE,
-                    null)
-                    ^ !checkCertificate((X509Certificate) EngineEncryptionUtils.getCertificate(),
-                    AuditLogType.ENGINE_CERTIFICATION_HAS_EXPIRED,
-                    AuditLogType.ENGINE_CERTIFICATION_IS_ABOUT_TO_EXPIRE_ALERT,
-                    AuditLogType.ENGINE_CERTIFICATION_IS_ABOUT_TO_EXPIRE,
                     null)) {
+                // if engine CA is going to expire, then it needs to be renewed first and only then it makes sense
+                // to renew other certificates
                 return;
             }
 
+            checkCertificate((X509Certificate) EngineEncryptionUtils.getCertificate(),
+                    AuditLogType.ENGINE_CERTIFICATION_HAS_EXPIRED,
+                    AuditLogType.ENGINE_CERTIFICATION_IS_ABOUT_TO_EXPIRE_ALERT,
+                    AuditLogType.ENGINE_CERTIFICATION_IS_ABOUT_TO_EXPIRE,
+                    null);
+
             // ovirt-provider-ovn certificate doesn't exist if OVN service is disabled during setup
             checkOptionalCertificate(EngineLocalConfig.getInstance().getPKIOvirtProviderOVNCert(),
                     AuditLogType.OVIRT_PROVIDER_OVN_CERTIFICATE_HAS_EXPIRED,