From fbd5851b9de889fb88df6f10310ea9051c75beb9 Mon Sep 17 00:00:00 2001
From: Martin Perina
Date: Mon, 8 Aug 2022 09:26:34 +0200
Subject: [PATCH] If engine CA is going to expire, skip checking other certificates

If engine CA is going to expired, then it doesn't make sense to check other certificates, because engine CA needs to be renewed first and then all other certificates should also be renewed.

Signed-off-by: Martin Perina
---
.../core/bll/CertificationValidityChecker.java | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CertificationValidityChecker.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CertificationValidityChecker.java
index 52f49e3c78e..cc9feda9d35 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CertificationValidityChecker.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CertificationValidityChecker.java
@@ -71,15 +71,18 @@ private void checkCertificationValidity() { AuditLogType.ENGINE_CA_CERTIFICATION_HAS_EXPIRED, AuditLogType.ENGINE_CA_CERTIFICATION_IS_ABOUT_TO_EXPIRE_ALERT, AuditLogType.ENGINE_CA_CERTIFICATION_IS_ABOUT_TO_EXPIRE, - null) - ^ !checkCertificate((X509Certificate) EngineEncryptionUtils.getCertificate(), - AuditLogType.ENGINE_CERTIFICATION_HAS_EXPIRED, - AuditLogType.ENGINE_CERTIFICATION_IS_ABOUT_TO_EXPIRE_ALERT, - AuditLogType.ENGINE_CERTIFICATION_IS_ABOUT_TO_EXPIRE, null)) { + // if engine CA is going to expire, then it needs to be renewed first and only then it makes sense + // to renew other certificates return; } + checkCertificate((X509Certificate) EngineEncryptionUtils.getCertificate(), + AuditLogType.ENGINE_CERTIFICATION_HAS_EXPIRED, + AuditLogType.ENGINE_CERTIFICATION_IS_ABOUT_TO_EXPIRE_ALERT, + AuditLogType.ENGINE_CERTIFICATION_IS_ABOUT_TO_EXPIRE, + null); + // ovirt-provider-ovn certificate doesn't exist if OVN service is disabled during setup checkOptionalCertificate(EngineLocalConfig.getInstance().getPKIOvirtProviderOVNCert(), AuditLogType.OVIRT_PROVIDER_OVN_CERTIFICATE_HAS_EXPIRED,
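Review bot: The early `return` after the engine CA check also skips the engine, ovirt-provider-ovn and any later certificate checks while the CA is only inside its warning window, if `checkCertificate` returns false for the about-to-expire cases as well as for actual expiry (its body is not in the hunk, so this is inferred from the three `AuditLogType` arguments). A certificate that has already expired in that period would then raise no audit event, so operators would see only the CA warning. If that is not intended, limit the early return to the has-expired case, or at least log that the remaining checks were skipped. The result of the engine certificate `checkCertificate(...)` call is now discarded; a comment such as `// result ignored on purpose: an expiring engine certificate must not stop the remaining checks` would make that explicit. `checkCertificationValidity()` starts before and continues after this hunk.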