Module: check_mk
Branch: master
Commit: 9e00cf47a30f28dad94ce11c4c91bcf0bcacac8e
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=9e00cf47a30f28…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Jun 21 18:32:32 2017 +0200
4891 FIX Trusted CA certificate file is now updated during all WATO activations
The trusted CA file (var/ssl/ca-certificates.crt) which is needed for validating
SSL certificates e.g. when doing WATO syncs or using SSL during monitoring is now
written during each WATO activation, regardless of the changes which are activated.
Change-Id: Ia85ef320cfd7a32d1981aeffacc8573b660d5b2e
---
.werks/4891 | 13 +++++++++++++
web/htdocs/watolib.py | 29 ++++++++++++++++++++++++-----
2 files changed, 37 insertions(+), 5 deletions(-)
diff --git a/.werks/4891 b/.werks/4891
new file mode 100644
index 0000000..3bafee7
--- /dev/null
+++ b/.werks/4891
@@ -0,0 +1,13 @@
+Title: Trusted CA certificate file is now updated during all WATO activations
+Level: 1
+Component: wato
+Class: fix
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.5.0i1
+Date: 1498061583
+
+The trusted CA file (var/ssl/ca-certificates.crt) which is needed for validating
+SSL certificates e.g. when doing WATO syncs or using SSL during monitoring is now
+written during each WATO activation, regardless of the changes which are activated.
diff --git a/web/htdocs/watolib.py b/web/htdocs/watolib.py
index d138830..f96f4d0 100644
--- a/web/htdocs/watolib.py
+++ b/web/htdocs/watolib.py
@@ -258,6 +258,7 @@ def get_number_of_pending_changes():
class ConfigDomain(object):
needs_sync = True
needs_activation = True
+ always_activate = False
ident = None
in_global_settings = True
@@ -280,6 +281,11 @@ class ConfigDomain(object):
@classmethod
+ def get_always_activate_domain_idents(cls):
+ return [ d.ident for d in cls.all_classes() if d.always_activate ]
+
+
+ @classmethod
def get_class(cls, ident):
for domain_class in cls.all_classes():
if domain_class.ident == ident:
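Review bot: The new classmethod get_always_activate_domain_idents and the `always_activate` flag it reads (added to ConfigDomain in the previous hunk) are undocumented, although setting the flag makes a domain's activate() run on every activation regardless of which changes are pending. I would add a docstring such as `"""Return the idents of all domains whose activate() must run on every activation."""`. On the base attribute I would add the comment `# True: activate() runs on every activation, even without pending changes for this domain`. get_class continues outside this hunk.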
@@ -399,6 +405,7 @@ class ConfigDomainEventConsole(ConfigDomain):
class ConfigDomainCACertificates(ConfigDomain):
needs_sync = True
needs_activation = True
+ always_activate = True # Execute this on all sites on all activations
ident = "ca-certificates"
trusted_cas_file = "%s/var/ssl/ca-certificates.crt" % cmk.paths.omd_root
@@ -423,23 +430,33 @@ class ConfigDomainCACertificates(ConfigDomain):
return os.path.join(self.config_dir(), "ca-certificates.mk")
+ def save(self, settings, site_specific=False):
+ super(ConfigDomainCACertificates, self).save(settings,
site_specific=site_specific)
+
+ # We need to activate this immediately to make syncs to WATO slave sites
+ # possible right after changing the option
+ configuration_warnings =
self._update_trusted_cas(settings["trusted_certificate_authorities"])
+ if configuration_warnings:
+ raise MKUserError(None, ", ".join(configuration_warnings))
+
+
def activate(self):
try:
- return self._update_trusted_cas()
+ return self._update_trusted_cas(config.trusted_certificate_authorities)
except Exception, e:
log_exception()
return ["Failed to create trusted CA file '%s': %s" %
(self.trusted_cas_file, traceback.format_exc())]
- def _update_trusted_cas(self):
+ def _update_trusted_cas(self, current_config):
trusted_cas, errors = [], []
- if config.trusted_certificate_authorities["use_system_wide_cas"]:
+ if current_config["use_system_wide_cas"]:
trusted, errors = self._get_system_wide_trusted_ca_certificates()
trusted_cas += trusted
- trusted_cas += config.trusted_certificate_authorities["trusted_cas"]
+ trusted_cas += current_config["trusted_cas"]
store.save_file(self.trusted_cas_file, "\n".join(trusted_cas))
return errors
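Review bot: The new save() indexes `settings["trusted_certificate_authorities"]` unconditionally, and it raises MKUserError only after super().save() has stored the settings and _update_trusted_cas() has already rewritten the trusted CA file. If save() can be called with a settings dict that lacks this key (site-specific or partial settings, which is not visible here), it fails with a KeyError after the settings were persisted. The warnings it raises on come only from reading the system-wide CAs, so the user is shown an error for a trust-store change that has in fact taken effect. Consider `ca_settings = settings.get("trusted_certificate_authorities")` followed by `if ca_settings is not None:` around the update, and wording the message so it does not suggest the save was rejected. The class body starts outside this hunk.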
@@ -5326,8 +5343,10 @@ class ActivateChangesSite(multiprocessing.Process,
ActivateChanges):
def execute_activate_changes(domains):
+ domains = set(domains).union(ConfigDomain.get_always_activate_domain_idents())
+
results = {}
- for domain in domains:
+ for domain in sorted(domains):
domain_class = ConfigDomain.get_class(domain)
warnings = domain_class().activate()
results[domain] = warnings or []
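Review bot: `for domain in sorted(domains)` replaces the caller's order with alphabetical ident order, so "ca-certificates" now tends to run ahead of the other domains. If any caller relied on the order it passed in (not visible here), that is a silent behaviour change and deserves a comment such as `# Activation order is alphabetical by ident; domains must not depend on each other`. The union also means `results` always carries a "ca-certificates" entry that the caller did not request. When that domain fails, the entry holds the full `traceback.format_exc()` text from activate() in the previous hunk, so it is worth checking where these warnings are displayed. The end of execute_activate_changes is outside this hunk.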