authorRob Austein <sra@hactrn.net>2014-06-25 18:19:23 +0000
committerRob Austein <sra@hactrn.net>2014-06-25 18:19:23 +0000
commit5f49da2642b283057db06e0aff1e8635f80dd1f8 (patch)
treeee1fd99cef784b550e1677c49b7a43b6848786bb
parentdf573c1d04192191476b778921b83b927da72747 (diff)
Don't regenerate EE certificates for validity expiration when the
expiration date hasn't changed and we'd just be doing the same thing again on the next cron cycle. See #704. svn path=/trunk/; revision=5873
-rw-r--r--rpki/rpkid.py16
1 files changed, 13 insertions, 3 deletions
diff --git a/rpki/rpkid.py b/rpki/rpkid.py
index 5e7d2a79..36ee2ea9 100644
--- a/rpki/rpkid.py
+++ b/rpki/rpkid.py
@@ -1262,7 +1262,9 @@ class ca_detail_obj(rpki.sql.sql_persistent):
if nextUpdate is None:
nextUpdate = now + crl_interval
- if self.latest_manifest_cert is None or self.latest_manifest_cert.getNotAfter() < nextUpdate:
+ if (self.latest_manifest_cert is None or
+ (self.latest_manifest_cert.getNotAfter() < nextUpdate and
+ self.latest_manifest_cert.getNotAfter() < self.latest_ca_cert.getNotAfter())):
logger.debug("Generating EE certificate for %s", uri)
self.generate_manifest_cert()
logger.debug("Latest CA cert notAfter %s, new %s EE notAfter %s",
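Review bot: When the manifest EE certificate already runs to the CA certificate's notAfter but falls short of `nextUpdate`, the new condition skips regeneration without logging anything, whereas the ROA and Ghostbuster hunks in this commit emit a warning in the equivalent case. Presumably the manifest is then issued under an EE certificate that expires before `nextUpdate`, which relying parties will eventually treat as a stale or invalid manifest, so the operator should get the same signal here. I would add a branch after the `if` body (which ends outside this hunk) along the lines of `elif self.latest_manifest_cert.getNotAfter() < nextUpdate: logger.warning("Manifest EE certificate for %s expires before nextUpdate %s but issuer expires no later, can't regenerate", uri, nextUpdate)`. Binding `self.latest_manifest_cert.getNotAfter()` to a local once would also make the three-line condition easier to read.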
@@ -1796,12 +1798,16 @@ class roa_obj(rpki.sql.sql_persistent):
logger.debug("ca_detail associated with %r not active (state %s), regenerating", self, ca_detail.state)
return self.regenerate(publisher = publisher, fast = fast)
+ now = rpki.sundial.now()
regen_time = self.cert.getNotAfter() - rpki.sundial.timedelta(seconds = self.self.regen_margin)
- if rpki.sundial.now() > regen_time:
+ if now > regen_time and self.cert.getNotAfter() < ca_detail.latest_ca_cert.getNotAfter():
logger.debug("%r past threshold %s, regenerating", self, regen_time)
return self.regenerate(publisher = publisher, fast = fast)
+ if now > regen_time:
+ logger.warning("%r is past threshold %s but so is issuer %r, can't regenerate", self, regen_time, ca_detail)
+
ca_resources = ca_detail.latest_ca_cert.get_3779resources()
ee_resources = self.cert.get_3779resources()
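Review bot: The warning text "but so is issuer" does not match the test that guards it: the check is `self.cert.getNotAfter() < ca_detail.latest_ca_cert.getNotAfter()`, so the skipped case is "EE certificate already expires no earlier than the issuer", and nothing here compares the issuer against a threshold. The message also leaves out both expiry times, which is what someone reading the log needs to see how long the ROA has left before it stops validating. Something like `logger.warning("%r is past threshold %s but notAfter %s is not earlier than issuer %r notAfter %s, can't regenerate", self, regen_time, self.cert.getNotAfter(), ca_detail, ca_detail.latest_ca_cert.getNotAfter())` would cover both. The ghostbuster_obj hunk below repeats the same block with `self.ca_detail`, so the wording fix applies there too, and the shared check looks like a candidate for one helper.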
@@ -2047,12 +2053,16 @@ class ghostbuster_obj(rpki.sql.sql_persistent):
logger.debug("Ghostbuster record doesn't exist, generating")
return self.generate(publisher = publisher, fast = fast)
+ now = rpki.sundial.now()
regen_time = self.cert.getNotAfter() - rpki.sundial.timedelta(seconds = self.self.regen_margin)
- if rpki.sundial.now() > regen_time:
+ if now > regen_time and self.cert.getNotAfter() < self.ca_detail.latest_ca_cert.getNotAfter():
logger.debug("%r past threshold %s, regenerating", self, regen_time)
return self.regenerate(publisher = publisher, fast = fast)
+ if now > regen_time:
+ logger.warning("%r is past threshold %s but so is issuer %r, can't regenerate", self, regen_time, self.ca_detail)
+
if self.cert.get_AIA()[0] != self.ca_detail.ca_cert_uri:
logger.debug("%r AIA changed, regenerating", self)
return self.regenerate(publisher = publisher, fast = fast)