authorRob Austein <sra@hactrn.net>2009-01-21 20:35:39 +0000
committerRob Austein <sra@hactrn.net>2009-01-21 20:35:39 +0000
commit59985269c29a7e57ade19a3525171f86dc709fca (patch)
tree406e0a3b78c09caf6704d048affa76c7a07fe711 /rpkid
parent20c6ec811341d52fab3c4a2c203af0f83182379c (diff)
More certificate regeneration issues
svn path=/rpkid/rootd.py; revision=2272
Diffstat (limited to 'rpkid')
-rwxr-xr-xrpkid/rootd.py7
-rw-r--r--rpkid/rpki/rpki_engine.py3
-rw-r--r--rpkid/testbed.5.yaml2
3 files changed, 8 insertions, 4 deletions
diff --git a/rpkid/rootd.py b/rpkid/rootd.py
index cccf4805..61580956 100755
--- a/rpkid/rootd.py
+++ b/rpkid/rootd.py
@@ -66,11 +66,12 @@ def set_subject_pkcs10(pkcs10):
f.close()
def issue_subject_cert_maybe():
+ now = rpki.sundial.now()
subject_cert = get_subject_cert()
if subject_cert is not None:
- if not subject_cert.expired():
+ if subject_cert.getNotAfter() > now + rpki_subject_regen:
return subject_cert
- rpki.log.debug("Subject certificate has expired")
+ rpki.log.debug("Subject certificate has reached expiration threshold, regenerating")
pkcs10 = get_subject_pkcs10()
if pkcs10 is None:
rpki.log.debug("No saved PKCS #10 request")
@@ -80,7 +81,6 @@ def issue_subject_cert_maybe():
req_key = pkcs10.getPublicKey()
req_sia = pkcs10.get_SIA()
crldp = rpki_base_uri + rpki_root_crl
- now = rpki.sundial.now()
subject_cert = rpki_root_cert.issue(
keypair = rpki_root_key,
subject_key = req_key,
@@ -245,6 +245,7 @@ rpki_subject_cert = cfg.get("rpki-subject-cert", "Subroot.cer")
rpki_subject_pkcs10 = cfg.get("rpki-subject-pkcs10", "Subroot.pkcs10")
rpki_subject_lifetime = rpki.sundial.timedelta.parse(cfg.get("rpki-subject-lifetime", "30d"))
+rpki_subject_regen = rpki.sundial.timedelta.parse(cfg.get("rpki-subject-regen", rpki_subject_lifetime.convert_to_seconds() / 2))
rpki.https.server(server_key = rootd_bpki_key,
server_cert = rootd_bpki_cert,
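Review bot: The default for rpki-subject-regen in the last hunk is a number (`rpki_subject_lifetime.convert_to_seconds() / 2`) while the neighbouring rpki-subject-lifetime default is the string `"30d"`, and both are fed to `rpki.sundial.timedelta.parse()`; if parse() only accepts the string grammar, the unconfigured case fails at startup. Formatting the default in the same grammar, e.g. `"%ds" % (rpki_subject_lifetime.convert_to_seconds() / 2)`, would keep a single code path, assuming the parser accepts a seconds suffix, which this page does not show. There is also no check that the regen margin is shorter than the lifetime: with regen >= lifetime the new comparison in issue_subject_cert_maybe (first hunk) is false immediately after issuance and every call reissues the subject certificate, so a one-line sanity check after the assignment, such as `if rpki_subject_regen >= rpki_subject_lifetime: raise RuntimeError("rpki-subject-regen must be shorter than rpki-subject-lifetime")`, would prevent that. The first hunk's new comparison would also benefit from a comment like `# Reissue once less than rpki_subject_regen remains before notAfter`; issue_subject_cert_maybe continues beyond that hunk, and the second hunk only relocates the `now` assignment.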
diff --git a/rpkid/rpki/rpki_engine.py b/rpkid/rpki/rpki_engine.py
index 1185f4ce..a49121c1 100644
--- a/rpkid/rpki/rpki_engine.py
+++ b/rpkid/rpki/rpki_engine.py
@@ -633,6 +633,9 @@ class ca_detail_obj(rpki.sql.sql_persistant):
route_origins = [r for r in self.route_origins() if r.cert is not None and r.roa is not None]
+ if self.latest_manifest_cert is None or self.latest_manifest_cert.getNotAfter() < nextUpdate:
+ self.generate_manifest_cert(ca)
+
certs = [(c.uri_tail(), c.cert) for c in self.child_certs()] + \
[(r.roa_uri_tail(), r.roa) for r in route_origins] + \
[(r.ee_uri_tail(), r.cert) for r in route_origins] + \
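Review bot: The manifest EE certificate is regenerated only when its notAfter is strictly before nextUpdate (`<` on the first added line), so a certificate expiring exactly at nextUpdate is kept and the manifest it signs is valid precisely until its signer expires, with no margin; `<=`, or a regen margin like the one rootd.py gains in this same commit, would be safer. A comment stating the intent above the check, e.g. `# The manifest EE cert must outlive this manifest's nextUpdate; reissue it otherwise`, would help the next reader. The enclosing method of ca_detail_obj starts and ends outside the hunk, and the check relies on generate_manifest_cert(ca) refreshing self.latest_manifest_cert before the certs list is built, which is not visible here.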
diff --git a/rpkid/testbed.5.yaml b/rpkid/testbed.5.yaml
index 7c06ede2..bb2a20f5 100644
--- a/rpkid/testbed.5.yaml
+++ b/rpkid/testbed.5.yaml
@@ -19,7 +19,7 @@ rootd:
name: RIR
crl_interval: 1m30s
regen_margin: 2m
-valid_for: 2m30s
+valid_for: 1h
kids:
- name: R0
kids: