authorBjørn Christian Seime <bjorncs@oath.com>2018-07-10 14:32:25 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-07-10 14:32:25 +0200
commit7f36ffc2591fa0922d20fdc92209726382168338 (patch)
treeaba2b59caacd0e70bc9c94520b48f610a495af0a /node-admin
parent3a1f9c04caed3bb78d32f49ee44e238de322823a (diff)
Re-register instance when certificate is revoked
Diffstat (limited to 'node-admin')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java7
1 files changed, 7 insertions, 0 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index ff85c49bb13..dcc2c50e602 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -7,6 +7,7 @@ import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient;
import com.yahoo.vespa.athenz.client.zts.InstanceIdentity;
import com.yahoo.vespa.athenz.client.zts.ZtsClient;
+import com.yahoo.vespa.athenz.client.zts.ZtsClientException;
import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient;
@@ -201,6 +202,12 @@ public class AthenzCredentialsMaintainer {
csr);
writePrivateKeyAndCertificate(keyPair.getPrivate(), instanceIdentity.certificate());
log.info("Instance successfully refreshed and credentials written to file");
+ } catch (ZtsClientException e) {
+ // TODO Find out why certificate was revoked and hopefully remove this workaround
+ if (e.getErrorCode() == 403 && e.getDescription().startsWith("Certificate revoked")) {
+ log.error("Certificate cannot be refreshed as it is revoked by ZTS - re-registering the instance now", e);
+ registerIdentity();
+ }
} catch (IOException e) {
throw new UncheckedIOException(e);
}
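Review bot: Any ZtsClientException that is not the 403 "Certificate revoked" case is now swallowed by the new catch block at line 32: it is neither logged nor rethrown, so a refresh that fails for any other reason quietly leaves the old credentials on disk until the next maintenance run, where before this change the exception propagated out of the method. Add a rethrow for the non-matching case and a null guard on the description, e.g. `if (e.getErrorCode() != 403 || e.getDescription() == null || !e.getDescription().startsWith("Certificate revoked")) throw e;` placed before the log/re-register lines (assuming ZtsClientException is unchecked, which the pre-change code suggests). Note also that `registerIdentity()` runs inside this catch and is not covered by the sibling `catch (IOException e)` below, so if it can throw IOException that path needs its own handling. Finally, re-registering automatically on revocation turns a revocation — which normally signals a compromised or intentionally disabled identity — into a self-healing path that needs no operator involvement; the TODO on line 33 should be treated as a security follow-up, and a comment such as `// NOTE: bypasses the revocation decision; ZTS must independently refuse re-registration of disabled instances` would make that explicit. The enclosing method's signature and the rest of its body are outside the hunk.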