From 7f36ffc2591fa0922d20fdc92209726382168338 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Tue, 10 Jul 2018 14:32:25 +0200
Subject: Re-register instance when certificate is revoked
---
.../admin/maintenance/identity/AthenzCredentialsMaintainer.java | 7 +++++++
1 file changed, 7 insertions(+)
(limited to 'node-admin')
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index ff85c49bb13..dcc2c50e602 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -7,6 +7,7 @@ import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient;
 import com.yahoo.vespa.athenz.client.zts.InstanceIdentity;
 import com.yahoo.vespa.athenz.client.zts.ZtsClient;
+import com.yahoo.vespa.athenz.client.zts.ZtsClientException;
 import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
 import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient;
@@ -201,6 +202,12 @@ public class AthenzCredentialsMaintainer {
 csr);
 writePrivateKeyAndCertificate(keyPair.getPrivate(), instanceIdentity.certificate());
 log.info("Instance successfully refreshed and credentials written to file");
+ } catch (ZtsClientException e) {
+ // TODO Find out why certificate was revoked and hopefully remove this workaround
+ if (e.getErrorCode() == 403 && e.getDescription().startsWith("Certificate revoked")) {
+ log.error("Certificate cannot be refreshed as it is revoked by ZTS - re-registering the instance now", e);
+ registerIdentity();
+ }
 } catch (IOException e) {
 throw new UncheckedIOException(e);
 }
--
cgit v1.2.3
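Review bot: A ZtsClientException that is not the 403 / "Certificate revoked" case is swallowed by the new catch block — the `if` has no else branch, so any other ZTS failure during refresh ends the try silently, with no log entry and no exception, as though the certificate had been refreshed. Rethrow it so the failure stays visible: `} else { throw e; }` after the `if` block (or at minimum `log.error(...)` it), matching how the neighbouring `catch (IOException e)` propagates its failure. The prefix match on `getDescription()` is brittle, as the TODO already concedes; a comment next to it noting that this branch re-acquires an identity automatically after ZTS revokes one — so a revocation is not a lasting denial for this node and the cause should be established before the workaround is kept — would help whoever revisits it. The enclosing try and method start and end outside this hunk, so if an outer handler already covers the swallowed case the first point does not apply.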