From bca36e2966c39a033b5fbf223cd234f28aad6bbc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Wed, 20 Sep 2023 18:18:31 +0200
Subject: [PATCH] Update self-signed job to regenerate the cert if the subject or the date has changed
---
 .../core/selfsigned/jobs/self-signed.py | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/common/core/selfsigned/jobs/self-signed.py b/src/common/core/selfsigned/jobs/self-signed.py
index 33ce23187..7f2a72de8 100755
--- a/src/common/core/selfsigned/jobs/self-signed.py
+++ b/src/common/core/selfsigned/jobs/self-signed.py
@@ -1,5 +1,8 @@
 #!/usr/bin/python3
+from datetime import timedelta
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
 from os import getenv, sep
 from os.path import join
 from pathlib import Path
@@ -52,7 +55,26 @@ def generate_cert(
 == 0
 ):
 logger.info(f"Self-signed certificate already present for {first_server}")
- return True, 0
+
+ certificate = x509.load_pem_x509_certificate(
+ self_signed_path.joinpath(f"{first_server}.pem").read_bytes(),
+ default_backend(),
+ )
+ if sorted(
+ attribute.rfc4514_string() for attribute in certificate.subject
+ ) != sorted(v for v in subj.split("/") if v):
+ logger.warning(
+ f"Subject of self-signed certificate for {first_server} is different from the one in the configuration, regenerating ..."
+ )
+ elif (
+ certificate.not_valid_after - certificate.not_valid_before
+ != timedelta(days=int(days))
+ ):
+ logger.warning(
+ f"Expiration date of self-signed certificate for {first_server} is different from the one in the configuration, regenerating ..."
+ )
+ else:
+ return True, 0
 logger.info(f"Generating self-signed certificate for {first_server}")
 if (
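Review bot: The subject check in the `if sorted(...)` branch compares `NameAttribute.rfc4514_string()` output with the raw `key=value` pieces of `subj`, but `rfc4514_string()` RFC 4514-escapes `,`, `+`, `"`, `\`, `<`, `>`, `;` and a leading `#` or space in values and renders attribute types it has no short name for (e.g. `emailAddress`) as a dotted OID with a `#hex` value, so a configured subject containing any of these never matches and the certificate is regenerated on every run. Comparing `(oid, value)` pairs from the parsed name against the configuration through an explicit short-name → `NameOID` table, as sketched below, avoids that escaping round-trip (an unknown key then fails loudly with `KeyError` instead of causing a silent perpetual mismatch). `x509.load_pem_x509_certificate` raises `ValueError` on a file that is not a parseable certificate, which here aborts the job rather than regenerating; unless the enclosing `if (... == 0)` condition, which starts outside the hunk, already validates the file, wrap the load in `try/except ValueError` and fall through to the regeneration path. `default_backend()` has been an ignored argument since cryptography 3.1, so it and its import can go. `generate_cert` starts and continues outside this hunk.

```python
        # … unchanged: "already present" log line …
        certificate = x509.load_pem_x509_certificate(
            self_signed_path.joinpath(f"{first_server}.pem").read_bytes()
        )
        # openssl -subj short names -> NameOID; extend if the config accepts more types
        name_oids = {
            "CN": x509.NameOID.COMMON_NAME,
            "O": x509.NameOID.ORGANIZATION_NAME,
            "OU": x509.NameOID.ORGANIZATIONAL_UNIT_NAME,
            "C": x509.NameOID.COUNTRY_NAME,
            "ST": x509.NameOID.STATE_OR_PROVINCE_NAME,
            "L": x509.NameOID.LOCALITY_NAME,
            "emailAddress": x509.NameOID.EMAIL_ADDRESS,
        }
        # compare raw values, not RFC 4514-escaped strings, so ',' or unknown types don't force a regen
        expected = sorted(
            (name_oids[key].dotted_string, value)
            for key, _, value in (v.partition("=") for v in subj.split("/") if v)
        )
        actual = sorted(
            (attribute.oid.dotted_string, attribute.value) for attribute in certificate.subject
        )
        if actual != expected:
            # … unchanged: subject-mismatch warning …
```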