[ifw-api] PS daemon: pick up new certificate once changed by Icinga

[Al2Klimov]

Current Behavior

(At least if you're not using tickets to sign Icinga cluster nodes,) Icinga will run with a self signed certificate until I do icinga2 ca sign .... Your PS daemon (having no choice) picks up the initial self signed certificate and runs with that until restarted. But its API clients such as

• Built-in check command: ifw-api icinga2#9062

Will require an actually Icinga CA signed certificate and complain/fail.

Expected Behavior

The PS daemon stat(2)s the certificate file either periodically or on hint from ReadDirectoryChangesW(). Changed? Reload!

Possible Solution

At least consider a KB entry in the upcoming version.

Steps to Reproduce (for bugs)

1. Install IfW as usual
2. Use no ticket
3. Never restart the PS daemon
4. Query IfW API

Context

• Built-in check command: ifw-api icinga2#9062
• CC @julianbrost

[LordHepipud]

Thank you for the issue. If you do not sign the certificate, the Icinga for Windows installer should print a warning during the activation of the REST-Api, that the certificate has not been signed yet.

Can you confirm this?

[Al2Klimov]

Not sure how this matters here. I know that I've signed the certificate not right now, but (say) one minute later. Icinga auto-picks up that signed cert, but AKAIK PSd doesn’t.