Allow for expired certificate
The code throws for an expired certificate, which results in the below
behavior:
1. If BMC starts when the time is invalid (e.g. the date is in 1970),
bmcweb will create a default certificate with hostname `testhost`;
2. In later reboots when the BMC gets a valid time, the bmcweb loads the
certificate as before. But phosphor-certificate-manager will throw on
this certificate. Then there is no DBus object created for this
certificate (`/xyz/openbmc_project/certs/server/https/1`)
3. Due to the missing DBus object:
* We will not be able to replace the certificate, e.g. by the below
Redfish URI:
```
/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
```
* When the BMC gets the hostname, bmcweb will generate a new
self-signed certificate with the hostname and replace it; the
replacement fails as well.
This commit adds a config option that allows the expired certificate to
be created on DBus and fixes the above issues and it is enabled by
default.
Signed-off-by: Lei YU <yulei.sh@bytedance.com>
Change-Id: Ib02bd686c9bfeb6401b269af20856824647f54c5
diff --git a/meson_options.txt b/meson_options.txt
index 18190e3..d29c2f9 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -26,3 +26,9 @@
value: 'trust_bundle',
description: 'File name of the authorities list',
)
+
+option('allow-expired',
+ type: 'feature',
+ value: 'enabled',
+ description: 'Allow expired certificates',
+)
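Review bot: the `description` of the new `allow-expired` option, 'Allow expired certificates', does not say what is being allowed or why the relaxed setting is the default (`value: 'enabled'`). Per the commit message the intent is narrow: let an expired certificate be created on DBus so that it can still be replaced. Suggest stating that in the description, for example 'Allow expired certificates to be created on DBus so they can be replaced', so that integrators do not read the option as a general relaxation of validity checking. Because the option ships enabled, it is also worth documenting next to it how to disable it for builds that want the previous behaviour of throwing on an expired certificate.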