mgr/cephadm: fixing generate_cert to pick the right root subject 63162/head
authorRedouane Kachach <rkachach@ibm.com>
Fri, 30 May 2025 13:33:30 +0000 (15:33 +0200)
committerKushal Deb <Kushal.Deb@ibm.com>
Tue, 3 Jun 2025 04:17:16 +0000 (09:47 +0530)
This cherry-picked change:
   Ensures upgrade safety by reusing the subject from the already-loaded root
   certificate instead of hardcoding a new one.
   (commit 918d0ac9ca6ef1b6e4308c3035e2dd7dd7afb4a9)

Signed-off-by: Redouane Kachach <rkachach@ibm.com>
Signed-off-by: Kushal Deb <Kushal.Deb@ibm.com>
src/pybind/mgr/cephadm/ssl_cert_utils.py

index 516f043f032efae7f1015eabd985caa9dba24021..558d850674f01f4dd5098b4170250f9794d414c2 100644 (file)
@@ -197,11 +197,8 @@ class SSLCerts:
         public_key = private_key.public_key()
 
         builder = x509.CertificateBuilder()
-        root_ca_name = x509.Name([
-            x509.NameAttribute(NameOID.COMMON_NAME, f'cephadm-root-{self.cluster_fsid}'),
-        ])
         builder = builder.subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, addrs[0]), ]))
-        builder = builder.issuer_name(root_ca_name)
+        builder = builder.issuer_name(self.get_root_issuer_name())
         builder = builder.not_valid_before(datetime.now())
         builder = builder.not_valid_after(datetime.now() + timedelta(days=self.certificate_duration_days))
         builder = builder.serial_number(x509.random_serial_number())
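Review bot: The new `builder.issuer_name(self.get_root_issuer_name())` line carries a constraint that is not written down: chain validation matches a leaf's issuer name against the CA's subject, so the issuer has to come from whichever root is actually loaded. A comment above it would keep the hard-coded name from being reintroduced, for example `# issuer must equal the loaded root cert's subject, which may differ from cephadm-root-<fsid> after an upgrade` (the upgrade case is inferred from the commit description). The call can now raise SSLConfigException after the key pair at the top of the hunk has already been derived, so resolving the issuer name first would fail earlier. The enclosing function starts and ends outside this hunk, so whether its callers handle that exception cannot be confirmed from here.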
@@ -298,6 +295,11 @@ class SSLCerts:
         except AttributeError:
             return ''
 
+    def get_root_issuer_name(self) -> x509.Name:
+        if not self.root_cert:
+            raise SSLConfigException("Root certificate not initialized.")
+        return self.root_cert.subject
+
     def get_root_key(self) -> str:
         try:
             return self.root_key.private_bytes(
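Review bot: The guard `if not self.root_cert:` in get_root_issuer_name may not cover the case it is written for. The getter just above it returns '' on AttributeError and get_root_key below opens with `try:`, which suggests root_cert and root_key can be unset attributes rather than None; the initializer is outside the hunk, so this is inferred. In that case an uninitialised SSLCerts would raise AttributeError here instead of SSLConfigException. Reading it with `root_cert = getattr(self, 'root_cert', None)` and testing `if root_cert is None:` would make the failure explicit. The method would also benefit from a one-line docstring such as `"""Return the subject of the loaded root certificate, used as issuer for certs signed by it."""`.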