It looks to me that the function stream_ssl_set_key_and_cert() in lib/stream-ssl.c is incorrect.
void
stream_ssl_set_key_and_cert(const char *private_key_file,
const char *certificate_file)
{
if (update_ssl_config(&private_key, private_key_file)
&& update_ssl_config(&certificate, certificate_file)) {
stream_ssl_set_certificate_file__(certificate_file);
stream_ssl_set_private_key_file__(private_key_file);
}
}
1. Say, the private key and the corresponding certificate file was replaced on the file system at T0 and T2 respectively.
2. At T1, the ovn-controller code calls update_ssl_config(private_key) and update_ssl_config(certificate_file)
2a: The first call to update_ssl_config(private_key) returns true and the file `mtime` is updated. The second call to update_ssl_config(certificate_file) returns False
3. At T3, the ovn-controller code calls to update_ssl_config(private_key) will return False, and the modified `certifcate file` will never be picked?
Because of 1 - 3 above, the new files will never be picked by the ovn-controller. What we have found is that if I delete both the files and then copy over the private key and certificate files, then it works. This may be because of how we handle the ENOENT case in update_ssl_config()
Regards,
~Girish