From 3194615abaa504f4ea6d2064e9b6ed87fb17690d Mon Sep 17 00:00:00 2001
From: Moritz Kiemer
Date: Thu, 24 Oct 2024 22:37:09 +0200
Subject: [PATCH] cmk.messaging: immediately use new certificates
As soon as the certificates are stored on disk, clients (that have just been started) might use them to authenticate against RabbitMQ. To keep the chance of a missmatch as small as possible, we make the broker aware of them ASAP.
Change-Id: I46bf92af6fa60b085745a8ad5e05ee6cb9f9649f
---
 cmk/gui/watolib/broker_certificates.py | 2 ++
 packages/cmk-messaging/cmk/messaging/__init__.py | 2 ++
 packages/cmk-messaging/cmk/messaging/_config.py | 4 ++++
 3 files changed, 8 insertions(+)
diff --git a/cmk/gui/watolib/broker_certificates.py b/cmk/gui/watolib/broker_certificates.py
index 124634136b8..2b98f78d0de 100644
--- a/cmk/gui/watolib/broker_certificates.py
+++ b/cmk/gui/watolib/broker_certificates.py
@@ -31,6 +31,7 @@
 BrokerCertificates,
 ca_key_file,
 cacert_file,
+ clear_brokers_certs_cache,
 multisite_cert_file,
 site_cert_file,
 site_key_file,
@@ -188,5 +189,6 @@ def execute(self, api_request: BrokerCertificates) -> bool:
 store.save_bytes_to_file(site_key_file(paths.omd_root), api_request.key)
 cacert_file(paths.omd_root).unlink(missing_ok=True)
 ca_key_file(paths.omd_root).unlink(missing_ok=True)
+ clear_brokers_certs_cache()
 return True
diff --git a/packages/cmk-messaging/cmk/messaging/__init__.py b/packages/cmk-messaging/cmk/messaging/__init__.py
index 2ec62bfb5f4..f39980a4869 100644
--- a/packages/cmk-messaging/cmk/messaging/__init__.py
+++ b/packages/cmk-messaging/cmk/messaging/__init__.py
@@ -10,6 +10,7 @@
 BrokerCertificates,
 ca_key_file,
 cacert_file,
+ clear_brokers_certs_cache,
 get_local_port,
 multisite_ca_key_file,
 multisite_cacert_file,
@@ -44,6 +45,7 @@
 "ca_key_file",
 "Channel",
 "check_remote_connection",
+ "clear_brokers_certs_cache",
 "CMKConnectionError",
 "Connection",
 "ConnectionFailed",
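Review bot: In `execute` (cmk/gui/watolib/broker_certificates.py, second hunk) the new `clear_brokers_certs_cache()` call runs only after the site key has been written and both CA files have been unlinked, and it raises if `rabbitmqctl` exits non-zero or cannot be started. In that case the request fails instead of returning `True`, although the certificates on disk have already been replaced. Whether the broker can be stopped or unreachable at this point is not visible from the hunk, so the intended behaviour should at least be stated at the call site, e.g. `# Raises if rabbitmqctl fails; the new certificates are already on disk at this point.` If a failed cache clear must not fail the request, catch `subprocess.CalledProcessError` here and log it. The body of `execute` starts outside the hunk.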
diff --git a/packages/cmk-messaging/cmk/messaging/_config.py b/packages/cmk-messaging/cmk/messaging/_config.py
index 68bb3d77c5e..50ae7b97397 100644
--- a/packages/cmk-messaging/cmk/messaging/_config.py
+++ b/packages/cmk-messaging/cmk/messaging/_config.py
@@ -157,3 +157,7 @@ def _make_ssl_context(omd_root: Path) -> ssl.SSLContext:
 context.verify_mode = ssl.CERT_REQUIRED
 context.load_cert_chain(site_cert_file(omd_root), site_key_file(omd_root))
 return context
+
+
+def clear_brokers_certs_cache() -> None:
+ subprocess.check_output(["rabbitmqctl", "eval", "ssl:clear_pem_cache()."])
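Review bot: `clear_brokers_certs_cache` runs `rabbitmqctl` with no timeout and without capturing stderr, so an unresponsive broker node blocks the caller indefinitely and a failure surfaces as a `CalledProcessError` with no diagnostic text. Consider `subprocess.run(["rabbitmqctl", "eval", "ssl:clear_pem_cache()."], check=True, capture_output=True, timeout=CLEAR_CACHE_TIMEOUT)`, where `CLEAR_CACHE_TIMEOUT` is a placeholder for a constant the module would define. The function is exported from the package but has no docstring; something like `"""Make the running broker drop its cached PEM files so newly written certificates are used."""` would also tell callers that it raises when `rabbitmqctl` fails. The fixed argv list with no shell is the right shape for an `eval` call and should stay that way if the expression is ever parameterised. The hunk adds no `import subprocess`, so presumably the module already imports it.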