path: root/src/conf_mode/vpn_ipsec.py
author Christian Breunig <christian@breunig.cc> 2024-01-07 11:36:09 +0100
committer Christian Breunig <christian@breunig.cc> 2024-01-08 21:12:57 +0100
commit 4dfb14d509b962a437733406df225a55b4daf694
tree d55e45b949979997baca4ed22d62fea515302afc /src/conf_mode/vpn_ipsec.py
parent 1b85e7a9442aa71e2137df44747bd184c4a8b6de
pki: T5905: do not use expand_nodes=Diff.ADD|Diff.DELETE) in node_changed()

This fixes a priority inversion when doing initial certificate commits.

* pki subsystem is executed with priority 300
* vti uses priority 381
* ipsec uses priority 901

On commit pki.py will be executed first, detecting a change in dependencies for vpn_ipsec.py which will be executed second. The VTI interface was not yet created, leading to ConfigError('VTI interface XX for site-to-site peer YY does not exist!')

The issue is caused by this new line of code in commit b8db1a9d7ba ("pki: T5886: add support for ACME protocol (LetsEncrypt)") file src/conf_mode/pki.py line 139 which triggers the dependency update even if a key is newly added.

This commit changes the "detection" based on the certbot configuration on disk.

(cherry picked from commit 9162631f12ade65392ea2fa53642ea4af39627c7)

Diffstat (limited to 'src/conf_mode/vpn_ipsec.py')
0 files changed, 0 insertions, 0 deletions