author | Christian Breunig <christian@breunig.cc> | 2024-01-07 11:36:09 +0100 |
---|---|---|
committer | Christian Breunig <christian@breunig.cc> | 2024-01-08 21:12:57 +0100 |
commit | 4dfb14d509b962a437733406df225a55b4daf694 (patch) | |
tree | d55e45b949979997baca4ed22d62fea515302afc /src/op_mode/vpn_ike_sa.py | |
parent | 1b85e7a9442aa71e2137df44747bd184c4a8b6de (diff) | |

pki: T5905: do not use expand_nodes=Diff.ADD|Diff.DELETE) in node_changed()

This fixes a priority inversion when doing initial certificate commits.

* pki subsystem is executed with priority 300
* vti uses priority 381
* ipsec uses priority 901

On commit pki.py will be executed first, detecting a change in dependencies
for vpn_ipsec.py which will be executed second. The VTI interface was not yet
created, leading to ConfigError('VTI interface XX for site-to-site peer YY does
not exist!')

The issue is caused by this new line of code in commit b8db1a9d7ba ("pki:
T5886: add support for ACME protocol (LetsEncrypt)") file src/conf_mode/pki.py
line 139 which triggers the dependency update even if a key is newly added.

This commit changes the "detection" based on the certbot configuration on disk.

(cherry picked from commit 9162631f12ade65392ea2fa53642ea4af39627c7)

Diffstat (limited to 'src/op_mode/vpn_ike_sa.py')
0 files changed, 0 insertions, 0 deletions