Add san for notary upgrading

if san not exists then remove that cert, prepare will regenerate one

Signed-off-by: DQ <dengq@vmware.com>

make/photon/prepare/utils/cert.py

@@ -56,6 +56,15 @@ def create_ext_file(cn, ext_filename):
     with open(ext_filename, 'w') as f:
         f.write("subjectAltName = DNS.1:{}".format(cn))
 
+def san_existed(cert_path):
+    try:
+        return len(subprocess.check_output(
+            ["/usr/bin/openssl", "x509", "-in",cert_path, "-noout", "-ext", "subjectAltName"]
+            )) > 0
+    except subprocess.CalledProcessError:
+        pass
+    return False
+
 @stat_decorator
 def create_cert(subj, ca_key, ca_cert, key_path="./k.key", cert_path="./cert.crt", extfile='extfile.cnf'):
     cert_dir = os.path.dirname(cert_path)

make/photon/prepare/utils/notary.py

@@ -1,6 +1,6 @@
 import os, shutil, pathlib
 from g import templates_dir, config_dir, root_crt_path, secret_key_dir, secret_dir, DEFAULT_UID, DEFAULT_GID
-from .cert import openssl_installed, create_cert, create_root_cert, get_alias, create_ext_file
+from .cert import openssl_installed, create_cert, create_root_cert, get_alias, create_ext_file, san_existed
 from .jinja import render_jinja
 from .misc import mark_file, prepare_dir
 
@@ -30,20 +30,32 @@ def prepare_env_notary(nginx_config_dir):
     signer_key_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer.key'))
     signer_ca_cert_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer-ca.crt'))
 
+
+
+    # If openssl installed, using it to check san existed in cert.
+    # Remove cert file if it not contains san
+    if signer_cert_secret_path.exists() and openssl_installed():
+        if not san_existed(signer_cert_secret_path):
+            signer_cert_secret_path.unlink(missing_ok=True)
+    if old_signer_cert_secret_path.exists() and openssl_installed():
+        if not san_existed(old_signer_cert_secret_path):
+            old_signer_cert_secret_path.unlink(missing_ok=True)
+
     # In version 1.8 the secret path changed
-    # If cert, key , ca all are exist in new place don't do anything
+    # If all cert, key and ca files are existed in new location don't do anything
+    # Or we should do the following logic
     if not(
         signer_cert_secret_path.exists() and
         signer_key_secret_path.exists() and
         signer_ca_cert_secret_path.exists()
         ):
-        # If the certs are exist in old place, move it to new place
+        # If the certs are exist in old localtion, move them to new location
         if old_signer_ca_cert_secret_path.exists() and old_signer_cert_secret_path.exists() and old_signer_key_secret_path.exists():
             print("Copying certs for notary signer")
             shutil.copy2(old_signer_ca_cert_secret_path, signer_ca_cert_secret_path)
             shutil.copy2(old_signer_key_secret_path, signer_key_secret_path)
             shutil.copy2(old_signer_cert_secret_path, signer_cert_secret_path)
-        # If certs neither exist in new place nor in the old place, create it and move it to new place
+        # If certs neither existed in new location nor in the old place, create it and move it to new location
         elif openssl_installed():
             try:
                 temp_cert_dir = os.path.join('/tmp', "cert_tmp")