Feature #7962

Warn when a certificate approaches the expiration date

Added by Jacob Helwig 11 months ago. Updated 11 months ago.

Status: Accepted
Start date: 06/16/2011
Priority: High
Due date:
Assignee: -
% Done: 0%
Category: Doh!
Target version: 2.7.x
Affected Puppet version:
Branch:
Keywords:
Votes: 4

Description

It’s especially troublesome if the CA or master certificate expires without any real warning. We should be warning in the logs (possibly reports, too?) if any of the certificates (CA, master, agent) are approaching their expiration date.

History

Updated by Jacob Helwig 11 months ago

First guess at how far out to warn about expiring certificates is 3 months, but I’m definitely open to suggestions.

Also, the target version of 2.6.x is just a suggestion. I haven’t looked at how involved it would be to check this to generate the warning, and am open to pushing it back to 2.7.x, or Telly (though I think we should try pretty hard to get it into 2.6.x).

Updated by James Turnbull 11 months ago

I wonder if it’s worth reporting on agent certs expiring at all?

3 months seems reasonable and 2.6.x seems a reasonable target.

Updated by Jacob Helwig 11 months ago

  • Priority changed from Normal to High

I don’t think it can hurt to warn about the agent certs expiring, and seems like a reasonable thing to include in the report sent back to the master. The agent cert expiring isn’t anywhere near the same scale of problem, but it seems like a safety net worth having (even if it doesn’t warn to the same degree or start as far out).

Updated by James Turnbull 11 months ago

Report or log message or both?

Updated by Jacob Helwig 11 months ago

Given that reporting isn’t mandatory, it seems like it would need to be both.

Updated by Nigel Kersten 11 months ago

  • Target version changed from 2.6.x to 2.7.x
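
The check requested in this ticket, sketched as an added example (not Puppet's own code and not part of the original thread): it classifies the CA, master and agent certificates against the 3-month window suggested above and builds the log lines. The 90-day reading of "3 months", the `expired` level, the function names and the sample certificates are assumptions constructed for illustration.

```ruby
require 'openssl'

DAY = 86_400
WARN_WINDOW_DAYS = 90 # the thread's "3 months", taken as 90 days (assumption)

# Classify one certificate relative to `now`: returns [level, whole days left].
def expiry_status(cert, now = Time.now, window_days = WARN_WINDOW_DAYS)
  days_left = ((cert.not_after - now) / DAY).floor
  level = if days_left < 0
            :expired
          elsif days_left <= window_days
            :warning
          else
            :ok
          end
  [level, days_left]
end

# Build one log line per certificate that is expired or inside the window.
def expiry_warnings(certs, now = Time.now)
  certs.each_with_object([]) do |(role, cert), lines|
    level, days = expiry_status(cert, now)
    next if level == :ok
    state = level == :expired ? "expired #{-days} day(s) ago" : "expires in #{days} day(s)"
    lines << "#{level}: #{role} certificate #{cert.subject} #{state} (#{cert.not_after.utc})"
  end
end

# Constructed self-signed certificate, for demonstration only.
def sample_cert(key, cn, not_after)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_after - 5 * 365 * DAY
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

NOW = Time.utc(2011, 6, 16) # fixed clock so the result is reproducible
KEY = OpenSSL::PKey::RSA.new(2048)
SAMPLE = {
  'CA'     => sample_cert(KEY, 'ca.example.test', NOW + 30 * DAY),
  'master' => sample_cert(KEY, 'master.example.test', NOW + 400 * DAY),
  'agent'  => sample_cert(KEY, 'agent.example.test', NOW - 2 * DAY)
}
puts expiry_warnings(SAMPLE, NOW)
```

Because reporting is optional, as noted in the thread, the same lines would need to go to the log as well as into any report.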
