To prevent issues due to certificate expiration, provide alert banner in UI to notify admin that certificates are set to expire in N days. Especially if certificates are not tracked by certmonger.
@dsirrine What certs should it check? Only the system certs of the replica the user is logged in to?
I'd say the critical subsystem certs. So the CA Signing, http SSL certs, 389-ds certs.
For example, in my IPA environment:
location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
location='/etc/httpd/alias',nickname='ipaCert'
location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca'
location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert'
location='/etc/httpd/alias',nickname='Server-Cert'
Each of these should be tracked and auto-renew. Still worth notifying the users that they may expire. I'm happy to do the work; all I need is a "getting started" guide for modifying the UI.
~ Edit ~
Would be a 'nice to have' if a user logs in that has a certificate tracked by certmonger with a known expiry date to notify them as well. But not critical IMHO
We should get the pending expiration status of the 6 default PKI Dogtag system certificates (CA signing, Audit signing, OCSP signing, subsystem cert, SSL server cert, and admin cert) relayed somewhere in the web UI; the banner could be a good way. Or a general status area may be under the tab "IPA Server", either separate or within the "Topology" sub tab? Or elsewhere? Other ideas from anybody? Thanks for the suggestion! M.
And maybe with a suggested certmonger command to list and eventually resubmit, or another action if the status is not "monitoring"?
A quick test: it looks like we could take a broad cut at this using the API.
Request: { "id": 0, "method": "cert_find/1", "params": [ [], { "validnotafter_from": "2017-04-01", "version": "2.212" } ] }
And display a banner if return count > 0
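An added example (not code from the ticket or from FreeIPA itself) of how a UI-side check could use that call: it bounds the window with both validnotafter_from and validnotafter_to so already-expired and far-future certificates are excluded, then turns the JSON-RPC result into banner text. The response below is constructed sample data; the valid_not_after date format is assumed to match ipa cert-find output.

```python
"""Expiry banner helper (added example, not FreeIPA code).

The response format (result.result list, serial_number, subject,
valid_not_after) is assumed to follow the IPA cert_find JSON-RPC output;
the values are constructed sample data."""
from datetime import date, datetime, timedelta

API_VERSION = "2.212"          # version string quoted in the ticket
PKI_DATE_FMT = "%a %b %d %H:%M:%S %Y UTC"  # assumed cert-find date layout


def expiry_request(today: date, days: int, api_version: str = API_VERSION) -> dict:
    """JSON-RPC body for cert_find limited to certs expiring in [today, today+days].

    Using only validnotafter_from (as in the quick test above) matches every
    cert still valid on that date, so the banner would always fire; the upper
    bound is what makes the query mean "expiring within N days"."""
    return {
        "id": 0,
        "method": "cert_find/1",
        "params": [[], {
            "validnotafter_from": today.isoformat(),
            "validnotafter_to": (today + timedelta(days=days)).isoformat(),
            "version": api_version,
        }],
    }


def expiring_certs(response: dict, today: date) -> list:
    """Return (serial, subject, days_left) tuples, most urgent first."""
    if response.get("error"):
        raise RuntimeError(response["error"])
    rows = []
    for cert in response["result"]["result"]:
        not_after = datetime.strptime(cert["valid_not_after"], PKI_DATE_FMT).date()
        rows.append((cert["serial_number"], cert["subject"], (not_after - today).days))
    return sorted(rows, key=lambda r: r[2])


def banner_text(rows: list) -> str:
    """Short banner text; empty string means no banner should be shown."""
    if not rows:
        return ""
    serial, subject, days_left = rows[0]
    return f"{len(rows)} certificate(s) expire soon; earliest in {days_left} days ({subject})"


# Constructed sample response, shaped like IPA's JSON-RPC envelope.
SAMPLE_RESPONSE = {"error": None, "id": 0, "result": {"count": 2, "truncated": False, "result": [
    {"serial_number": 7, "subject": "CN=ipa.example.test,O=EXAMPLE.TEST",
     "valid_not_after": "Sat Apr 15 12:00:00 2017 UTC"},
    {"serial_number": 3, "subject": "CN=Certificate Authority,O=EXAMPLE.TEST",
     "valid_not_after": "Fri Apr 07 08:00:00 2017 UTC"},
]}}
```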
And the purpose of this enhancement is to get info about the situation where certmonger fails to renew the cert?
Wrt the Web UI getting started guide: we don't have any specific one. There is an incomplete doc generated from source plus a few tutorials. This one might be helpful (it is otherwise part of the ipa code): https://pvoborni.fedorapeople.org/doc/#!/guide/Debugging
Metadata Update from @pvoborni: - Custom field rhbz adjusted to todo - Issue set to the milestone: FreeIPA 4.7
But still, it would be better to investigate and fix the root causes of certs not being renewed automatically.
Metadata Update from @pvoborni: - Issue tagged with: rfe, webui
I think that in some way we could use the new tool we're building [1] [2] to have these notifications and alerts. However, I don't know how we can integrate it to the web UI.
[1] https://www.redhat.com/archives/freeipa-devel/2017-April/msg00132.html [2] https://github.com/felipevolpone/freeipa-health-checker
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
Metadata Update from @rcritten: - Issue tagged with: healthcheck
Closed as duplicate of 6855
Metadata Update from @rcritten: - Issue close_status updated to: duplicate - Issue status updated to: Closed (was: Open)