Replace expired certificate? #169

Open
jcpunk opened this issue Sep 20, 2023 · 1 comment

Comments

@jcpunk
Contributor

jcpunk commented Sep 20, 2023

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 7.24.0
  • Ruby:
  • Distribution: CentOS Stream 9
  • Module version: 2.0.1

How to reproduce (e.g Puppet code you use)

class { '::openssl::certificate':
  x509_certs => {
    '/path/to/certificate.crt' => {
      ensure      => 'present',
      password    => 'j(D$',
      private_key => '/there/is/my/private.key',
      days        => 4,
      force       => false,
    }
  }
}

What are you seeing

When the certificate expires, puppet doesn't appear to care

What behaviour did you expect instead

When the certificate expires, a new cert would be generated from the private key

Output log

Any additional information you'd like to impart

@rtib
Contributor

rtib commented Oct 19, 2023

The current provider

def exists?
  if Pathname.new(resource[:path]).exist?
    return false if resource[:force] && !self.class.check_private_key(resource)
    return false unless self.class.old_cert_is_equal(resource)
    true
  else
    false
  end
end

does already check for some attributes, but not for the dates of the certificate.

I did that in an alternative provider like

def exists?
  return false unless Pathname.new(resource[:path]).exist?

  debug 'Certificate found, checking validity.'
  cert = OpenSSL::X509::Certificate.new(File.read(resource[:path]))
  debug "Certificate parsed as #{cert.pretty_inspect}"
  raise 'No validity dates found in certificate.' if cert.not_before.nil? || cert.not_after.nil?

  (cert.not_after - Time.now).to_i > (30 * 24 * 3600) # certificate valid for more than 30 days
end

This will consider the certificate absent if there is less than 30 days left to its not_after date, i.e. the certificate expires within 30 days. If the resource is considered absent, Puppet will call the create method of the provider.
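To see the threshold logic outside a Puppet run, here is a standalone Ruby script (an added example, not code from this issue or from the module) that builds throwaway self-signed certificates and applies the same 30-day check from the comment above to a fresh, a soon-expiring and an already-expired certificate. It also flags the interaction a practitioner should watch for: a resource whose `days` is not larger than the renewal threshold, like the reproducer's `days => 4`, is "absent" on every run and is regenerated every time. The names `make_cert`, `cert_still_valid?` and `regenerates_every_run?` are assumed, not provider methods.

```ruby
require 'openssl'

# One throwaway key for all constructed certificates (keygen is the slow part).
TEST_KEY = OpenSSL::PKey::RSA.new(2048)

# Build a self-signed certificate (constructed test data) whose validity
# window starts at `not_before` and lasts `days` days; returns PEM.
def make_cert(days:, not_before: Time.now)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=example.test')
  cert.issuer     = cert.subject
  cert.public_key = TEST_KEY.public_key
  cert.not_before = not_before
  cert.not_after  = not_before + days * 24 * 3600
  cert.sign(TEST_KEY, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Same decision as the exists? check above, lifted out of the provider:
# true when the certificate still has more than `renew_before_days` of
# validity left relative to `now`, false when it is expiring or expired.
def cert_still_valid?(pem, renew_before_days: 30, now: Time.now)
  cert = OpenSSL::X509::Certificate.new(pem)
  raise 'No validity dates found in certificate.' if cert.not_before.nil? || cert.not_after.nil?

  (cert.not_after - now).to_i > renew_before_days * 24 * 3600
end

# A certificate issued for `days` days that is not longer than the renewal
# threshold never passes the check, so Puppet would recreate it on every run.
def regenerates_every_run?(days:, renew_before_days: 30)
  days <= renew_before_days
end

if __FILE__ == $PROGRAM_NAME
  fresh    = make_cert(days: 365)
  expiring = make_cert(days: 10)
  expired  = make_cert(days: 4, not_before: Time.now - 10 * 24 * 3600)
  puts "365-day cert present?        #{cert_still_valid?(fresh)}"           # true
  puts "10-day cert present?         #{cert_still_valid?(expiring)}"        # false
  puts "expired cert present?        #{cert_still_valid?(expired)}"         # false
  puts "days => 4 regenerated always? #{regenerates_every_run?(days: 4)}"  # true
end
```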
