
Invoke-IcingaCheckCertificate shows too much certificates

Open BT-Danny opened this issue 2 years ago • 3 comments

Expected Behavior

Service should show one Certificate

Current Behavior

Service shows the new AND the old Certificate despite the fact that the old one was deleted. The problem is that the current and the old one share the same name.

I did not find the old certificate in any Cert Store, so I can't figure out where the Agent can still find it.

Possible Solution

Is it maybe possible to exclude Certificates by their expiration date (maybe a feature request for future updates?)

Steps to Reproduce (for bugs)

Context

Since the old certificate seems to be found, the service will remain critical. We don't want to filter the Certs by Fingerprints, because we have automations to renew the certs

Your Environment

Our Powershell Framework is on version 1.9 right now

  • Operating System and version (Get-IcingaWindowsInformation Win32_OperatingSystem | Select-Object Version, BuildNumber, Caption):

BT-Danny avatar Nov 24 '22 07:11 BT-Danny

Thank you for the issue. Are you sure the old certificate was deleted from the machine? If you delete a certificate from the cert store, it is no longer there and cannot be fetched by the plugin. If, however, the old and the new one both remain, both will be validated and executed.

I will try to figure something out in this case, to properly detect the scope of the cert maybe, add both of them but ignore the critical in case a newer one was found. Would that be an option?

LordHepipud avatar Dec 02 '22 09:12 LordHepipud

That sounds like a great idea. A possibility to exclude or filter out would be perfect. Our customer had a look, and I also researched the certificate in question. I can't tell how they deleted the old certificate, but it isn't in the cert store anymore. Also, the systems are HA built and in two cloud instances. The old certificate doesn't appear in the Google instance, just in the Azure instance, although they have both been changed the same way. I have no clue why the framework still shows the old one as expired.

BT-Danny avatar Dec 05 '22 07:12 BT-Danny

Just a heads up, since this feature would be greatly appreciated 🚀 I think a check of the scope would be sufficient, since the properties of the certificates would be identical in the case of an old one still remaining. Only considering the newest certificate and ignoring the old one if the scope is identical would be perfect.

Edit: The scope check should imo not include the name of the certificate though, in case the name changed on cert exchange.

BTMichel avatar Jul 05 '23 12:07 BTMichel
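Two things the thread circles around can be tried directly on the affected host: finding every store that still holds a copy of the certificate (the reporter could not locate the old one), and the "evaluate only the newest certificate per subject" rule the maintainer and BTMichel discuss. The following is an added PowerShell example, not code from icinga-powershell-framework or from any participant. It assumes a placeholder subject string, and it uses the certificate Subject as the grouping key for "scope"; as BTMichel notes, the name may change on exchange, in which case a different key (for example SAN entries or the template OID) would have to be chosen.

```powershell
# Added example, not part of icinga-powershell-framework.
# Locates all copies of a certificate across every local store and marks the
# ones superseded by a newer certificate with the same subject.
function Get-SupersededCertificate {
    param(
        # Assumption: placeholder subject; replace with the real CN of the service cert.
        [string]$SubjectFilter = 'CN=example-service.local'
    )

    # Walk both CurrentUser and LocalMachine and every store beneath them.
    # A cert that "isn't in the cert store" is frequently in a store other
    # than LocalMachine\My (e.g. CA, Root, or a CurrentUser store of a service account).
    $found = Get-ChildItem -Path 'Cert:\' -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
            $_.Subject -like "*$SubjectFilter*"
        } |
        Select-Object @{ Name = 'Store'; Expression = { $_.PSParentPath -replace '^.*::', '' } },
                      Subject, Thumbprint, NotBefore, NotAfter

    if (-not $found) {
        Write-Warning "No certificate matching '$SubjectFilter' found in any store."
        return
    }

    # Group by Subject (not Thumbprint, so automated renewals keep working)
    # and keep only the certificate with the latest expiry in each group.
    $newestPerSubject = $found |
        Group-Object -Property Subject |
        ForEach-Object { $_.Group | Sort-Object -Property NotAfter -Descending | Select-Object -First 1 }

    # Everything else is a superseded copy: report it with the store it lives in
    # so it can be removed instead of keeping the service CRITICAL.
    $found | ForEach-Object {
        [pscustomobject]@{
            Store      = $_.Store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Superseded = ($newestPerSubject.Thumbprint -notcontains $_.Thumbprint)
        }
    }
}

# Usage: list every matching cert, flagging the older duplicates.
Get-SupersededCertificate -SubjectFilter 'CN=example-service.local' | Format-Table -AutoSize
```

Run it in an elevated session so the LocalMachine stores are readable. Rows flagged Superseded = True show exactly which store still holds the old certificate; once that copy is removed, a plugin that evaluates all certificates with the same subject will see only the current one.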