
Manage expired certificates

Open raviks789 opened this issue 3 years ago • 1 comment

The following two parameters are introduced to the `icingacli x509 scan` command to manage targets and certificates:

  1. `since-last-scan`: used to check when the target was last scanned (stored in column `last_scan` of table `x509_target`)

  2. `since-last-seen`: used to check when the target or certificate was last seen (stored in column `last_seen` of tables `x509_target` and `x509_certificate`).

And based on these two parameters the targets and certificates are cleaned up from the database.

ref #90

raviks789 avatar Oct 13 '22 09:10 raviks789

Please describe the PR and its functions that it implements and mark it as ready.

lippserd avatar Oct 21 '22 08:10 lippserd

I don't quite understand why you additionally filter for trusted when cleaning up certificates. When it hasn't been updated for N days and it's used by neither targets nor other certificates, why shouldn't we be able to remove it even if it's in the truststore?

Anyway, suppose I have an untrusted CA named FOO with last_seen -5 days and a non-CA certificate issued by FOO, i.e. in the certificate table this certificate has FOO in the issuer column. When the CA doesn't have any references in the chain & chain_link tables, it is just removed, even though there are still certificates referencing that CA as an issuer.

yhabteab avatar Nov 02 '22 13:11 yhabteab
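The cleanup gap described in the comment above, as an added example that is not the module's own code and uses a constructed, simplified schema (an assumption: certificates name their issuer by subject string, and `x509_certificate_chain_link` records chain membership). The first cleanup checks chain-link references only and drops the stale CA FOO while a leaf certificate still names it as issuer; the second also checks issuer references and, with no `trusted` filter, still removes a stale truststore CA that nothing references.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed stand-in schema (assumption, not the real icingaweb2-module-x509 tables).
SCHEMA = """
CREATE TABLE x509_certificate (id INTEGER PRIMARY KEY, subject TEXT, issuer TEXT,
                               ca INTEGER, trusted INTEGER, last_seen TEXT);
CREATE TABLE x509_certificate_chain (id INTEGER PRIMARY KEY, target_id INTEGER);
CREATE TABLE x509_certificate_chain_link (chain_id INTEGER, certificate_id INTEGER);
"""
NOW = datetime(2022, 11, 2, 13, 0)  # fixed "now" so the scenario is reproducible

def cutoff(days):
    return (NOW - timedelta(days=days)).isoformat()  # ISO strings compare lexically

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    stale, fresh = cutoff(5), NOW.isoformat()
    conn.executemany("INSERT INTO x509_certificate VALUES (?,?,?,?,?,?)", [
        (1, "FOO", "FOO", 1, 0, stale),               # untrusted CA, stale, in no chain
        (2, "www.example.test", "FOO", 0, 0, fresh),  # leaf issued by FOO, in a live chain
        (3, "OLD-ROOT", "OLD-ROOT", 1, 1, stale),     # trusted CA nothing references
    ])
    conn.execute("INSERT INTO x509_certificate_chain VALUES (1, 1)")
    conn.execute("INSERT INTO x509_certificate_chain_link VALUES (1, 2)")
    return conn

def cleanup_chain_refs_only(conn, since_last_seen_days):
    """Checks chain_link only: removes FOO although cert 2 still names it as issuer."""
    cur = conn.execute("""DELETE FROM x509_certificate WHERE last_seen < ?
        AND id NOT IN (SELECT certificate_id FROM x509_certificate_chain_link)""",
        (cutoff(since_last_seen_days),))
    return cur.rowcount  # number of rows deleted

def cleanup_with_issuer_refs(conn, since_last_seen_days):
    """Also keeps a cert while another stored cert names it as issuer; no trusted filter."""
    cur = conn.execute("""DELETE FROM x509_certificate WHERE last_seen < ?
        AND id NOT IN (SELECT certificate_id FROM x509_certificate_chain_link)
        AND NOT EXISTS (SELECT 1 FROM x509_certificate c2
                        WHERE c2.issuer = x509_certificate.subject
                          AND c2.id <> x509_certificate.id)""",
        (cutoff(since_last_seen_days),))
    return cur.rowcount

def dangling_issuers(conn):
    """Issuer names that no remaining certificate carries as its subject."""
    return [r[0] for r in conn.execute("""SELECT DISTINCT issuer FROM x509_certificate
        WHERE issuer NOT IN (SELECT subject FROM x509_certificate)""")]
```

Running both cleanups with `since_last_seen_days=1` on a fresh database each time shows the first leaving a dangling issuer FOO behind, while the second keeps FOO and removes only OLD-ROOT.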

Blocked by

  • https://github.com/Icinga/icingaweb2-module-x509/pull/129
  • https://github.com/Icinga/icingaweb2-module-x509/pull/114

yhabteab avatar Nov 02 '22 15:11 yhabteab

Blocked by

  • https://github.com/Icinga/icingaweb2-module-x509/pull/131

yhabteab avatar Feb 02 '23 11:02 yhabteab

LGTM now! Eric, it's your turn!

yhabteab avatar Feb 15 '23 13:02 yhabteab