
Check if TLS certificate and key file have been modified

Open LeviHarrison opened this issue 3 years ago • 8 comments

This PR adds the capability to check the hashes of the client certificate and key files to see if they've been modified, as is already done with the CA file.

Fixes https://github.com/prometheus/prometheus/issues/9512

LeviHarrison avatar Nov 24 '21 16:11 LeviHarrison

I think we should only store the cert; you cannot change the key without changing the cert.

roidelapluie avatar Nov 25 '21 21:11 roidelapluie

The issue with that would be if someone were to change only the key. Yes, the TLS configuration would be invalid, but instead of getting (what I think would be) a "private key does not match public key" error, they would continue to get whatever error they had before, or nothing, because the configuration wouldn't be updated.

LeviHarrison avatar Nov 26 '21 17:11 LeviHarrison
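The trade-off discussed in the two comments above, as an added Go example that is not code from this PR or from Prometheus: it hashes the files on disk, swaps only the key, and compares what a cert-only check and a cert-and-key check report. The names `watcher`, `writePair` and `KeyOnlyChange`, the file names, and the generated Ed25519 pair are assumptions constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
)

type watcher map[string][32]byte // path -> SHA-256 seen at the previous check
// Changed re-hashes the files and reports whether any content differs.
func (w watcher) Changed(paths ...string) (changed bool) {
	for _, p := range paths {
		b, _ := os.ReadFile(p) // an unreadable file is hashed as empty input
		if sum := sha256.Sum256(b); w[p] != sum {
			w[p], changed = sum, true
		}
	}
	return changed
}
// writePair writes a constructed self-signed Ed25519 certificate and its key (sample data).
func writePair(certPath, keyPath string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.test"}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	pk, _ := x509.MarshalPKCS8PrivateKey(priv)
	os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600)
	os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pk}), 0o600)
}
// KeyOnlyChange replaces just the key file and returns what each strategy sees.
func KeyOnlyChange() (certOnly, certAndKey bool, reloadErr error) {
	dir, _ := os.MkdirTemp("", "tlswatch")
	defer os.RemoveAll(dir)
	crt, key := dir+"/tls.crt", dir+"/tls.key"
	writePair(crt, key)
	a, b := watcher{}, watcher{}
	a.Changed(crt)                       // baseline: certificate hash only
	b.Changed(crt, key)                  // baseline: certificate and key hashes
	writePair(dir+"/discarded.crt", key) // new key on disk, tls.crt untouched
	_, reloadErr = tls.LoadX509KeyPair(crt, key)
	return a.Changed(crt), b.Changed(crt, key), reloadErr
}
func main() { fmt.Println(KeyOnlyChange()) }
```

With only the certificate hashed, the key swap goes unnoticed and no reload is attempted; with both hashed, the reload runs and surfaces the key/certificate mismatch.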

We are also hitting this problem. Is there anything we can help with to move the PR forward?

fpetkovski avatar Mar 01 '22 08:03 fpetkovski

Apologies, I just need to find time to work on this.

LeviHarrison avatar Mar 01 '22 14:03 LeviHarrison

@LeviHarrison do you want me to pick up the work? This bug is becoming a significant issue for us right now.

simonpasquier avatar Apr 12 '22 08:04 simonpasquier

> @LeviHarrison do you want me to pick up the work? This bug is becoming a significant issue for us right now.

Yes, I think you can review & rebase.

roidelapluie avatar Apr 12 '22 08:04 roidelapluie

Rebased on top of main. I didn't change anything in the PR except for resolving the conflicts. Thanks a lot @LeviHarrison!

simonpasquier avatar Jul 08 '22 12:07 simonpasquier

@roidelapluie PTAL

simonpasquier avatar Jul 21 '22 10:07 simonpasquier

@roidelapluie friendly ping :)

simonpasquier avatar Oct 17 '22 10:10 simonpasquier

Thanks!

roidelapluie avatar Nov 03 '22 11:11 roidelapluie