Add certs expiry params#456
Conversation
|
@stejskalleos One thing I see already as a problem: the certs are not regenerated if I change the expiry date. |
|
That's quite intentional (see https://docs.ansible.com/projects/ansible/latest/collections/community/crypto/x509_certificate_module.html#parameter-selfsigned_not_after and https://docs.ansible.com/projects/ansible/latest/collections/community/crypto/x509_certificate_module.html#parameter-ownca_not_after) as otherwise the use of relative timestamps would mean that the cert is regenerated on every run. |
|
/packit build |
|
@evgeni should we switch to absolute timestamps then? Maybe it will make more sense to us, so we will be able to prolong the validity without too much hassle? |
|
My gut feeling is that it wouldn't make the UX any better, but I might have not thought is through completely. |
|
I would say that the client and server certs are safe to regenerate, which is not really possible without the option (unless we want to split it into a different feature). |
|
You don't want to regenerate certificates continuously. This will trigger service restarts, which users don't like. And also could have negative effects if people use certificate pinning or similar (based on the actual cert, not the CA, this is clearly "don't do it like this" territory, but often people don't listen to such advice). Also, this is kinda against the whole idea of certificate validity, as it just pushes it out "forever". So we could either use absolute timestamps (which means we'd have to store them), or dynamically set |
|
I was thinking about using absolute timestamps, as I said previously.
What do you think, would it make more sense? This way we enable easy change to the more common certs, and a confirmation flag to CA, that requires more attention from the user. |
|
In your setup, how would a user renew certificates that are bound to expire in (say) two weeks? |
|
If we are talking about server or client certs it would be running But if the user wants to change the CA validity, then it would be something like |
|
Okay. And my alternative (for server/client) would be: Does anyone else have an opinion/preference? |
|
I think a user wants minimal downtime and secure communication. For that we chose to use certificates and they need to be valid. @evgeni already mentioned to avoid service restarts due to certificate changes, but downtime can also be caused by expired certificates. How do we translate that into a process and parameters? You need to create a certificate and determine a validity period (measured in days). Then you also need to determine when to renew. That probably shouldn't be the validity period, otherwise you'll renew it all the time. Let's Encrypt has proposed a process via RFC 9773. While I don't expect us to implement this right now, I like the idea and we can learn from the concepts. A basic implementation to have a minimum validity period.
I like this.
I'm thinking of automating it and avoid introducing new parameters by using a formula. For example, take half the I don't know if this also works for the CA or it needs a more nuanced implementation. |
|
If we will introduce a single |
|
while I can see different validity for CA and non-CA, I see no reason to differentiate between server and client certs. |
|
I think I have addressed everything. How does it look now? |
|
Should we track the renewal in the same PR? I think there's a lot to discuss on that topic and I don't think we should hold up adding the expiration params on that. |
I think the current state is "good enough" to be used as a starting ground for any follow up discussions if needed (or to be ripped out, if we decide to go a different route). |
| help: Lifetime of the generated server and client certificates, in days. | ||
| parameter: --certificate-validity-days | ||
| certificates_renew: | ||
| help: Remove and regenerate server and client certificates for each issued hostname (does not regenerate the CA). |
There was a problem hiding this comment.
| help: Remove and regenerate server and client certificates for each issued hostname (does not regenerate the CA). | |
| help: Regenerate server and client certificates for each issued hostname (does not regenerate the CA). |
There was a problem hiding this comment.
I'd start the last bit as a new sentence. Also questioning if the "for each issued hostname" is really relevant. How about:
| help: Remove and regenerate server and client certificates for each issued hostname (does not regenerate the CA). | |
| help: Force renewal of the server and client certificates. Does not regenerate the CA. |
There was a problem hiding this comment.
As we're adding custom certs in #462 and those would not be renewed by this, I wonder if there is a word we could use to differentiate the certs here. Something like "managed server and client certificates"? Doesn't have to be solved in this PR, but having clear wording which movable parts of the stack are "bring your own" and which are "we do it for you" would be cool.
There was a problem hiding this comment.
The old default CA and server CA naming was really poor, but I struggle to come up with something better. Internal vs External perhaps?
There was a problem hiding this comment.
"Force renewal of the server and client certificates issued by the internal CA."? Sounds cludgy.
There was a problem hiding this comment.
What about Regenrate server and client certificates previously generated by foremanctl. Does not regenerate the CA.
There was a problem hiding this comment.
Technically they are not regenerated (the private and public keys remain the same, only the signature changes), but I don't really mind.
| ownca_privatekey_passphrase: "{{ certificates_ca_password }}" | ||
| ownca_not_after: "+7300d" | ||
| ownca_not_after: "+{{ certificates_validity_days }}d" | ||
| force: "{{ certificates_renew | bool }}" |
There was a problem hiding this comment.
IMHO here we see the real value of using community.crypto. With our hand crafted openssl statements this would have been a pain.
ShimShtein
force-pushed
the
add_certs_expiry_params
branch
from
ab5155b to
ab2ec71
Compare
| certificates_cnames: [] | ||
| certificates_algorithm_type: RSA | ||
| certificates_algorithm_size: 4096 | ||
| # Validity periods in days (used as +Nd for community.crypto not_after). |
There was a problem hiding this comment.
A bit nitpicky here -- the variable name tells me this information already. And I do not understand the part in parenthesis to feel like it adds value.
ehelms
left a comment
ehelms
left a comment
There was a problem hiding this comment.
This is missing documentation updates and tests at least for the renew workflow.
pr-processor
Bot
added
Waiting on contributor
Needs re-review
and removed
Waiting on contributor
labels
|
Updated the documentation, but couldn't understand how to properly add a test that will rerun the installer. |
| variables: | ||
| certificates_ca_validity_days: | ||
| help: Lifetime of the generated CA certificate, in days. | ||
| parameter: --certificate-ca-validity-days | ||
| certificates_validity_days: | ||
| help: Lifetime of the generated server and client certificates, in days. | ||
| parameter: --certificate-validity-days | ||
| certificates_renew: | ||
| help: Regenrate server and client certificates previously generated by foremanctl. Does not regenerate the CA. | ||
| parameter: --certificate-renew |
There was a problem hiding this comment.
If I set the expiration period for both the client and server certificates to 5 days each, my question is whether the customer will receive a notification before the certificates expire, as I do not see that happening here.
My second point is that --certificate-renew does not renew the CA certificate. If I set the CA certificate validity to 5 days, how will the CA certificate be renewed?
Also, you mentioned that the certificate is considered to have a lifetime. What exactly does that mean if I explicitly set its validity period to 5 days?
There was a problem hiding this comment.
whether the customer will receive a notification before the certificates expire, as I do not see that happening here.
Is it something that we previously set up?
My second point is that --certificate-renew does not renew the CA certificate. If I set the CA certificate validity to 5 days, how will the CA certificate be renewed?
We have discussed it previously: CA renewal is a process and I want to treat it in a separate story.
Also, you mentioned that the certificate is considered to have a lifetime. What exactly does that mean if I explicitly set its validity period to 5 days?
I may be missing something, but if you set validity period to 5 days, it means that the lifetime of the certificate would be 5 days from the run of the module.
There was a problem hiding this comment.
whether the customer will receive a notification before the certificates expire, as I do not see that happening here.
Is it something that we previously set up?
I guess no, i do not see in the old installer.
There was a problem hiding this comment.
If the server and client certificates have expired and I want to renew them, will this work using this option?
foremanctl deploy --certificate-validity-days 365 --certificate-renew or
foremanctl deploy --certificate-renew
I tried renewing the expired server and client certificates, but it does not seem to be supported. Is it required to have a valid CA certificate first before renewing the server and client certificates?
There was a problem hiding this comment.
foremanctl deploy --certificate-renew should be sufficient, in my understanding
was the CA expired too?
There was a problem hiding this comment.
You can do both. In the shorter case, I guess you will be getting the default validity (7300 days). Unless @evgeni says that we preserve the validity days parameter by default.
There was a problem hiding this comment.
Is it required to have a valid CA certificate first before renewing the server and client certificates?
Yes, the CA has to be valid. We are signing the server and client certs with the CA.
There was a problem hiding this comment.
foremanctl deploy --certificate-renewshould be sufficient, in my understandingwas the CA expired too?
Yes, the CA certificate has also expired.
There was a problem hiding this comment.
You can do both. In the shorter case, I guess you will be getting the default validity (7300 days). Unless @evgeni says that we preserve the validity days parameter by default.
If you haven't marked it as persist: false, it will of course be preserved (which I think is the correct way to do it)
ShimShtein
force-pushed
the
add_certs_expiry_params
branch
from
8c8f3d7 to
77fee5f
Compare
evgeni
left a comment
evgeni
left a comment
There was a problem hiding this comment.
wording nitpick, but otherwise ACK
ShimShtein
force-pushed
the
add_certs_expiry_params
branch
from
77fee5f to
3484cc6
Compare
|
All the |
amolpati30
left a comment
amolpati30
left a comment
There was a problem hiding this comment.
I have done below testing scenarios here to validate the certificates:
Verify that the default validity period is correctly applied to the certificates.
Explicitly set the certificate validity period, validate it, and then update the server and client certificate validity again using the --certificate-renew parameter, followed by validation.
6 participants
Why are you introducing these changes? (Problem description, related links)
https://redhat.atlassian.net/browse/SAT-43479
We need to expose the certificate validity to the users, so it would be possible to align it with the local security policies.
What are the changes introduced in this pull request?
metadata.obsah.yamlHow to test this pull request
Steps to reproduce:
Checklist