Check for console-cert expire date #166
Comments
I agree. SUP-3714 has been created for this.
Any chance to make that a public issue or allow SDPs to view it? I'll give this a try and implement it, but first we need to decide how it should be done.
The support project is internal only, as it didn't use to be used for these sorts of concepts; I can't seem to override it for just one ticket. As for how it should be done, this module operates on the fringe of what we should do with facter, and as such we generally have to be careful. Considerations need to be made when updating the fact, such as: impact to memory (grepping or loading text files is something we only do if we really, really have to). The conf file may be the only source of this data, so we MAY have to use that, but I'll poke around and see if it's exposed somewhere else.
We could always check the default location, and only grep the config if it's not present...
This would work: `openssl s_client -servername localhost -connect localhost:443 2>/dev/null | openssl x509 -noout -dates`. Except on FIPS we can't use the openssl client.
I'm thinking `openssl s_client -servername localhost -connect localhost:443 2>/dev/null | openssl x509 -noout -dates` would be the way to go, with an exclusion for FIPS. It actually measures the running cert and not the expected cert on the filesystem.
Use Case
PE manages a certificate for the console. This can be the same as the agent cert, but it doesn't have to be. I think it would be really helpful to check if the used cert expires in < 90 days.
Describe the Solution You Would Like
As done in S0015, we could read the cert:
puppetlabs-pe_status_check/lib/facter/pe_status_check.rb, lines 138 to 146 in 7b99552
The default path is /opt/puppetlabs/server/data/console-services/certs/console-cert.cert.pem or /opt/puppetlabs/server/data/console-services/certs/${certname}.cert.pem. But the path is configurable in puppet_enterprise::profile::console::browser_ssl_cert. I don't think we can access the parameter easily from a fact. We could read it from /etc/puppetlabs/console-services/conf.d/console.conf.
A different approach would be to make an HTTP request to the console and get the cert.
Describe Alternatives You've Considered
A customer could use their internal monitoring tool for this, but since pe_status_check already validates certificates and people might get the impression that it covers every important part, I think it makes sense to integrate this into pe_status_check.
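The filesystem-based variant discussed above (check the default locations first, grep console.conf only as a fallback, then parse the PEM and compare `notAfter` against a 90-day threshold), written out as an added Ruby example. This is not code from pe_status_check; it assumes the console.conf key is `ssl-cert` (a guess at the layout, not confirmed by the issue), uses the default directory and file names the issue lists, and generates a throwaway self-signed certificate inline as constructed sample input so it runs offline without reading any real PE files.

```ruby
require 'openssl'

# Default certificate directory and file names quoted in the issue.
DEFAULT_CERTS_DIR = '/opt/puppetlabs/server/data/console-services/certs'.freeze
DEFAULT_CERT_NAMES = ['console-cert.cert.pem', 'CERTNAME.cert.pem'].freeze

# Resolve the console cert path the way the comments suggest: try the default
# locations first and only fall back to the config file when none exists.
# The `ssl-cert` key is an ASSUMPTION about the console.conf layout. `exists`
# is injectable so the lookup can be exercised without touching the filesystem.
def console_cert_path(certname:, conf_text: '', certs_dir: DEFAULT_CERTS_DIR,
                      exists: ->(path) { File.file?(path) })
  DEFAULT_CERT_NAMES.each do |name|
    path = File.join(certs_dir, name.gsub('CERTNAME', certname))
    return path if exists.call(path)
  end
  # Minimal HOCON-ish match for a line such as:  ssl-cert: "/path/to/cert.pem"
  match = conf_text.match(/^\s*ssl-cert\s*[:=]\s*"?([^"\s]+)"?/)
  match ? match[1] : nil
end

# Parse a PEM certificate and report how close it is to expiry. Whole days are
# floored, so a cert that expires later today reports 0 and an expired cert
# reports a negative number; `expiring_soon` uses the issue's 90-day window.
def console_cert_status(pem, now: Time.now, threshold_days: 90)
  cert = OpenSSL::X509::Certificate.new(pem)
  days = ((cert.not_after - now) / 86_400).floor
  {
    subject: cert.subject.to_s,
    not_after: cert.not_after,
    days_remaining: days,
    expired: days.negative?,
    expiring_soon: !days.negative? && days < threshold_days
  }
end

# Constructed sample input: a self-signed cert with a chosen expiry date, so the
# checks above can be run without a real console certificate.
def make_test_cert_pem(not_after:, not_before: not_after - 365 * 86_400)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=console.example.test')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if $PROGRAM_NAME == __FILE__
  now = Time.utc(2024, 1, 1)
  sample = make_test_cert_pem(not_after: now + 45 * 86_400)
  p console_cert_status(sample, now: now)
  # Constructed console.conf fragment; no default file exists in this demo.
  conf = "webserver: {\n  ssl-cert: \"/etc/pki/console.pem\"\n}\n"
  p console_cert_path(certname: 'pe.example.test', conf_text: conf,
                      exists: ->(_) { false })
end
```

Pinning `now` in the calls above keeps the day arithmetic deterministic; in a real fact you would pass the current time and the actual `certname` fact, and the `openssl s_client` variant from the comments would replace `File.read` of the path when you want the certificate the service is really serving.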