Adding CRL expiry checking into the CA health check. #972
…'main' ECA-12673: Fixing display of available publisher in multi group publisher Closes ECA-12673 See merge request ejbca/ejbca!1761
ECA-12667: Added Systemtests for the init command password update Closes ECA-12667 See merge request ejbca/ejbca!1759
# Conflicts: # .classpath
verify command was missing the dependency.
Remove dom4j library. Closes EJBCAINTER-816 See merge request ejbca/ejbca!1548
ECA-12639: Fix environment variable expansion for ConfigDump import Closes ECA-12639 See merge request ejbca/ejbca!1744
The flags for DNSSEC validation and DNAME lookups in the CAA CLI are inverted Closes ECA-12675 See merge request ejbca/ejbca!1765
Ref: ECA-12676
…gdump-import-ca-with-initialize' into 'main' ECA-12487: fix KeyPairInfo NPE when initializing imported CA Closes ECA-12487 See merge request ejbca/ejbca!1762
Resolve ECA-12524 "Msae ldap connection through ra" Closes ECA-12524 See merge request ejbca/ejbca!1674
Fix: adapt drop index query for postgresql Closes ECA-12323 See merge request ejbca/ejbca!1507
EJBCAINTER-1089 fix swagger-ui Closes EJBCAINTER-1089 See merge request ejbca/ejbca!1751
ECA-12674: Fix verify command Closes ECA-12674 See merge request ejbca/ejbca!1764
…main' Resolve EJBCAINTER-1004 "Cannot use plugins with java 17" Closes EJBCAINTER-1004 See merge request ejbca/ejbca!1711
ECA-12510: helm chart https only and added notes.txt Closes ECA-12510 See merge request ejbca/ejbca!1755
ECA-12675: Add tests for --nodnssec and -nodname for caacli See merge request ejbca/ejbca!1767
fix: deprecate debianfingerprint format Closes ECA-12676 See merge request ejbca/ejbca!1768
EJBCAINTER-1103: fix caa cli unit tests Closes EJBCAINTER-1103 See merge request ejbca/ejbca!1769
…11947-Jakarta10' Resolve EJBCAINTER-1000 "Fix/fb configdump import" See merge request ejbca/ejbca!1682
…oudshm-v5-hsm' into 'main' ECA-12626 Upgrade p11ng to prevent CKO_DATA deletion Closes ECA-12626 See merge request ejbca/ejbca!1772
Resolve ECA-11947 "Eb jakarta10" Closes ECA-11947 and EJBCAINTER-1000 See merge request ejbca/ejbca!1773
Added the OpenSSF Badge back to the README. https://www.bestpractices.dev/en/projects/9419
The link to the CONTRIBUTING Guidelines was not working.
Added OpenSSF Badge in README.md
Remove duplicate name field
…-fixes/9.1.1 L10n: Admin GUI English message fixes (OCSP Responders)
…full-update/9.1.1 L10n: Admin GUI French update (based on 9.1.1) Fully translated
…l-update/9.1.1 L10n: RA GUI French update (based on 9.1.1) Fully translated
…lsender Log recipients for MailSender
…-algorithm/9.0.0' onto 'main' Noticket: Improve GUI messages for signing algorithm Noticket: Improve GUI messages for signing algorithm (red color) Noticket: Improve GUI messages for signing algorithm (the best)
…-algorithm/9.0.0' into improve/gui-messages-for-signing-algorithm/9.0.0
…or-signing-algorithm/9.0.0 Improve: GUI messages for signing algorithm in CA creation form
…is not used to "uniquely identify a key" as stated in RFC 4210 5.1.1. Contributed under SPDX "LGPL-2.1-or-later".
…eq-for-pbmac1 Make PKIMessage.PKIHeader.senderKID optional for PBE/PBMAC1
…is not used to "uniquely identify a key" as stated in RFC 4210 5.1.1. Contributed under SPDX "LGPL-2.1-or-later".
…eq-for-pbmac1-part2 Make PKIMessage.PKIHeader.senderKID optional for PBE/PBMAC1 since it …
It's quite easy to check CRL freshness from the CRL distribution point, with the added benefit that it verifies that the CDP also works. This feature slightly contradicts the purpose of healthcheck as stated in the first paragraph in the doc. Since CRLs are cluster wide, it would not be something you use to monitor a specific node in a cluster. Therefore I am hesitant about this as I see it as feature creep, even though it looks nice in principle. I.e. I don't want to duplicate functionality or make the healthcheckservlet into a generic query API. PS: I would implement it parameterized in healthcheckservlet, default not checked, since many CAs don't issue CRLs at all and don't care about CRL expiration.
Agreed that CDPs are also worth checking, but having extra checking points can help with problem diagnosis. The other thought here would be to use the CA settings to identify if a CRL should have been issued, in order to give an early warning of a problem rather than simply detecting CRL expiry. Good point that it should be configurable. I can include that.
Checks now enabled via URL.
Added additional checks to ensure the CRL was generated when expected (with a 10 minute grace to allow for the service to start and finish). The CRL tests are enabled with a parameter on the health check URL.
Describe your changes
The health check for the CAs can be improved by checking the CRL for expiry, but also checking if the CRL should have been generated based upon the CA settings of 'CRL Issue Interval' or 'CRL Overlap Time'.
The CRL test is optional. Enable it via the health check URL with the parameter "checkCrl=true". For example:
https://<IP>/ejbca/publicweb/healthcheck/ejbcahealth?checkCrl=true
How has this been tested?
Tested manually.
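Worked example of the two checks the description lists, added here and not taken from EJBCA or from this PR's implementation: CRL expiry against nextUpdate, and whether a replacement CRL was already due under 'CRL Issue Interval' / 'CRL Overlap Time' with the 10 minute grace mentioned above, gated by the checkCrl=true parameter. The reading of the two settings (a zero issue interval meaning the CRL is reissued only when the overlap time is reached), the function names and all sample CAs and timestamps are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

GRACE = timedelta(minutes=10)  # grace stated in the PR: let the CRL service start and finish

@dataclass
class CrlInfo:
    this_update: datetime  # CRL thisUpdate
    next_update: datetime  # CRL nextUpdate; at or after this the CRL is expired

@dataclass
class CaCrlSettings:
    issue_interval: timedelta  # 'CRL Issue Interval'; assumed: zero means issue only at overlap time
    overlap_time: timedelta    # 'CRL Overlap Time': a new CRL is due this long before nextUpdate

def check_crl_enabled(query_string: str) -> bool:
    """Opt-in switch from the PR: only 'checkCrl=true' on the health URL enables the test."""
    return any(v.lower() == "true" for v in parse_qs(query_string).get("checkCrl", []))

def expected_issue_time(crl: CrlInfo, settings: CaCrlSettings) -> datetime:
    """When a replacement CRL was due (assumed reading of the two CA settings)."""
    if settings.issue_interval > timedelta(0):
        return crl.this_update + settings.issue_interval
    return crl.next_update - settings.overlap_time

def check_ca_crl(name: str, crl: "CrlInfo | None", settings: CaCrlSettings, now: datetime) -> list:
    """Problems for one CA; an empty list means its CRL is healthy."""
    if crl is None:
        return [f"{name}: no CRL found"]
    problems = []
    if now >= crl.next_update:
        problems.append(f"{name}: CRL expired at {crl.next_update.isoformat()}")
    due = expected_issue_time(crl, settings)
    if now > due + GRACE:
        problems.append(f"{name}: CRL was due at {due.isoformat()} but has not been issued")
    return problems

# Constructed sample: three CAs observed at a fixed time (not data from the PR).
def _t(day: int, hour: int) -> datetime:
    return datetime(2024, 1, day, hour, tzinfo=timezone.utc)

NOW = _t(10, 12)
SAMPLE_CAS = {
    "DailyCA": (CrlInfo(_t(9, 0), _t(12, 0)), CaCrlSettings(timedelta(days=1), timedelta(hours=2))),
    "OverlapCA": (CrlInfo(_t(9, 0), _t(11, 0)), CaCrlSettings(timedelta(0), timedelta(hours=12))),
    "StaleCA": (CrlInfo(_t(8, 0), _t(10, 11)), CaCrlSettings(timedelta(0), timedelta(hours=1))),
}
```

DailyCA is still valid but a day's interval has passed without a new CRL, OverlapCA is exactly at its overlap point and still inside the grace, and StaleCA is both expired and overdue.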