Maniphest T120662

Track/alert cassandra certs expiration
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	fgiunchedi
	Dec 7 2015, 3:55 PM

Description

followup from T108953: Cassandra inter-node encryption (TLS) is to track expirations of cassandra CA and certs, rollout involves generating new certs via cassandra-ca-manager and restart cassandra after a puppet run to deploy the updated certs

Details

Subject	Repo	Branch	Lines +/-
cassandra: add ssl monitoring only for ssl-enabled hosts	operations/puppet	production	+1 -2
cassandra: limit SSL cert monitoring to restbase hosts	operations/puppet	production	+7 -4
cassandra: add instance ssl monitoring	operations/puppet	production	+12 -0

Customize query in gerrit

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved		Dzahn	T114059 ssl expiry tracking in icinga - we don't monitor that many domains
		Resolved		fgiunchedi	T120662 Track/alert cassandra certs expiration

Event Timeline

fgiunchedi created this task.Dec 7 2015, 3:55 PM

fgiunchedi claimed this task.

fgiunchedi raised the priority of this task from to Medium.

fgiunchedi updated the task description. (Show Details)

fgiunchedi added projects: SRE, RESTBase-Cassandra.

fgiunchedi subscribed.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 7 2015, 3:55 PM

fgiunchedi mentioned this in T108953: Cassandra inter-node encryption (TLS).Dec 7 2015, 3:56 PM

Dzahn subscribed.Dec 15 2015, 6:07 PM

Dzahn added a parent task: T114059: ssl expiry tracking in icinga - we don't monitor that many domains.Dec 15 2015, 6:09 PM

We can use the same method as in T116332 here with modules/nagios_common/files/check_commands/check_ssl_certfile that we can install where the cert is (like here and execute via NRPE. It runs "openssl x509 -checkend 324000 -noout -in $1 on the cert file. This is the method for services that use TLS but are not https or ldaps. For these protocols we have other plugins that actually connect to the server instead of just checking the certificate as a file.

another approach would be also to connect to the host directly and use check_ssl, possibly some changes/tweaks are needed too on the options

$ modules/nagios_common/files/check_commands/check_ssl -H localhost  -r cert.crt -p 9999  --nosni
Cannot determine hostname of peer for verification. Disabling default hostname verification for now. Please specify hostname with SSL_verifycn_name and better set SSL_verifycn_scheme too.
Label too long at /usr/share/perl5/IO/Socket/SSL.pm line 1579.

additionally, an x509 cert in PEM format can be extracted from the ca file with keytool -export -alias rootca -file cert.crt -rfc -keystore server.trust

Eevans raised the priority of this task from Medium to High.Jul 28 2016, 3:37 PM

Eevans added a project: Cassandra.

Eevans moved this task from Backlog to Next on the Cassandra board.Aug 3 2016, 3:08 PM

Eevans renamed this task from track/alert cassandra certs expiration to Track/alert cassandra certs expiration.Aug 15 2016, 7:52 PM

Eevans mentioned this in T143044: Renew RESTBase self-signed root certificate authority.Aug 15 2016, 8:09 PM

Change 305633 had a related patch set uploaded (by Filippo Giunchedi):
cassandra: add instance ssl monitoring

https://gerrit.wikimedia.org/r/305633

gerritbot added a project: Patch-For-Review.Aug 19 2016, 10:11 AM

fgiunchedi mentioned this in rOPUP04fb734a7f49: cassandra: add instance ssl monitoring.Aug 19 2016, 10:15 AM

fgiunchedi mentioned this in rOPUP2158c4e13a08: cassandra: add instance ssl monitoring.Aug 19 2016, 10:35 AM

Dzahn mentioned this in rOPUPd842ab78fec5: cassandra: add instance ssl monitoring.Aug 19 2016, 7:37 PM

Change 305633 merged by Dzahn:
cassandra: add instance ssl monitoring

https://gerrit.wikimedia.org/r/305633

It has been added to Icinga and it works fine for restbase* hosts, but the cassandra role is also applied on aqs* and maps* and it does not work for all of them the same way.

examples:

working and OK on restbase1007

https://icinga.wikimedia.org/cgi-bin/icinga/extinfo.cgi?type=2&host=restbase1007&service=cassandra-b+SSL+10.64.0.231%3A7001

working and WARNS correctly about expiry on restbase-test2002

https://icinga.wikimedia.org/cgi-bin/icinga/extinfo.cgi?type=2&host=restbase-test2002&service=cassandra-a+SSL+10.192.16.156%3A7001

failed to connect on aqs1001 or maps2001

https://icinga.wikimedia.org/cgi-bin/icinga/extinfo.cgi?type=2&host=aqs1001&service=cassandra+SSL+10.64.0.123%3A7001

https://icinga.wikimedia.org/cgi-bin/icinga/extinfo.cgi?type=2&host=maps2001&service=cassandra+SSL+10.192.0.144%3A7001

Change 305711 had a related patch set uploaded (by Dzahn):
cassandra: limit SSL cert monitoring to restbase hosts

https://gerrit.wikimedia.org/r/305711

Change 305711 merged by Dzahn:
cassandra: limit SSL cert monitoring to restbase hosts

https://gerrit.wikimedia.org/r/305711

Dzahn mentioned this in rOPUP995b8a6421dc: cassandra: limit SSL cert monitoring to restbase hosts.Aug 19 2016, 8:42 PM

https://icinga.wikimedia.org/cgi-bin/icinga/status.cgi?search_string=cassandra

Mentioned in SAL [2016-08-22T17:48:28Z] <godog> cassandra: replace certs for restbase-test200[123]-[ab] - T120662

Eevans moved this task from Next to In-Progress on the Cassandra board.Aug 24 2016, 4:33 PM

Change 307251 had a related patch set uploaded (by Filippo Giunchedi):
cassandra: add ssl monitoring only for ssl-enabled hosts

https://gerrit.wikimedia.org/r/307251

Change 307251 merged by Dzahn:
cassandra: add ssl monitoring only for ssl-enabled hosts

https://gerrit.wikimedia.org/r/307251

merged and checked on neon. number of checks was 60 before and after / no-op. and yea, that was the better solution that i was looking for instead of my quick fix by hostname. thank you!

guess it's resolved now?

yes! thanks @Dzahn, resolving

Eevans awarded a token.Sep 1 2016, 3:04 PM

ayounsi mentioned this in T251373: Restbase/cassandra SSL certs expiration (2020-06-24).Apr 29 2020, 8:35 AM

elukey mentioned this in T296448: Restbase/Cassandra TLS cert expiration warnings.Nov 25 2021, 7:28 AM