
Create a check/calendar alert for MariaDB TLS certs
Open, NormalPublic

Description

So that we do not lose track of when the TLS certificates next expire, we should create a check and/or an event on the Ops Calendar.

We should also have a general validity check (in addition to the expiration time).

Event Timeline

Restricted Application added a subscriber: Aklapper. Dec 5 2016, 5:59 PM
Marostegui moved this task from Triage to Backlog on the DBA board.Dec 5 2016, 5:59 PM
jcrespo renamed this task from Create a check/calendar alert for TLS certs to Create a check/calendar alert for MariaDB TLS certs.Dec 7 2016, 9:25 AM
jcrespo added projects: Operations, observability.
jcrespo added subscribers: jcrespo, faidon.
jcrespo updated the task description. (Show Details)Dec 7 2016, 9:27 AM
Dzahn added a subscriber: Dzahn.Dec 17 2016, 2:31 AM
Dzahn added a comment.Jan 19 2017, 4:02 PM

Hi, I can take a shot at this. I did it for other certs before. Where are the certs located, please? I looked in files/ssl/ in the puppet repo. Where do they get installed to on the actual server file system?

Marostegui added a comment (edited). Jan 19 2017, 4:09 PM

Hey @Dzahn help is welcomed!!
They get installed here:

/etc/mysql/ssl

Thanks a lot!

@Dzahn, ideally, the check should be done by connecting to the servers. The files could be there but not loaded into memory after a restart; files are not loaded automatically, and restarts are rare. Otherwise, problems would almost never be detected. This is a different problem than, let's say, Apache, where a simple reload (probably puppetized) loads the new certs.

@jcrespo is correct, files on disk aren't the right way to monitor this.

check_ssl should work for this use case; it has explicitly been made to work with non-HTTP endpoints.

MySQL, when compiled with OpenSSL support, provides a very easy way to check the time:

| Ssl_server_not_after           | Jun 29 21:52:32 2020 GMT
| Ssl_server_not_before          | Jun 30 21:52:32 2015 GMT

It also provides a lot of information about allowed ciphers and other options. This may be worse than getting the certificate itself and doing it on the client side, but much more reliable than checking the files (e.g. it will catch servers that by mistake were booted without enabling TLS).

This could be a fast, quick first version of the script if check_ssl doesn't work (I have not checked it yet). It will also help understand the pending TLS deployment.
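Added example (not part of the ticket and not the WMF check that was eventually written): a Nagios-style plugin that does what the comments above ask for, i.e. checks the certificate the server is actually serving rather than the files in /etc/mysql/ssl. It parses the Ssl_server_not_before / Ssl_server_not_after values in the format quoted above, and as a second, login-free probe reads the same dates off the certificate presented over the wire with openssl s_client -starttls mysql. The sample SHOW STATUS output is constructed from the two rows quoted in the ticket; host, port, defaults file, CA path and thresholds are placeholders.

```python
#!/usr/bin/env python3
"""Check the TLS certificate a MariaDB server is actually serving.

Added example for this ticket, not the project's own check. Both probes go
over the wire, so a renewed cert sitting in /etc/mysql/ssl that was never
loaded (no restart) is caught, as is a server started without TLS at all.
Host, port, defaults file, CA path and thresholds are placeholders.
"""
import subprocess
import sys
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios/Icinga exit codes

# Constructed sample of SHOW STATUS LIKE 'Ssl_server_not_%' output, built
# from the two rows quoted in the ticket (boxed form of the mysql client).
SAMPLE_STATUS = """\
| Ssl_server_not_after           | Jun 29 21:52:32 2020 GMT
| Ssl_server_not_before          | Jun 30 21:52:32 2015 GMT
"""

def parse_openssl_time(text):
    """OpenSSL's textual time ('Jun 29 21:52:32 2020 GMT'), as used by both
    the Ssl_server_not_* variables and 'openssl x509 -dates'. split()
    normalises the double space OpenSSL puts before single-digit days."""
    parts = text.strip().split()
    if len(parts) != 5 or parts[4] not in ("GMT", "UTC"):
        raise ValueError("unexpected time format: %r" % text)
    naive = datetime.strptime(" ".join(parts[:4]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)

def parse_show_status(output):
    """SHOW STATUS output -> {variable: value}, accepting the boxed table
    ('| name | value |') and the tab-separated output of 'mysql -B -e'.
    Header and separator lines do not start with Ssl_ and are dropped."""
    status = {}
    for line in output.splitlines():
        sep = "|" if "|" in line else "\t"
        cells = [c.strip() for c in line.strip().strip("|").split(sep)]
        if len(cells) >= 2 and cells[0].startswith("Ssl_"):
            status[cells[0]] = cells[1]
    return status

def classify(not_before, not_after, now=None, warn_days=30, crit_days=7):
    """(exit_code, message) for a validity window. Empty values mean the
    server has no certificate loaded, i.e. TLS is off: CRITICAL, not OK,
    because that is exactly the case a file-on-disk check reports as fine."""
    now = now or datetime.now(timezone.utc)
    if not not_before or not not_after:
        return CRITICAL, "no server certificate loaded (TLS not enabled?)"
    nb, na = parse_openssl_time(not_before), parse_openssl_time(not_after)
    if now < nb:
        return CRITICAL, "certificate not yet valid (notBefore %s)" % nb
    left = na - now
    if left <= timedelta(0):
        return CRITICAL, "certificate expired (notAfter %s)" % na
    level = CRITICAL if left <= timedelta(days=crit_days) else \
        WARNING if left <= timedelta(days=warn_days) else OK
    return level, "certificate expires in %d days (notAfter %s)" % (left.days, na)

def probe_mysql(host, port, defaults_file, **thresholds):
    """Log in over TLS and read the server's own view of its cert. Credentials
    come from a my.cnf [client] section, not the command line (visible in ps);
    --ssl-verify-server-cert also rejects a cert whose name mismatches host."""
    cmd = ["mysql", "--defaults-extra-file=" + defaults_file, "-B", "-h", host,
           "-P", str(port), "--ssl", "--ssl-verify-server-cert",
           "-e", "SHOW STATUS LIKE 'Ssl_server_not_%'"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    st = parse_show_status(out)
    return classify(st.get("Ssl_server_not_before"),
                    st.get("Ssl_server_not_after"), **thresholds)

def probe_openssl(host, port, cafile=None, **thresholds):
    """No-login probe: STARTTLS inside the MySQL protocol (openssl >= 1.1.0),
    then read the dates off the presented leaf cert. With a CA file the chain
    is verified as well and a verification failure fails the probe."""
    s_client = ["openssl", "s_client", "-starttls", "mysql",
                "-connect", "%s:%d" % (host, port)]
    if cafile:
        s_client += ["-CAfile", cafile, "-verify_return_error"]
    pem = subprocess.run(s_client, input="", capture_output=True, text=True,
                         check=True).stdout
    dates = subprocess.run(["openssl", "x509", "-noout", "-dates"], input=pem,
                           capture_output=True, text=True, check=True).stdout
    vals = dict(ln.split("=", 1) for ln in dates.splitlines() if "=" in ln)
    return classify(vals.get("notBefore"), vals.get("notAfter"), **thresholds)

if __name__ == "__main__":
    # usage: check_mariadb_tls.py HOST [DEFAULTS_FILE]  (placeholder names)
    host = sys.argv[1]
    try:
        if len(sys.argv) > 2:
            code, msg = probe_mysql(host, 3306, sys.argv[2])
        else:
            code, msg = probe_openssl(host, 3306)
    except (subprocess.CalledProcessError, OSError, ValueError) as e:
        code, msg = UNKNOWN, "probe failed: %s" % e
    print("%s - %s" % (["OK", "WARNING", "CRITICAL", "UNKNOWN"][code], msg))
    sys.exit(code)
```

The two probes are complementary: the SHOW STATUS probe needs a monitoring login but reports the cert MariaDB has in memory even if the server is misconfigured in other ways, while the openssl probe needs no account and, given a CA bundle, also covers the "general validity" part of the task (chain and name verification) on the client side. Both report a missing certificate as CRITICAL rather than silently passing, which is the failure mode a file-based check would miss.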

Ottomata assigned this task to Dzahn.Mar 6 2017, 7:11 PM
Dzahn removed Dzahn as the assignee of this task.Mar 6 2017, 7:41 PM
Ottomata triaged this task as Normal priority.Mar 6 2017, 7:44 PM

I have created the foundations for this: https://phabricator.wikimedia.org/P5395#29087

This comment was removed by Marostegui.