
Create a check/calendar alert for MariaDB TLS certs
Closed, Declined · Public


In order to keep in mind the next time the TLS certificates will expire, we should create a check and/or an event on the Ops Calendar.

We should also have a general validity check (in addition to the expiration time).

Event Timeline

jcrespo renamed this task from Create a check/calendar alert for TLS certs to Create a check/calendar alert for MariaDB TLS certs. Dec 7 2016, 9:25 AM
jcrespo added projects: SRE, observability.
jcrespo added subscribers: jcrespo, faidon.

Hi, I can take a shot at this. Did it for other certs before. Where are the certs located, please? I looked in files/ssl/ in the puppet repo. Where do they get installed to on the actual server file system?

Hey @Dzahn help is welcomed!!
They get installed here:


Thanks a lot!

@Dzahn, ideally, the check should be done connecting to the servers. The files could be there, but not loaded into memory after a restart, and files are not loaded automatically, and restarts are rare. Otherwise, problems will almost never be detected. This is a different problem than, let's say, Apache, where a simple reload (probably puppetized) loads the new certs.

@jcrespo is correct, files on disk aren't the right way to monitor this.

check_ssl should work for this use case; it has explicitly been made to work with non-HTTP endpoints.

MySQL, when compiled with OpenSSL support, provides a very easy way to check the time:

| Ssl_server_not_after           | Jun 29 21:52:32 2020 GMT
| Ssl_server_not_before          | Jun 30 21:52:32 2015 GMT

It also provides a lot of information about allowed ciphers and other options. This may be worse than getting the certificate itself and doing it on the client side, but much more reliable than checking the files (e.g. it will catch servers that by mistake were booted without enabling TLS).

This could be a fast, quick first version of the script if check_ssl wouldn't work (I have not checked it yet). It will also help understand pending tls deploy.
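One way to turn the status variables quoted above into a monitoring check, as an added example that is not part of the original task discussion or of any existing script: it parses the two rows shown and returns Nagios-style exit codes. The function names, the 30/7-day thresholds and the choice to treat empty values as a server running without a loaded certificate are assumptions.

```python
from datetime import datetime, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios/Icinga plugin exit codes
DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # date format of the rows quoted above

# The two rows from the discussion, e.g. from SHOW STATUS LIKE 'Ssl_server_not%'
SAMPLE = """| Ssl_server_not_after           | Jun 29 21:52:32 2020 GMT
| Ssl_server_not_before          | Jun 30 21:52:32 2015 GMT"""

def parse_status(text):
    """Parse '| name | value' rows of mysql client table output into a dict."""
    rows = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and cells[0].startswith("Ssl_server_not_"):
            rows[cells[0]] = cells[1]
    return rows

def parse_date(raw):
    return datetime.strptime(raw, DATE_FMT).replace(tzinfo=timezone.utc)

def check_cert(text, now, warn_days=30, crit_days=7):
    """Return (exit_code, message) for the certificate the server has in memory.

    warn_days and crit_days are assumed thresholds, not values from the task.
    """
    rows = parse_status(text)
    raw_after = rows.get("Ssl_server_not_after", "")
    raw_before = rows.get("Ssl_server_not_before", "")
    if not raw_after or not raw_before:
        # Assumption: empty values mean the server started without TLS enabled.
        return CRITICAL, "server reports no loaded TLS certificate"
    try:
        not_after, not_before = parse_date(raw_after), parse_date(raw_before)
    except ValueError:
        return UNKNOWN, "unparseable certificate dates"
    if now < not_before:
        return CRITICAL, f"certificate not valid before {raw_before}"
    if now >= not_after:
        return CRITICAL, f"certificate expired on {raw_after}"
    days_left = (not_after - now).days
    if days_left < crit_days:
        return CRITICAL, f"certificate expires in {days_left} days"
    if days_left < warn_days:
        return WARNING, f"certificate expires in {days_left} days"
    return OK, f"certificate valid for {days_left} more days"

if __name__ == "__main__":
    print(check_cert(SAMPLE, datetime.now(timezone.utc)))
```

Because the input is what the running server reports, the result reflects the certificate loaded in memory rather than the files on disk.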

Dzahn removed Dzahn as the assignee of this task. Mar 6 2017, 7:41 PM
Ottomata triaged this task as Medium priority. Mar 6 2017, 7:44 PM

I am going to close this, as I don't think we are ever going to work on this