
Create automated Icinga check for validity of all TLS certificates on system
Closed, Declined (Public)

Description

Outage https://meta.miraheze.org/wiki/Special:IncidentReports/31 was caused by an old, expired root certificate. If we had an Icinga check covering all TLS certificates present on a system, Icinga could have alerted us and SRE would have been able to fix the root certificate before it expired.

Adding another actionable (from the incident report) here: "Write (or install) a command line utility looping over all certificates in a file, openssl x509'ing those certificates and returning the output."
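The utility the actionable asks for, as an added example that is not part of this task or of Miraheze's puppet repository: a POSIX shell function that splits a PEM bundle into its individual certificates, runs `openssl x509` on each one, and reports expired certificates as CRITICAL and certificates inside a warning window as WARNING, using the Icinga/Nagios plugin exit codes (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). The script name `check_cert_bundle.sh`, the default 30-day window and the helper name `check_bundle` are my choices, not anything the task specifies; the script only depends on `openssl`, `awk` and `mktemp`.

```shell
#!/bin/sh
# check_cert_bundle.sh (hypothetical name): Icinga-style check over every PEM
# certificate in one file, e.g. /etc/ssl/certs/ca-certificates.crt.
#
# Usage: check_bundle BUNDLE [WARN_SECONDS]
# Prints one line per certificate that is expired or expires within
# WARN_SECONDS (default 2592000 = 30 days) and returns the worst state seen:
# 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN (unreadable input or unparsable cert).
check_bundle() {
    bundle=$1
    window=${2:-2592000}
    if [ ! -r "$bundle" ]; then
        echo "UNKNOWN: cannot read $bundle"
        return 3
    fi

    tmpdir=$(mktemp -d) || return 3
    # Split the bundle: every BEGIN..END CERTIFICATE block goes to its own file.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
        out != ""                     { print > (out) }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"

    status=0
    count=0
    for pem in "$tmpdir"/*.pem; do
        [ -e "$pem" ] || break          # no certificates found in the bundle
        count=$((count + 1))
        # openssl x509 refuses malformed input; treat that as UNKNOWN rather
        # than silently skipping a certificate we could not inspect.
        if ! subject=$(openssl x509 -in "$pem" -noout -subject 2>/dev/null); then
            echo "UNKNOWN: certificate #$count in $bundle is not parsable"
            status=3
            continue
        fi
        enddate=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2-)
        # -checkend N exits non-zero when the certificate expires within N
        # seconds, so -checkend 0 means "already expired".
        if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
            echo "CRITICAL: expired $enddate; $subject"
            if [ "$status" -lt 2 ]; then status=2; fi
        elif ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null; then
            echo "WARNING: expires $enddate; $subject"
            if [ "$status" -lt 1 ]; then status=1; fi
        fi
    done
    rm -rf "$tmpdir"

    if [ "$status" -eq 0 ]; then
        echo "OK: $count certificates checked, none expire within $window seconds"
    fi
    return "$status"
}

# Stand-alone use: ./check_cert_bundle.sh /etc/ssl/certs/ca-certificates.crt [seconds]
if [ "${1:-}" ]; then
    check_bundle "$1" "${2:-2592000}"
    exit $?
fi
```

One service check per bundle file, rather than one check per CA, is the point of this layout: the whole system trust store is covered by a single Icinga service whose output lists only the offending certificates, so the check count does not grow with the number of CAs in the bundle. Note that UNKNOWN (3) is numerically the highest state here, so an unparsable certificate overrides a WARNING; swap the comparisons if you prefer CRITICAL to win.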

Event Timeline

Paladox triaged this task as Normal priority. Jun 14 2020, 19:51
Southparkfan lowered the priority of this task from Normal to Low. Oct 13 2020, 21:41
John subscribed.

We now regularly update CA certs on each puppet run - putting the burden of management responsibility on the CAs rather than us. Monitoring all CAs on the system would add approximately another 150 SSL checks which seems disproportionate especially for something we neither maintain nor can control.