On Tue, 2020-08-25 at 16:54 +0200, Damiano Venturin wrote:
> Otherwise another acceptable solution would be to receive a notification
> the first time that the script fails, as there should still be some days
> left before the certificates expire (eventually the cron job could be
> daily to narrow down the time frame). I need to check the Letsencrypt docs
> to see how early they accept renewal.
> Is there in place any notification mechanism or shall I look into the
> script and eventually fire an email?
Probably not what you wanted to hear, but I'm happily using the DebOps Icinga
roles for this ;)
I'm rigorously monitoring all services including all TLS certificates that are
in use. Icinga has check_ssl_cert for this. I use it to monitor:
- Certificate chain validity
- Certificate expiration
- OCSP status
- Common name of certificate issuer (in case the certificate gets reissued by the wrong CA)
- DANE validity
- All of the above with StartTLS-enabled services as well
Icinga, as well as the Icinga web interface, has a steep initial learning
curve. For me it was absolutely worthwhile.
At work we're also monitoring certificate transparency logs (basically
everything that you can find in https://crt.sh/), but that's more for
security and audit reasons and not availability per se.
But yeah, it would be nice to have some kind of failure notification mechanism
in the pki role.
Imre
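To make concrete what three of the checks in Imre's list look like in code (chain validity, issuer common name, and days-to-expiry with warning/critical thresholds), here is an added example written for this thread; it is not code from the DebOps roles, from check_ssl_cert, or from either poster. It is a minimal Icinga/Nagios-style plugin in Go that builds its own throwaway CA and leaf certificate in memory, so it runs offline. The CA name "Example Lab CA", the host "mail.example.test", and the 14/7-day thresholds are constructed values, not check_ssl_cert's defaults.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"os"
	"time"
)

// Icinga/Nagios plugin exit codes.
const (
	StateOK       = 0
	StateWarning  = 1
	StateCritical = 2
)

// CheckResult is the verdict for one certificate.
type CheckResult struct {
	State    int
	Message  string
	DaysLeft int
}

// CheckCert applies three of the checks named in the mail: chain validity against
// the given roots, expected issuer common name, and days left before expiry
// (warnDays / critDays thresholds). OCSP, DANE and StartTLS are out of scope here.
func CheckCert(leaf *x509.Certificate, roots *x509.CertPool, now time.Time,
	wantIssuer string, warnDays, critDays int) CheckResult {
	daysLeft := int(leaf.NotAfter.Sub(now).Hours() / 24)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return CheckResult{StateCritical, "chain invalid: " + err.Error(), daysLeft}
	}
	if got := leaf.Issuer.CommonName; got != wantIssuer {
		return CheckResult{StateCritical, fmt.Sprintf("issuer %q, expected %q", got, wantIssuer), daysLeft}
	}
	msg := fmt.Sprintf("%s expires in %d days (%s)", leaf.Subject.CommonName, daysLeft, leaf.NotAfter.Format(time.RFC3339))
	switch {
	case daysLeft < critDays:
		return CheckResult{StateCritical, msg, daysLeft}
	case daysLeft < warnDays:
		return CheckResult{StateWarning, msg, daysLeft}
	}
	return CheckResult{StateOK, msg, daysLeft}
}

// BuildTestChain creates a constructed CA ("Example Lab CA") and a leaf for
// mail.example.test valid for leafDays days from now, so the checks run offline.
// Pass a second-precision `now`: X.509 validity times carry no sub-second part.
func BuildTestChain(now time.Time, leafDays int) (*x509.Certificate, *x509.CertPool, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Lab CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "mail.example.test"},
		DNSNames:     []string{"mail.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(time.Duration(leafDays) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return leaf, roots, nil
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	names := []string{"OK", "WARNING", "CRITICAL"}
	worst := StateOK
	// Three constructed leaves: comfortably valid, inside the warning window, inside the critical window.
	for _, days := range []int{60, 10, 5} {
		leaf, roots, err := BuildTestChain(now, days)
		if err != nil {
			fmt.Println("UNKNOWN:", err)
			os.Exit(3)
		}
		r := CheckCert(leaf, roots, now, "Example Lab CA", 14, 7)
		fmt.Printf("%s - %s\n", names[r.State], r.Message)
		if r.State > worst {
			worst = r.State
		}
	}
	os.Exit(worst)
}
```

In a real deployment the leaf and chain would come from a TLS handshake (or a StartTLS upgrade) with the service, and the roots from the system trust store; the check order matters because an untrusted chain or a wrong issuer is a problem regardless of how many days are left, which is why both are reported as CRITICAL before expiry is even considered.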