
Report if an expiring certificate is externally signed#366

Merged
rcritten merged 1 commit intofreeipa:masterfrom
rcritten:issue_104
Sep 16, 2025

Conversation

@rcritten
Collaborator

@rcritten rcritten commented Jul 18, 2025

This is intended for externally-signed IPA CA certificates. It should not duplicate user-provided certificates because this check, IPACertmongerExpirationCheck, is based on certmonger tracking and we don't track, by default, user-provided certs.

Fixes: #104

Summary by Sourcery

Enhance the certificate expiration check to load and parse certmonger certificates, detect externally signed certificates, and append a notice that such certificates won’t auto-renew in both warning and error messages; update tests to cover these cases.

New Features:

  • Detect externally signed certificates in the IPACertmongerExpirationCheck and report that they will not auto-renew

Enhancements:

  • Load the certificate blob from certmonger requests and invoke is_ipa_issued_cert to determine IPA issuance before formatting expiration messages

Tests:

  • Extend FakeIPACertificate and mock_certmonger to include a cert blob and add tests for external vs. IPA-issued expiration warnings
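The decision the PR describes (check expiry of each certmonger-tracked certificate, then append a notice when the certificate is not IPA-issued), as an added illustration that is not freeipa-healthcheck's own code. It assumes certificates arrive as plain dicts instead of certmonger request blobs, that IPA issuance is decided by comparing the issuer DN with the IPA CA subject DN, and uses constructed request ids, DNs and note wording.

```python
"""Stand-alone model of the IPACertmongerExpirationCheck behaviour from the PR.

Assumptions (not freeipa-healthcheck code): a certificate is a dict with
request_id, issuer and not_after; is_ipa_issued_cert() compares the issuer
DN with the IPA CA subject DN. The DNs and ids below are constructed.
"""
from datetime import datetime, timedelta, timezone

IPA_CA_SUBJECT = "CN=Certificate Authority,O=EXAMPLE.TEST"  # constructed
EXTERNAL_NOTE = ("This certificate is externally signed and will not "
                 "auto-renew; it must be renewed manually.")


def is_ipa_issued_cert(cert, ipa_ca_subject=IPA_CA_SUBJECT):
    """True when the issuer DN matches the IPA CA subject DN (assumption)."""
    return cert["issuer"] == ipa_ca_subject


def check_expiration(cert, now, warn_days=28):
    """Return (result, message) for one certmonger-tracked certificate.

    Expired -> ERROR, expiring within warn_days -> WARNING, else SUCCESS.
    Externally signed certificates get the no-auto-renew note appended to
    both the warning and the error message, as the PR does.
    """
    remaining = cert["not_after"] - now
    if remaining <= timedelta(0):
        result = "ERROR"
        msg = (f"Request id {cert['request_id']} expired on "
               f"{cert['not_after']:%Y-%m-%d}")
    elif remaining <= timedelta(days=warn_days):
        result = "WARNING"
        msg = f"Request id {cert['request_id']} expires in {remaining.days} days"
    else:
        return "SUCCESS", ""
    if not is_ipa_issued_cert(cert):
        msg += ". " + EXTERNAL_NOTE
    return result, msg


def run_check(certs, now, warn_days=28):
    """Evaluate every tracked certificate, as the check walks certmonger requests."""
    return [(c["request_id"],) + check_expiration(c, now, warn_days) for c in certs]


# Constructed sample: IPA-issued and externally signed certs at different ages.
NOW = datetime(2025, 9, 16, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"request_id": "20250101000000", "issuer": IPA_CA_SUBJECT,
     "not_after": NOW + timedelta(days=10)},
    {"request_id": "20250101000001", "issuer": "CN=Vendor Root CA,O=Vendor",
     "not_after": NOW + timedelta(days=10)},
    {"request_id": "20250101000002", "issuer": "CN=Vendor Root CA,O=Vendor",
     "not_after": NOW - timedelta(days=1)},
    {"request_id": "20250101000003", "issuer": IPA_CA_SUBJECT,
     "not_after": NOW + timedelta(days=400)},
]

if __name__ == "__main__":
    for request_id, result, message in run_check(SAMPLE_CERTS, NOW):
        print(request_id, result, message)
```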


@sourcery-ai sourcery-ai bot left a comment


Hey @rcritten - I've reviewed your changes and they look great!


Collaborator

@frasertweedale frasertweedale left a comment


One minor grammatical fix needed. One non-blocking nit.

Other questions:

  • `IPACertfileExpirationCheck` also emits a _certmonger should renew this_ message. Does it also need to be updated to avoid providing conflicting info?

  • Should IPACAChainExpirationCheck also get this treatment? Noting that the RFE is "Report if caSigningCert is tracked but externally signed"

This is intended for externally-signed IPA CA certificates.
It should not duplicate user-provided certificates because this
check, IPACertmongerExpirationCheck, is based on certmonger
tracking and we don't track, by default, user-provided certs.

Fixes: freeipa#104

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Collaborator

@frasertweedale frasertweedale left a comment


ACK. Still a couple comments above about whether those other checks need similar treatment. But this change itself LGTM.

@rcritten
Collaborator Author

One minor grammatical fix needed. One non-blocking nit.

Other questions:

* `IPACertfileExpirationCheck` also emits a _certmonger should renew this_ message.  Does it also need to be updated to avoid providing conflicting info?

By default, certmonger only tracks IPA issued certificates so this should be ok. Theoretically a user could force tracking on a user-provided cert so I guess this is something we could add later. I just have no idea how prevalent this is.

* Should `IPACAChainExpirationCheck` also get this treatment?  Noting that the RFE is _"Report if caSigningCert is tracked but externally signed"_

In this case I think the current warnings are ok. These are not certmonger-tracked certs but those loaded by ipa-cacert-manage. I think that the current warning is hint enough to take a look at the CA for an event that will happen soon.

Unfortunately most people seem to run healthcheck after the fact.

@rcritten
Collaborator Author

I filed #371 for IPACertfileExpirationCheck.

@rcritten rcritten merged commit d558499 into freeipa:master Sep 16, 2025
8 checks passed
ssidhaye added a commit to ssidhaye/freeipa that referenced this pull request Dec 16, 2025
IPACertmongerExpirationCheck and report that
they will not auto-renew

Related : freeipa/freeipa-healthcheck#104
Related : freeipa/freeipa-healthcheck#366

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>

Development

Successfully merging this pull request may close these issues.

Report if caSigningCert is tracked but externally signed
