Comments (4)
Kellel
commented on July 18, 2024
This might be a dupe of #9
from certmgr.
ferringb
commented on July 18, 2024
At this point, certmgr will regenerate any cert/key/ca if the spec has an mtime newer than that content. There should be an additional CA comparison check iirc, but consider it equivalent.
That's the mechanism it uses to track state; if a spec is dropped in place that has an old mtime, it's not going to fly.
Either way... I think the issue you're running into is probably resolved already in recent certmgr instances. One debug tip- if the spec doesn't specify a restart/reload for the service consuming the cert, then even if the spec changes (and cert/key is regenerated) the service keeps uses the cert's it loaded into memory.
That 'gotcha' is very, very frequently overlooked.
from certmgr.
ferringb
commented on July 18, 2024
Closing this out; in general, certmgr doesn't validate that the pki it wrote to disk in previous runs still matches the new CA it fetches.
This seems to be an intentional design decision; I'm not a huge fan of it, but wiring the validation in is likely non trivial. If someone wishes to take a stab at it, patches welcome however.
from certmgr.
ferringb
commented on July 18, 2024
Note: the ticket linkage wasn't handled fully, but this is fixed in current certmgr master branch via @anita-tenjarla 's validation work, and my tweaks to wire those checks in as a way to force regeneration.
Expect this work to be released in the 2.0 version of certmgr
from certmgr.
Related Issues (20)
- incorrect version for latest 3.0.3 release HOT 1
- Any way to dump certificate bundle? HOT 2
- docs: building and readme outdated HOT 2
- spec as yaml broken HOT 2
- Build fails on riscv64 FreeBSD
- Cut a new release
- "Lookup requires cgo" error when testing the README specs example HOT 3
- cert: no CA file provided, won't write to disk HOT 3
- Make certmgr only look for *.json, *.yaml or *.yml files in certmgr.d dir
- If a CA is renewed call svc manager restart/reload.
- SwissSign certificate filenames contain ':' character HOT 1
- Feature: Certmgr as an in-process supervisor HOT 5
- Certmgr should provide the ability to block startup until all certificates have been created HOT 2
- certmgr ensure doesn't regenerate key if algorithm or size changes HOT 2
- support self-signed certificates HOT 1
- Support on Windows HOT 2
- Incompatibility with cfssl/csr HOT 2
- Feature: Homebrew Install for macOS
- CI builds are broken after go modules
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from certmgr.