Comments (4)
This might be a dupe of #9
from certmgr.
At this point, certmgr will regenerate any cert/key/ca if the spec has an mtime newer than that content. There should be an additional CA comparison check iirc, but consider it equivalent.
That's the mechanism it uses to track state; if a spec is dropped in place that has an old mtime, it's not going to fly.
Either way... I think the issue you're running into is probably resolved already in recent certmgr instances. One debug tip: if the spec doesn't specify a restart/reload for the service consuming the cert, then even if the spec changes (and cert/key is regenerated) the service keeps using the certs it loaded into memory.
That 'gotcha' is very, very frequently overlooked.
Closing this out; in general, certmgr doesn't validate that the pki it wrote to disk in previous runs still matches the new CA it fetches.
This seems to be an intentional design decision; I'm not a huge fan of it, but wiring the validation in is likely non-trivial. If someone wishes to take a stab at it, patches welcome however.
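The two checks the comments above describe, the mtime rule certmgr uses to decide on regeneration and the CA-match validation it does not perform, side by side as an added example. This is not certmgr's own code: the function names (`Decide`, `Scenarios`), the toy CA and the service certificate are all constructed here with the Go standard library, and the decision logic is a stand-in for whatever certmgr does internally. The third scenario shows why the mtime rule alone is not enough: the spec is untouched, so nothing is regenerated, yet the cert on disk no longer chains to the CA just fetched.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Decision records whether stored material should be regenerated and why.
type Decision struct {
	Regenerate bool
	Reason     string
}

// Decide applies the mtime rule from the thread (regenerate when the spec is
// newer than the cert it produced) and then the CA-match check the thread says
// certmgr lacks: the cert written on a previous run must still chain to the CA
// fetched now. certDER and caDER are DER-encoded X.509. (Hypothetical helper.)
func Decide(specMtime, certMtime time.Time, certDER, caDER []byte) Decision {
	if specMtime.After(certMtime) {
		return Decision{true, "spec mtime newer than cert mtime"}
	}
	leaf, err := x509.ParseCertificate(certDER)
	if err != nil {
		return Decision{true, "stored cert unparseable: " + err.Error()}
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return Decision{true, "fetched CA unparseable: " + err.Error()}
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return Decision{true, "stored cert does not chain to fetched CA: " + err.Error()}
	}
	return Decision{false, "spec unchanged and cert chains to current CA"}
}

// newCA builds a self-signed toy CA; constructed test data, not a real CA.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a toy service certificate with the given CA (constructed data).
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
}

// Scenarios replays the situations from the thread, in order: (0) a spec dropped
// in place with an old mtime, (1) a spec edited after the cert was written,
// (2) the CA rotated while the spec stayed untouched.
func Scenarios() ([]Decision, error) {
	caA, keyA, err := newCA("toy-ca-A")
	if err != nil {
		return nil, err
	}
	caB, _, err := newCA("toy-ca-B") // the "new CA" fetched after a rotation
	if err != nil {
		return nil, err
	}
	leaf, err := issueLeaf(caA, keyA, "svc.internal.example")
	if err != nil {
		return nil, err
	}
	certWritten := time.Now()
	return []Decision{
		Decide(certWritten.Add(-48*time.Hour), certWritten, leaf, caA.Raw),
		Decide(certWritten.Add(time.Minute), certWritten, leaf, caA.Raw),
		Decide(certWritten.Add(-48*time.Hour), certWritten, leaf, caB.Raw),
	}, nil
}

func main() {
	ds, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for i, d := range ds {
		fmt.Printf("scenario %d: regenerate=%v (%s)\n", i, d.Regenerate, d.Reason)
	}
}
```

Scenario 0 is the "old mtime" case: the mtime rule alone keeps the stale material, and only because the cert still chains to the same CA is that the right answer. Scenario 2 is the case the closing comment describes: the mtime rule says nothing changed, and it is the chain check that forces regeneration. A real implementation would also need the restart/reload hook mentioned above, since regenerating files on disk does not touch what the consuming service already holds in memory.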
Note: the ticket linkage wasn't handled fully, but this is fixed in current certmgr master branch via @anita-tenjarla's validation work, and my tweaks to wire those checks in as a way to force regeneration.
Expect this work to be released in the 2.0 version of certmgr.