Open wbollock opened 17 hours ago
@wbh1 brought up that the cert fingerprint may be a better way to identify the cert too, which I like for now.
I see your point. CN was used to avoid having an alarm when you renew the cert: the old one expires and the new one replaces the old one.
In my environment we commonly issue certificates for the same instance with multiple OUs, for example:
A lot of the certificate management code considers the common_name as the unique identifier, so multiple OUs are clobbered and metrics will only exist for 1 of the 2 certs.
https://github.com/aarnaud/vault-pki-exporter/blob/1fc17a7e55c7b2c34b70662fd6937d7167103a68/pkg/vault-mon/pki.go#L180-L244
On our fork I had a quick-and-dirty PR to fix the issue that will be cleaned up; just making the issue for awareness: https://github.com/linode-obs/vault-pki-exporter/pull/10
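An added example (not code from vault-pki-exporter, the linked PR, or anyone in this thread) that reproduces the clobbering described above and contrasts it with the fingerprint-keyed approach @wbh1 suggested; the CN, OU and serial values are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert builds a constructed self-signed cert with the given CN and OU (stand-in for a cert listed from the Vault PKI mount, not real data).
func newCert(cn, ou string, serial int64) *x509.Certificate {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// fingerprint is the hex SHA-256 of the DER bytes: distinct per issued cert even when CNs match.
func fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }
// byCN is the identifier the exporter uses today.
func byCN(c *x509.Certificate) string { return c.Subject.CommonName }

// indexCerts keys each cert by keyFn: with byCN, certs sharing a CN clobber one another and only the last survives; with fingerprint all are kept.
func indexCerts(certs []*x509.Certificate, keyFn func(*x509.Certificate) string) map[string]*x509.Certificate {
	m := make(map[string]*x509.Certificate, len(certs))
	for _, c := range certs {
		m[keyFn(c)] = c
	}
	return m
}

func main() {
	certs := []*x509.Certificate{newCert("db01.example.internal", "team-a", 1), newCert("db01.example.internal", "team-b", 2)}
	fmt.Printf("by CN: %d cert(s); by fingerprint: %d cert(s)\n", len(indexCerts(certs, byCN)), len(indexCerts(certs, fingerprint)))
}
```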