cloudflare / certmgr

Automated certificate management using a CFSSL CA.
BSD 2-Clause "Simplified" License

Certmgr should verify that a preexisting cert matches the spec provided #48

Closed Kellel closed 5 years ago

Kellel commented 6 years ago

If certmgr starts and sees that a certificate already exists that is not past its expiration, it will not validate that it matches the parameters specified in the certificate spec. This ends up being an issue in cases when you want to do things like change a SAN.

Kellel commented 6 years ago

This might be a dupe of https://github.com/cloudflare/certmgr/issues/9

ferringb commented 6 years ago

At this point, certmgr will regenerate any cert/key/ca if the spec has an mtime newer than that content. There should be an additional CA comparison check iirc, but consider it equivalent.

That's the mechanism it uses to track state; if a spec is dropped in place that has an old mtime, it's not going to fly.

Either way... I think the issue you're running into is probably resolved already in recent certmgr instances. One debug tip: if the spec doesn't specify a restart/reload for the service consuming the cert, then even if the spec changes (and cert/key is regenerated) the service keeps using the certs it loaded into memory.

That 'gotcha' is very, very frequently overlooked.
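To make the two mechanisms in the comment above concrete, here is an added example (not certmgr's code, and not from anyone in this thread) of a startup decision that combines the mtime rule ferringb describes with the spec-versus-cert comparison the issue asks for. The `Spec` type, the `NeedsRegen`/`Mismatches` functions and the self-signed test cert are all hypothetical stand-ins; the point is that an edited spec dropped in place with an old mtime is invisible to the mtime rule but is caught by comparing the SANs on the parsed certificate against the spec.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"sort"
	"strings"
	"time"
)

// Spec is a hypothetical, stripped-down stand-in for a certmgr spec:
// the CN and the SANs the operator wants on the certificate.
type Spec struct {
	CN    string
	Hosts []string // DNS names or IP literals
}

// hostSet lower-cases, trims, dedups and sorts a host list so that SAN
// ordering or case differences between spec and cert are not reported as drift.
func hostSet(hosts []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, h := range hosts {
		h = strings.ToLower(strings.TrimSpace(h))
		if h != "" && !seen[h] {
			seen[h] = true
			out = append(out, h)
		}
	}
	sort.Strings(out)
	return out
}

// certHosts collects the DNS and IP SANs actually present on the parsed cert.
func certHosts(cert *x509.Certificate) []string {
	hosts := append([]string{}, cert.DNSNames...)
	for _, ip := range cert.IPAddresses {
		hosts = append(hosts, ip.String())
	}
	return hostSet(hosts)
}

// Mismatches lists the ways the on-disk cert differs from the spec.
// An empty result means the existing cert still satisfies the spec.
func Mismatches(cert *x509.Certificate, spec Spec) []string {
	var diffs []string
	if cert.Subject.CommonName != spec.CN {
		diffs = append(diffs, fmt.Sprintf("CN: cert=%q spec=%q", cert.Subject.CommonName, spec.CN))
	}
	want, have := hostSet(spec.Hosts), certHosts(cert)
	if strings.Join(want, ",") != strings.Join(have, ",") {
		diffs = append(diffs, fmt.Sprintf("SANs: cert=%v spec=%v", have, want))
	}
	return diffs
}

// NeedsRegen is the startup decision: the mtime rule from the thread (spec
// newer than cert), an expiry check, and the spec-vs-cert comparison.
func NeedsRegen(cert *x509.Certificate, spec Spec, specMtime, certMtime, now time.Time) (bool, string) {
	if specMtime.After(certMtime) {
		return true, "spec is newer than cert"
	}
	if !now.Before(cert.NotAfter) {
		return true, "cert is expired"
	}
	if d := Mismatches(cert, spec); len(d) > 0 {
		return true, "cert does not match spec: " + strings.Join(d, "; ")
	}
	return false, "cert matches spec"
}

// selfSigned mints a throwaway self-signed cert (constructed demo data, not
// a CA-issued cert) carrying the given CN and SANs.
func selfSigned(cn string, hosts []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed scenario: the cert on disk was issued for one SAN, the spec was
	// then edited to add a second, but the spec file carries an OLD mtime (e.g.
	// restored by config management), so the mtime rule alone would miss it.
	cert, err := selfSigned("svc.example.internal", []string{"svc.example.internal"})
	if err != nil {
		panic(err)
	}
	spec := Spec{CN: "svc.example.internal", Hosts: []string{"svc.example.internal", "svc-alt.example.internal"}}
	old := time.Now().Add(-48 * time.Hour)
	regen, why := NeedsRegen(cert, spec, old, old.Add(time.Hour), time.Now())
	fmt.Println(regen, why)
}
```

The comparison deliberately normalises and sorts hosts before comparing; without that, a spec that merely reorders SANs would trigger a pointless reissue on every run. Note that even when this returns true and the files are rewritten, the reload gotcha above still applies: the consuming service must be told to pick up the new files.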

ferringb commented 5 years ago

Closing this out; in general, certmgr doesn't validate that the pki it wrote to disk in previous runs still matches the new CA it fetches.

This seems to be an intentional design decision; I'm not a huge fan of it, but wiring the validation in is likely non trivial. If someone wishes to take a stab at it, patches welcome however.

ferringb commented 5 years ago

Note: the ticket linkage wasn't handled fully, but this is fixed in current certmgr master branch via @anita-tenjarla's validation work, and my tweaks to wire those checks in as a way to force regeneration.

Expect this work to be released in the 2.0 version of certmgr