fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Renew SCEP certificates 180 days before expiration #19684

Closed noahtalerman closed 2 months ago

noahtalerman commented 5 months ago

Goal

User story
As an IT admin,
I want Fleet to automatically renew the SCEP certificates installed on my hosts 180 days from expiration
so that my SCEP certificates don't expire when an end user goes on parental leave and thus I don't have to turn on MDM again on these macOS hosts.

Context

It looks like this is what Jamf does (from this doc): [screenshot of the Jamf doc]

Today, Fleet renews certificates 30 days from expiration:

Changes

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Manual testing steps

  1. Configure a value less than 180 days for mdm.apple_scep_signer_validity_days when you start your server. This forces Fleet to issue certificates that expire in less than 180 days, so you can see the renewal process without having to wait half a year.
  2. Turn on MDM features for a new macOS host.
  3. Verify the cert expires within the time you set above.
  4. Restart the server without the expiry setting above.
  5. Trigger the cleanups_then_aggregation job, which should enqueue a cert renewal.
  6. Verify that the cert is renewed. You can do this by searching for the "Fleet Identity" certificate in Keychain.
  7. As long as mdm.apple_scep_signer_validity_days is < 180, we'll renew the cert on each cron run. To stop this process, restart the server without the setting set (defaults to 1 year), run the cron again, and verify that the cert issued is for 1 year.

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.
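The renewal decision the testing steps exercise (renew once a certificate has less than 180 days of validity left, where the previous threshold was 30 days) can be reproduced locally without waiting for a cron run. The following Go program is an added example written for this page; it is not Fleet's own renewal code. It builds a self-signed "Fleet Identity" certificate with a configurable validity (standing in for a SCEP-issued cert created under a short mdm.apple_scep_signer_validity_days), and applies the renewal check to it. The constant name RenewalWindow, the function names, and the 100-day sample validity are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// RenewalWindow is the threshold described in the issue: a certificate is
// renewed once it will expire within 180 days. The previous behaviour used
// 30 days, so both values are exercised in main below.
const RenewalWindow = 180 * 24 * time.Hour

// NeedsRenewal reports whether cert should be re-issued at time now, given a
// renewal window. An already expired certificate also returns true so that a
// stale identity is replaced rather than left in place.
func NeedsRenewal(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return now.Add(window).After(cert.NotAfter)
}

// DaysUntilExpiry returns the whole days remaining before cert.NotAfter.
func DaysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// NewTestIdentityCert builds a self-signed certificate valid for validityDays
// starting at now. It stands in for a SCEP-issued host identity (assumption:
// the subject CN "Fleet Identity" matches what the test steps look up in
// Keychain). It returns the parsed certificate and its PEM encoding.
func NewTestIdentityCert(validityDays int, now time.Time) (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Fleet Identity"},
		NotBefore:    now,
		NotAfter:     now.Add(time.Duration(validityDays) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return cert, pemBytes, nil
}

// ParsePEMCert parses the first CERTIFICATE block from PEM input, which is the
// form a certificate exported from a host's Keychain would arrive in.
func ParsePEMCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found in input")
	}
	return x509.ParseCertificate(block.Bytes)
}

func main() {
	now := time.Now().UTC()
	// Constructed sample: a cert issued with 100 days of validity, as if the
	// server had been started with apple_scep_signer_validity_days=100.
	cert, pemBytes, err := NewTestIdentityCert(100, now)
	if err != nil {
		panic(err)
	}
	parsed, err := ParsePEMCert(pemBytes)
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject=%q days_left=%d\n", parsed.Subject.CommonName, DaysUntilExpiry(cert, now))
	fmt.Printf("renew under 30-day window:  %v\n", NeedsRenewal(cert, now, 30*24*time.Hour))
	fmt.Printf("renew under 180-day window: %v\n", NeedsRenewal(cert, now, RenewalWindow))
}
```

On a macOS host, the PEM handed to ParsePEMCert can be exported with `security find-certificate -c "Fleet Identity" -p`, which makes it easy to confirm the NotAfter date before and after the cron run in step 5 rather than reading it off the Keychain UI.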
georgekarrv commented 4 months ago

Hey team! Please add your planning poker estimate with Zenhub @dantecatalfamo @ghernandez345 @gillespi314 @jahzielv @mna @roperzh

georgekarrv commented 4 months ago

Just a call out that this will retry the next cron instead of next day

PezHub commented 3 months ago

QA Notes: I was able to follow the steps above and can confirm the cert renews after the cron job runs

Here's the cert after I set my server variable to expire in 100 days: [screenshot]

Here's the cert once the server variable was removed and the cron job ran. The expire date was updated: [screenshot]

QA Approved!

fleet-release commented 3 months ago

Certificates renewed, Like leaves in spring, not autumn. Admin worries eased.

noahtalerman commented 3 months ago

Hey @marko-lisica I passed this issue to you. When you get the chance (no rush) can you please add this info to a guide/article? Can be one sentence.

Feel free to get help from folks on the engineering team if you have too much on your plate.

noahtalerman commented 2 months ago

When you get the chance (no rush) can you please add this info to a guide/article? Can be one sentence.

TODO @marko-lisica

Potential locations:

noahtalerman commented 2 months ago

When you get the chance (no rush) can you please add this info to a guide/article? Can be one sentence.

TODO @marko-lisica

Potential locations:

Hey @marko-lisica just giving you another ping!

marko-lisica commented 2 months ago

When you get the chance (no rush) can you please add this info to a guide/article? Can be one sentence. TODO @marko-lisica Potential locations:

Hey @marko-lisica just giving you another ping!

@noahtalerman Here's the PR, could you take a look?

noahtalerman commented 2 months ago

PR is merged!

fleet-release commented 2 months ago

Renewal early dawn, SCEP certificates reborn, Effortless, like cloud-borne morn.