Open manicole opened 3 years ago
joe-elliott
commented
3 years ago It appears we do not. I believe this is the line that is failing:
https://github.com/joe-elliott/cert-exporter/blob/master/src/exporters/certHelpers.go#L61
If go has a method for parsing the CRL format perhaps we could add it here. Are you able to submit a PR?
manicole
commented
3 years ago Thanks for your quick answer! I can't submit a PR at the moment, I was looking for an already implemented way to do it. It could be an enhancement then ... but I doubt I'll have the opportunity to provide a solution, sorry :/
joe-elliott
commented
3 years ago It appears that there is support in Go for parsing CRL:
https://golang.org/pkg/crypto/x509/#ParseCRL
but looking at the return value I'm not sure what'd you want reported out of this?
manicole
commented
3 years ago No it won't do ... I hoped to get the expiry time out of such a parser, but I can't find one in this list.
The thing is that if the CRL expires, all certs will be blocked temporarily unless CRL is regenerated. Not revoked, but still blocked. Which is really annoying when in production as you can imagine :/
BernhardGruen
commented
1 year ago Hey,
ParseRecovationList and its type RevocationList (there the attribute NextUpdate) should solve this. If NextUpdate is smaller than current time the CRL is expired.
I am currently looking for a solution to this problem as well and came across this issue - not using cert-exporter myself for the moment.
joe-elliott
commented
1 year ago If either of you is able to put together a PR to add this ability to cert-exporter, I would be happy to merge. I personally don't have the environment to test these changes or understand what a valuable solution would look like.
If neither of you feel comfortable with Go maybe you could coach me through the change?
BernhardGruen
commented
1 year ago Hey,
I am happy to provide a few files to make tests possible for you.
First you need a Secret that contains the ca.crl as data (I will use stringData in this example to make it easier to use and shorter too).
I created the date in ca.crl using the Easy-RSA script and the provided quick start guide and then executing the gen-crl command.
This results in a file pki/crl.pem which will later be part of the Secret (besides the Certificate of the CA in ca.crt) that should ideally be scanned by cert-exporter.
For even better tests I created two CAs and also two CRLs (both in the same Secret).
The CAs are called "Easy-RSA CA" and "Another Easy-RSA CA". Both CRLs will need their next update on 2023-06-08 (info can also be read out with openssl -text -in crl.pem and is found in the field "Next Update").
I have attached a TGZ file that contains nginx-test.yaml and ca-secret.yaml. They can be directly applied to a cluster and apply into namespace default. A running ingress-nginx is needed to actually show the working Client Authentication (this is configured using annotations for the Ingress). I also included the CA (including the Easy-RSA script). For test purposes the CA does not have a password which makes it easy to create a newer CRL for example.
Unfortunately I can't add the TGZ file and I had to rename the yaml files to .txt
In case you need any more information I am happy to provide them.
Hi, Does cert-exporter supports CRL (Certificate Revocation List) ?
I tried it using 2 ways :
Add CRL in .pem format in my CA Secret I created my Secret with
As a result in cert-exporter Pod, I got the following logs :
💡 The ca.crt of my CA Secret is successfully recognized by cert-exporter.
Add CRL in .pem format as an independant Secret I created my Secret with
As a result in cert-exporter Pod, I got the following logs :
My cert-exporter deployment is
A CRL format looks like
Thanks for your help!