smallstep / cli

🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
https://smallstep.com/cli
Apache License 2.0

Feature Request: Notifications #366

Open shoopdawoop opened 4 years ago

shoopdawoop commented 4 years ago

Notifications for events, e.g. successful or failed auto-renewals.

This could be useful when running the step command as a service, e.g. in step ca renew -daemon mode, which could become something like step ca renew -daemon -notification script or step ca renew -daemon -notification pushover, triggering a preconfigured notification or simply running a custom shell script that does the job.

mmalone commented 4 years ago

@shoopdawoop better alerts are a good idea. We're thinking about the best way to do this.

In the meantime, I think you could use the --exec command to step ca renew to call a script after a certificate has been successfully renewed.

You could also use something like step certificate inspect https://google.com --format json | jq -r .validity.end to get the expiry date of a certificate in a script (e.g., running on a systemd timer) and send an alert if it's approaching expiry.

I remember discussing a simpler mechanism to detect whether a certificate is about to expire (some subcommand that lets you ask "is this certificate within of expiring?" and get a 0/1 exit value) but I don't think we ever built it. We probably should, but the jq approach works decently for now I guess.

Hopefully this helps! Happy to answer any follow-up questions, and if you get something knocked together I'd love to see it!
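A worked version of the inspect/jq/systemd-timer approach from the comment above, added here as an example; it is not part of the step CLI or of this thread. It selects `.validity.end` from `step certificate inspect --format json`, computes the days left, and returns the 0/1 exit status the comment describes (plus 2 when the check itself fails). The live path assumes the `step` binary is on PATH; the JSON sample is constructed and only its `validity.end` field matters.

```python
"""Certificate-expiry alert built around
`step certificate inspect <target> --format json` (the jq pipeline above).

Added example, not part of the step CLI. The live path assumes `step` is on
PATH; the computation functions work on the constructed sample below and
need no network or step install. Exit status: 0 = fine, 1 = within the
alert window (or already expired), 2 = the check itself failed.
"""
import argparse
import json
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed stand-in for `step certificate inspect --format json` output;
# only the fields used here are included and the values are made up.
SAMPLE_INSPECT_JSON = """{
  "subject": {"common_name": "example.internal"},
  "validity": {
    "start": "2024-05-01T00:00:00Z",
    "end": "2024-05-31T00:00:00Z",
    "length": 2592000
  }
}"""


def parse_rfc3339(value: str) -> datetime:
    """Parse the RFC 3339 timestamps Go (and therefore step) prints, e.g.
    2024-05-31T00:00:00Z or 2024-05-31T00:00:00.123456789+00:00, to aware UTC."""
    v = value.strip()
    if v.endswith("Z"):
        v = v[:-1] + "+00:00"
    v = re.sub(r"(\.\d{6})\d+", r"\1", v)  # Python parses at most microseconds
    dt = datetime.fromisoformat(v)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without offset: {value!r}")
    return dt.astimezone(timezone.utc)


def validity_end_from_inspect(inspect_json: str) -> datetime:
    """Same selection as `jq -r .validity.end`, plus parsing."""
    return parse_rfc3339(json.loads(inspect_json)["validity"]["end"])


def days_remaining(validity_end: datetime, now: datetime) -> float:
    """Days until expiry; negative once the certificate has expired."""
    return (validity_end - now) / timedelta(days=1)


def needs_alert(validity_end: datetime, now: datetime, threshold_days: float = 7.0) -> bool:
    """True when the certificate expires within threshold_days, or has expired."""
    return days_remaining(validity_end, now) <= threshold_days


def inspect_validity_end(target: str) -> datetime:
    """Live path: run `step certificate inspect <file-or-https-url> --format json`."""
    proc = subprocess.run(
        ["step", "certificate", "inspect", target, "--format", "json"],
        check=True, capture_output=True, text=True,
    )
    return validity_end_from_inspect(proc.stdout)


def main(argv=None) -> int:
    ap = argparse.ArgumentParser(description="exit 1 if the certificate is close to expiry")
    ap.add_argument("target", help="certificate file or https://host[:port]")
    ap.add_argument("--days", type=float, default=7.0, help="alert window in days")
    args = ap.parse_args(argv)
    now = datetime.now(timezone.utc)
    try:
        end = inspect_validity_end(args.target)
    except (subprocess.CalledProcessError, FileNotFoundError, KeyError, ValueError) as exc:
        print(f"inspect failed for {args.target}: {exc}", file=sys.stderr)
        return 2  # distinct from "expiring": a broken check must not look healthy
    left = days_remaining(end, now)
    if needs_alert(end, now, args.days):
        print(f"ALERT {args.target}: expires {end.isoformat()} ({left:.1f} days left)")
        return 1
    print(f"ok {args.target}: {left:.1f} days left")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from a systemd timer, e.g. `python3 check_expiry.py /etc/step/certs/svc.crt --days 14` (file name and path are hypothetical), and let the unit's failure status drive the notification. Exit status 2 is deliberately distinct from 1 so that a missing binary or an unreadable file is never mistaken for a healthy certificate. For the client-side case, `step ca renew --daemon --exec <command>` runs the command after each successful renewal, as noted in the comment above; later step releases also added `step certificate needs-renewal`, which performs this exit-code check natively, so check `step certificate --help` on your version before scripting around inspect.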

shoopdawoop commented 4 years ago

@mmalone thank you,

right now I am using certbot renew --post-hook "some-script.sh" on the client side, so I will probably stick with that for now (no need to install step on the client).

So I guess I should add to my suggestion a notification functionality on the server side, which would be quite useful as well. I might just monitor the server's logs and see how well that works for me.

mmalone commented 4 years ago

@shoopdawoop ah, ok. Didn't realize you wanted this stuff server-side.

Monitoring the logs should work pretty well. You may want to add:

    "logger": {
        "format": "json"
    },

to your ca.json to make them a bit easier to parse programmatically.

We have a few open issues around exporting information from the step-ca database, and we're planning some alerting functionality for our hosted product (alerts for certificates that are about to expire are high priority). So you should see more functionality here soon.
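An added example (not step-ca's own code) of the server-side log monitoring suggested above: once `logger.format` is `json`, each line can be parsed and renewal requests that did not succeed turned into alerts. The field names (`time`, `level`, `msg`, `method`, `path`, `status`, `remote-address`, `error`) and the renewal paths are assumptions for illustration, modelled on logrus-style JSON lines; check one real line from your CA and adjust the constants. The sample log lines are constructed, not captured from a real CA.

```python
"""Scan step-ca JSON logs for failed renewal requests.

Added example, not step-ca code. Field names and request paths below are
assumptions modelled on logrus-style JSON lines; verify against one real line
from your CA (logger.format = "json" in ca.json) and adjust the constants.
"""
import json
import sys
from collections import Counter

# Assumed names of the fields this script reads.
F_TIME, F_LEVEL, F_MSG, F_METHOD, F_PATH, F_STATUS, F_CLIENT, F_ERROR = (
    "time", "level", "msg", "method", "path", "status", "remote-address", "error")
# Assumed request paths for renewals (unversioned and versioned API).
RENEW_PATHS = ("/renew", "/1.0/renew")

# Constructed sample, not captured from a real CA: one good renewal, one
# rejected renewal, an unrelated sign request, a non-JSON line, a server error.
SAMPLE_LOG = """\
{"time":"2024-05-20T10:00:01Z","level":"info","msg":"","method":"POST","path":"/1.0/renew","status":200,"remote-address":"10.0.0.12"}
{"time":"2024-05-20T10:00:02Z","level":"info","msg":"","method":"POST","path":"/1.0/renew","status":401,"remote-address":"10.0.0.13","error":"x509: certificate has expired or is not yet valid"}
{"time":"2024-05-20T10:00:03Z","level":"info","msg":"","method":"POST","path":"/1.0/sign","status":201,"remote-address":"10.0.0.14"}
May 20 10:00:03 plain-text line from before the logger was switched to json
{"time":"2024-05-20T10:00:04Z","level":"error","msg":"renew failed","method":"POST","path":"/renew","status":500,"remote-address":"10.0.0.13"}
"""


def parse_records(text):
    """Return (list of JSON-object records, number of lines skipped as non-JSON)."""
    records, skipped = [], 0
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if isinstance(rec, dict):
            records.append(rec)
        else:
            skipped += 1
    return records, skipped


def is_renewal(rec):
    return rec.get(F_METHOD) == "POST" and rec.get(F_PATH) in RENEW_PATHS


def is_failure(rec):
    """Either the logger flagged an error or the HTTP status is 4xx/5xx."""
    status = rec.get(F_STATUS)
    return rec.get(F_LEVEL) == "error" or (isinstance(status, int) and status >= 400)


def find_renewal_failures(text):
    """Alerts for renewal requests that did not succeed, in log order."""
    records, _ = parse_records(text)
    return [
        {
            "time": rec.get(F_TIME),
            "client": rec.get(F_CLIENT, "?"),
            "status": rec.get(F_STATUS),
            "reason": rec.get(F_ERROR) or rec.get(F_MSG) or "",
        }
        for rec in records
        if is_renewal(rec) and is_failure(rec)
    ]


def summarize(text):
    """Counts a notifier can include: good renewals, failed ones, unparsed lines."""
    records, skipped = parse_records(text)
    counts = Counter(
        "failed" if is_failure(rec) else "ok" for rec in records if is_renewal(rec)
    )
    return {"renew_ok": counts["ok"], "renew_failed": counts["failed"],
            "non_json_lines": skipped}


def format_alert(alert):
    return (f"[step-ca] renewal failed at {alert['time']} from {alert['client']}: "
            f"status={alert['status']} {alert['reason']}").rstrip()


def main():
    """Read log lines from stdin; print one line per failure; exit 1 if any."""
    text = sys.stdin.read()
    alerts = find_renewal_failures(text)
    for alert in alerts:
        print(format_alert(alert))
    print("summary:", summarize(text), file=sys.stderr)
    return 1 if alerts else 0


if __name__ == "__main__":
    sys.exit(main())
```

Pipe the CA's recent log output into it (for a systemd-managed CA, `journalctl -o cat` on the unit, whose name depends on your install) and hand the printed lines to whatever notifier you use; the non-zero exit status lets a timer unit or a wrapper script trigger the notification. The non-JSON line count is reported on purpose: a sudden jump there usually means the logger format changed or the lines are being truncated, which would otherwise silently hide failures.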

dopey commented 3 years ago

Hey, circling back on this issue - we've released certificate observability (visibility, alerting, monitoring) as part of our hosted product. You can "link" an open source CA to the hosted product and start seeing new certificates in the UI.

Linking a single open source CA is free. Sign up here: https://info.smallstep.com/certificate-manager-early-access-mvp/, and follow the directions to link an existing CA. Encourage anyone looking to get visibility into their step-ca PKI to try this out and give us feedback. cheers!

Note: you'll need to recreate your provisioners using the new step beta ca provisioner subcommand group. Let us know if you're having any issues there and we'll be happy to help. For real time help, come find us on Discord - https://discord.gg/ypu2T7qg9y.