Open shoopdawoop opened 4 years ago
@shoopdawoop better alerts are a good idea. We're thinking about the best way to do this.
In the meantime, I think you could use the `--exec` command to `step ca renew` to call a script after a certificate has been successfully renewed.
You could also use something like `step certificate inspect https://google.com --format json | jq -r .validity.end` to get the expiry date of a certificate in a script (e.g., running on a systemd timer) and send an alert if it's approaching expiry.
I remember discussing a simpler mechanism to detect whether a certificate is about to expire (some subcommand that lets you ask "is this certificate within `jq`
approach works decently for now I guess.
Hopefully this helps! Happy to answer any follow-up questions, and if you get something knocked together I'd love to see it!
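The expiry check sketched above (`step certificate inspect ... | jq -r .validity.end` on a systemd timer), as an added example that is not from the original thread: it turns the `notAfter` timestamp into days remaining and exits non-zero when that drops below a threshold. It assumes GNU `date` (for `date -d`), an `ALERT_DAYS` threshold of 14 days, and that `step` and `jq` are on `PATH` when a host is passed.

```shell
#!/bin/sh
# Constructed example: alert when a certificate is within ALERT_DAYS of expiry.
# Assumes GNU date (date -d). Intended to run from a systemd timer or cron.

# Days before notAfter at which we start alerting (assumed default).
ALERT_DAYS="${ALERT_DAYS:-14}"

# Convert an RFC 3339 timestamp, as printed by `jq -r .validity.end`,
# into whole days remaining relative to a given epoch time.
# Usage: days_until_expiry <notAfter-timestamp> <now-epoch-seconds>
days_until_expiry() {
    exp_epoch=$(date -u -d "$1" +%s) || return 2
    now_epoch=$2
    # Integer division truncates toward zero; an already-expired cert
    # yields 0 or a negative number, which is still below the threshold.
    echo $(( (exp_epoch - now_epoch) / 86400 ))
}

# Print OK/ALERT and return 1 on alert so the calling unit shows as failed.
# Usage: check_expiry <notAfter-timestamp> <now-epoch-seconds>
check_expiry() {
    days=$(days_until_expiry "$1" "$2") || { echo "ERROR: cannot parse '$1'"; return 2; }
    if [ "$days" -lt "$ALERT_DAYS" ]; then
        echo "ALERT: certificate expires in $days day(s) (notAfter $1)"
        return 1
    fi
    echo "OK: certificate expires in $days day(s) (notAfter $1)"
    return 0
}

# When a hostname is given, fetch notAfter from the live endpoint with
# step + jq and check it against the current time. With no argument the
# script only defines the functions, so it can be sourced for testing.
if [ -n "$1" ]; then
    not_after=$(step certificate inspect "https://$1" --format json | jq -r .validity.end)
    check_expiry "$not_after" "$(date -u +%s)"
fi
```

Hook the alert into whatever you already use (a `logger` call, a webhook, or `OnFailure=` on the systemd service) where the script returns 1.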
@mmalone thank you, right now I am using `certbot renew --post-hook "some-script.sh"` on the client side, so I will probably stick with that for now (no need to install `step` on the client).
So I guess I should add to my suggestion a notification functionality on the server side, which would be quite useful as well. I might just monitor the server's logs and see how well that works for me.
@shoopdawoop ah, ok. Didn't realize you wanted this stuff server-side.
Monitoring the logs should work pretty well. You may want to add:

```json
"logger": {
  "format": "json"
},
```

to your `ca.json` to make them a bit easier to parse programmatically.
We have a few open issues around exporting information from the `step-ca` database, and we're planning some alerting functionality for our hosted product (alerts for certificates that are about to expire are high priority). So you should see more functionality here soon.
Hey, circling back on this issue - we've released certificate observability (visibility, alerting, monitoring) as part of our hosted product. You can "link" an open source CA to the hosted product and start seeing new certificates in the UI.
Linking a single open source CA is free. Sign up here: https://info.smallstep.com/certificate-manager-early-access-mvp/, and follow the directions to link an existing CA. Encourage anyone looking to get visibility into their step-ca PKI to try this out and give us feedback. cheers!
Note: you'll need to recreate your provisioners using the new `step beta ca provisioner` subcommand group. Let us know if you're having any issues there and we'll be happy to help. For real time help, come find us on Discord - https://discord.gg/ypu2T7qg9y.
Notifications for events, e.g. successful or failed auto-renewals.

This could be useful when running the `step` command as a service, e.g. in `step ca renew -daemon` mode, which could become something like `step ca renew -daemon -notification script` or `step ca renew -daemon -notification pushover`, triggering a preconfigured notification or simply running a custom shell script that does the job.