Open jcpunk opened 1 year ago
The current provider https://github.com/voxpupuli/puppet-openssl/blob/1b41c6e68dd4bc0cf28a047ea61cf03cdf70ca16/lib/puppet/provider/x509_cert/openssl.rb#L58-L67 does already check for some attributes, but not for the dates of the certificate.
I did that in an alternative provider like this:

```ruby
require 'openssl'
require 'pathname'
require 'pp' # Object#pretty_inspect

def exists?
  # A missing file is absent, so Puppet will call create.
  return false unless Pathname.new(resource[:path]).exist?

  debug 'Certificate found, checking validity.'
  cert = OpenSSL::X509::Certificate.new(File.read(resource[:path]))
  debug "Certificate parsed as #{cert.pretty_inspect}"
  raise 'No validity dates found in certificate.' if cert.not_before.nil? || cert.not_after.nil?

  # Present only while more than 30 days of validity remain.
  (cert.not_after - Time.now).to_i > (30 * 24 * 3600)
end
```
This will consider the certificate absent if there is less than 30 days left to its not_after date, i.e. the certificate expires within 30 days. If the resource is considered absent, Puppet will call the create method of the provider.
Affected Puppet, Ruby, OS and module versions/distributions
How to reproduce (e.g Puppet code you use)
What are you seeing
When the certificate expires, Puppet doesn't appear to care
What behaviour did you expect instead
When the certificate expires, a new cert would be generated from the private key
Output log
Any additional information you'd like to impart
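The renewal-threshold check proposed in this issue, written as a stand-alone example that is not part of puppet-openssl: `cert_state` classifies a PEM certificate as missing, invalid, expiring or valid against a configurable `renew_days` window, and `make_self_signed` is a constructed helper that builds a throwaway self-signed certificate so the check can run offline.

```ruby
require 'openssl'

# Added example, not the puppet-openssl provider's code: an x509_cert
# resource counts as "present" only while more than renew_days of validity
# remain, so anything else makes Puppet call create (as the proposal above).
SECONDS_PER_DAY = 24 * 3600

# Returns :missing, :invalid, :expiring or :valid for a PEM string.
def cert_state(pem, renew_days: 30, now: Time.now)
  return :missing if pem.nil? || pem.empty?
  cert = OpenSSL::X509::Certificate.new(pem)
  raise 'No validity dates found in certificate.' if cert.not_before.nil? || cert.not_after.nil?
  return :invalid if now < cert.not_before # not yet valid: treat as unusable
  remaining = (cert.not_after - now).to_i
  return :expiring if remaining <= renew_days * SECONDS_PER_DAY
  :valid
rescue OpenSSL::X509::CertificateError
  :invalid # unparseable file: regenerate rather than leave it in place
end

# Puppet-style exists?: only :valid is "present".
def cert_exists?(pem, renew_days: 30, now: Time.now)
  cert_state(pem, renew_days: renew_days, now: now) == :valid
end

# Constructed sample: a self-signed certificate valid for `days` days from now.
def make_self_signed(days, now: Time.now)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=example-test')
  cert.public_key = key.public_key
  cert.not_before = now - 60
  cert.not_after = now + days * SECONDS_PER_DAY
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if $PROGRAM_NAME == __FILE__
  puts cert_state(make_self_signed(365)) # valid
  puts cert_state(make_self_signed(10))  # expiring
end
```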