puppet-openssl
Replace expired certificate?
Affected Puppet, Ruby, OS and module versions/distributions
- Puppet: 7.24.0
- Ruby:
- Distribution: CentOS Stream 9
- Module version: 2.0.1
How to reproduce (e.g. Puppet code you use)

```puppet
class { '::openssl::certificate':
  x509_certs => {
    '/path/to/certificate.crt' => {
      ensure      => 'present',
      password    => 'j(D$',
      private_key => '/there/is/my/private.key',
      days        => 4,
      force       => false,
    }
  }
}
```
What are you seeing
When the certificate expires, puppet doesn't appear to care
What behaviour did you expect instead
When the certificate expires, a new cert would be generated from the private key
Output log
Any additional information you'd like to impart
The current provider https://github.com/voxpupuli/puppet-openssl/blob/1b41c6e68dd4bc0cf28a047ea61cf03cdf70ca16/lib/puppet/provider/x509_cert/openssl.rb#L58-L67 does already check for some attributes, but not for the dates of the certificate.
I did that in an alternative provider like
```ruby
def exists?
  return false unless Pathname.new(resource[:path]).exist?

  debug 'Certificate found, checking validity.'
  cert = OpenSSL::X509::Certificate.new(File.read(resource[:path]))
  debug "Certificate parsed as #{cert.pretty_inspect}"
  raise 'No validity dates found in certificate.' if cert.not_before.nil? || cert.not_after.nil?

  (cert.not_after - Time.now).to_i > (30 * 24 * 3600) # certificate valid for more than 30 days
end
```
This will consider the certificate absent if there is less than 30 days left to its not_after date, i.e. the certificate expires within 30 days. If the resource is considered absent, Puppet will call the create method of the provider.
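The validity check above, worked as a stand-alone example (added here; not code from the issue or from the puppet-openssl module). It generalizes the 30-day rule into a `cert_status` classifier with a configurable renewal window and an injectable clock, so the expired, expiring-soon and not-yet-valid cases can all be tested against a constructed self-signed certificate. `make_cert`, `cert_status`, `present?` and `RENEW_WINDOW_DAYS` are names assumed for this example.

```ruby
require 'openssl'

RENEW_WINDOW_DAYS = 30 # same window the proposed exists? uses

# Constructed helper for the example: build a self-signed certificate
# with an explicit validity window so each case can be exercised offline.
def make_cert(key, not_before:, not_after:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=example.test')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Classify a PEM certificate by its validity dates relative to `now`.
# Returns :not_yet_valid, :expired, :expiring_soon or :valid.
def cert_status(pem, now: Time.now, renew_window_days: RENEW_WINDOW_DAYS)
  cert = OpenSSL::X509::Certificate.new(pem)
  raise 'No validity dates found in certificate.' if cert.not_before.nil? || cert.not_after.nil?

  remaining = cert.not_after - now # seconds left, negative once expired
  return :not_yet_valid if now < cert.not_before
  return :expired if remaining <= 0
  return :expiring_soon if remaining <= renew_window_days * 24 * 3600

  :valid
end

# Mirrors the exists? semantics: only a certificate with more than the
# renewal window left counts as present, so Puppet regenerates the rest.
def present?(pem, **opts)
  cert_status(pem, **opts) == :valid
end

if $PROGRAM_NAME == __FILE__
  key = OpenSSL::PKey::RSA.new(2048)
  pem = make_cert(key, not_before: Time.now - 86_400, not_after: Time.now + 10 * 86_400)
  puts "status=#{cert_status(pem)} present=#{present?(pem)}"
end
```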