Bug 1964728

Summary: private sub directory not evaluated / concatenated pem files
Product: [Fedora] Fedora EPEL
Component: x509watch
Version: epel8
Status: ASSIGNED
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Reporter: Leon Fauster <leonfauster>
Assignee: Robert Scheck <redhat-bugzilla>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: redhat-bugzilla

Description Leon Fauster 2021-05-25 22:59:10 UTC
Hello Robert,

Description of problem:

Context:

Some software uses concatenated pem files (private key and a corresponding certificate
in one file). 

Such files are stored under /etc/pki/tls/private/ to reflect the requirements of
the private key (secret). 

x509watch unfortunately excludes /private/. This results in not finding pem files under
/etc/pki/tls/private/. The same happens when the --directory /etc/pki/tls/private/ parameter
is given.


Right now we use a dirty hack:

sed -i '/exclude/ s/private/ignore/'  /usr/bin/x509watch


How reproducible:
Steps to Reproduce:
1. cat key-, certexpired-, intercert-file to /etc/pki/tls/private/test.pem 
2. /usr/bin/x509watch
3. no results

Expected results:
stdout: /etc/pki/tls/private/test.pem () is not valid since 2021-05-09


Suggestion/solutions:

1. Delete "private" from the exclude array, or

2. As hinted above: allow an explicitly given, recursively searched filesystem
   path (--directory) to not be excluded / to be forced. This would allow a setup
   via OPTIONS in /etc/sysconfig/x509watch, or

3. Allow the search to traverse links. This would allow setting up the service
   with the help of "ln -s /etc/pki/tls/private /etc/pki/tls/services"


Thanks!
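
The behaviour asked for in suggestion 2, sketched as an added example (not x509watch's code and not part of the report): "private" is pruned while descending, an explicitly named root is searched anyway, and only the CERTIFICATE blocks of a concatenated key-plus-certificate file are counted. The function names, the force_roots switch, the exact exclusion semantics and the dummy PEM bodies are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# One PEM block; the captured label is e.g. "CERTIFICATE" or "PRIVATE KEY".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s+-----END \1-----", re.S)

def pem_labels(path):
    """Return the labels of all PEM blocks in a file, in file order."""
    try:
        with open(path, "r", errors="replace") as fh:
            return [m.group(1) for m in PEM_BLOCK.finditer(fh.read())]
    except OSError:
        return []  # unreadable file (key files are often mode 0600): skip it

def find_cert_files(roots, exclude=("private",), force_roots=True):
    """List (path, certificate count, has private key) for files with certs.
    Assumed semantics: names in exclude are pruned while descending. With
    force_roots=False a root whose own path contains an excluded name is
    dropped too (the reported behaviour); with True it is always searched."""
    found = []
    for root in map(os.path.normpath, roots):
        if not force_roots and set(root.split(os.sep)) & set(exclude):
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            # Prune in place so os.walk never enters excluded subdirectories.
            dirnames[:] = sorted(d for d in dirnames if d not in exclude)
            for name in sorted(filenames):
                path = os.path.join(dirpath, name)
                labels = pem_labels(path)
                if "CERTIFICATE" in labels:
                    key = any(l.endswith("PRIVATE KEY") for l in labels)
                    found.append((path, labels.count("CERTIFICATE"), key))
    return found

def demo():
    """Constructed tree: scan all, then private/ unforced, then private/ forced."""
    block = "-----BEGIN {0}-----\nQUJD\n-----END {0}-----\n".format  # dummy body
    with tempfile.TemporaryDirectory() as tls:
        priv = os.path.join(tls, "private")
        os.makedirs(priv)
        os.makedirs(os.path.join(tls, "certs"))
        with open(os.path.join(tls, "certs", "ca.pem"), "w") as fh:
            fh.write(block("CERTIFICATE"))
        with open(os.path.join(priv, "test.pem"), "w") as fh:  # key + 2 certs
            fh.write(block("PRIVATE KEY") + block("CERTIFICATE") * 2)
        rel = lambda rows: [(os.path.relpath(p, tls), n, k) for p, n, k in rows]
        cases = (([tls], True), ([priv], False), ([priv], True))
        return [rel(find_cert_files(r, force_roots=f)) for r, f in cases]
```

The has-private-key flag lets a caller hand only the certificate blocks to the expiry check and leave the key material unparsed.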

Comment 1 Leon Fauster 2021-07-16 18:36:21 UTC
Any update? Thx.