Bug 461270

Summary: replace spacewalk-ssl-cert-check with certwatch
Product: [Community] Spacewalk Reporter: Jesus M. Rodriguez <jesusr>
Component: ServerAssignee: Jan Pazdziora <jpazdziora>
Status: CLOSED CURRENTRELEASE QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: medium Docs Contact:
Priority: medium    
Version: 0.2CC: cperry, jpazdziora, rssjames
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-08-19 08:24:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 585232    
Attachments:
Description Flags
Trival patch to require crypto-utils instead of spacewalk-ssl-cert-check none

Description Jesus M. Rodriguez 2008-09-05 13:24:08 UTC 
spacewalk-ssl-cert-check provides /etc/cron.daily/rhn-ssl-cert-check
which checks for expiration of the SSL certs in the satellite or proxy
Apache config files and sends an email if they're nearing expiry. This
seems pretty close to what certwatch does (provided by crypto-utils in
RHEL5 and Fedora 9).

For Satellite this would probably need to wait until it uses the
standard Apache config file location in /etc/httpd/conf.d (does this
sound right?), but does anyone see any issues with changing this for
Proxy? (this would mean emails go to root instead of the
traceback_email setting in rhn.conf, but that seems fairly minor)
Comment 1 Rob James 2008-09-05 14:13:50 UTC 
Created attachment 315907 [details]
Trival patch to require crypto-utils instead of spacewalk-ssl-cert-check
Comment 3 Jan Pazdziora 2010-05-04 12:43:29 UTC 
Taking.
Comment 4 Jan Pazdziora 2010-05-04 12:55:54 UTC 
It seems to be actually pretty easy to change the email destination to be the Satellite administrator, with

export CERTWATCH_OPTS="--address $( spacewalk-cfg-get traceback_mail )"

line in /etc/sysconfig/httpd.

The bigger problem is that the email then is

From: root <root.com>
To: admin
Subject: The certificate for vmware145.example.com will expire in 2 days

 ################# SSL Certificate Warning ################

  Certificate for hostname 'vmware145.example.com', in file:
     /etc/pki/tls/certs/spacewalk.crt

  The certificate needs to be renewed; this can be done
  using the 'genkey' program.

  Browsers will not be able to correctly connect to this
  web site using SSL until the certificate is renewed.

 ##########################################################
                                  Generated by certwatch(1)

which is certainly an improvement to our current

From: root <root.com>
To: admin
Subject: /usr/share/ssl/ssl-cert-check: Certificate for FILE will expire in 60-days or less

The SSL certificate for FILE will expire on Apr 22 12:32:49 2036 GMT

which does not state the hostname nor the file name in the email body.

However, the email text generated by certwatch recommends to use genkey to renew the certificate. We most probably want to recommend rhn-ssl-tool ... but there is no way to change the text produced by certwatch via some parameters, and the output is piped directly to sendmail.

So it looks like we'll still have to have our own package anyway, probably duplicating the certwatch job script.
Comment 5 Jan Pazdziora 2010-05-04 14:21:11 UTC 
Done in Spacewalk master, 78291f1becc421fb431ad200b776b58821fe93dc.

Tagged as spacewalk-ssl-cert-check-2.0-1.
Comment 6 Jan Pazdziora 2010-05-05 09:54:22 UTC 
The package was built and is in the nightly repo.

Please give it a try -- it can be installed on Spacewalk 1.0 as well.
Comment 7 Milan Zázrivec 2010-08-19 08:24:00 UTC 
Spacewalk 1.1 has been released.