Bug 461270 - replace spacewalk-ssl-cert-check with certwatch
Status: CLOSED CURRENTRELEASE
Product: Spacewalk
Classification: Community
Component: Server
Version: 0.2
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Jan Pazdziora
QA Contact: Red Hat Satellite QA List
Blocks: space11
Reported: 2008-09-05 09:24 EDT by Jesus M. Rodriguez
Modified: 2010-08-19 04:24 EDT
Doc Type: Bug Fix
Last Closed: 2010-08-19 04:24:00 EDT
Attachments
Trivial patch to require crypto-utils instead of spacewalk-ssl-cert-check (879 bytes, patch)
2008-09-05 10:13 EDT, Rob James

Description Jesus M. Rodriguez 2008-09-05 09:24:08 EDT
spacewalk-ssl-cert-check provides /etc/cron.daily/rhn-ssl-cert-check
which checks for expiration of the SSL certs in the satellite or proxy
Apache config files and sends an email if they're nearing expiry. This
seems pretty close to what certwatch does (provided by crypto-utils in
RHEL5 and Fedora 9).

For Satellite this would probably need to wait until it uses the
standard Apache config file location in /etc/httpd/conf.d (does this
sound right?), but does anyone see any issues with changing this for
Proxy? (this would mean emails go to root instead of the
traceback_email setting in rhn.conf, but that seems fairly minor)
Comment 1 Rob James 2008-09-05 10:13:50 EDT
Created attachment 315907
Trivial patch to require crypto-utils instead of spacewalk-ssl-cert-check
Comment 3 Jan Pazdziora 2010-05-04 08:43:29 EDT
Taking.
Comment 4 Jan Pazdziora 2010-05-04 08:55:54 EDT
It seems to be actually pretty easy to change the email destination to be the Satellite administrator, with

export CERTWATCH_OPTS="--address $( spacewalk-cfg-get traceback_mail )"

line in /etc/sysconfig/httpd.

The bigger problem is that the email then is

From: root <root@vmware145.example.com>
To: admin@example.com
Subject: The certificate for vmware145.example.com will expire in 2 days

 ################# SSL Certificate Warning ################

  Certificate for hostname 'vmware145.example.com', in file:
     /etc/pki/tls/certs/spacewalk.crt

  The certificate needs to be renewed; this can be done
  using the 'genkey' program.

  Browsers will not be able to correctly connect to this
  web site using SSL until the certificate is renewed.

 ##########################################################
                                  Generated by certwatch(1)

which is certainly an improvement to our current

From: root <root@vmware145.example.com>
To: admin@example.com
Subject: /usr/share/ssl/ssl-cert-check: Certificate for FILE will expire in 60-days or less

The SSL certificate for FILE will expire on Apr 22 12:32:49 2036 GMT

which does not state the hostname or the file name in the email body.

However, the email text generated by certwatch recommends using genkey to renew the certificate. We most probably want to recommend rhn-ssl-tool ... but there is no way to change the text produced by certwatch via some parameters, and the output is piped directly to sendmail.

So it looks like we'll still have to have our own package anyway, probably duplicating the certwatch job script.
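
An added example, not part of this bug thread and not the code from the Spacewalk commit: a daily job of the kind Comment 4 describes, where the mail text is built locally so it can name rhn-ssl-tool and still state the hostname and the file. The function names, the 30-day threshold, the fallback to root and the wording of the mail are assumptions; it needs GNU date, openssl and a sendmail binary.

```shell
#!/bin/bash
# Added example, not the Spacewalk script. Function names and the 30-day
# threshold are assumptions; the certificate path is the one quoted above.

# Seconds from epoch $2 until the openssl notAfter date in $1 (GNU date).
seconds_left() {
    local end
    end=$(date -u -d "$1" +%s) || return 2
    echo $(( $end - $2 ))
}

# Print a mail for "sendmail -t", or nothing if more than $5 days remain.
# Args: hostname, cert file, notAfter, recipient, threshold days, now (epoch)
build_warning() {
    local host="$1" file="$2" not_after="$3" rcpt="$4" days="$5" now="$6"
    local left when
    left=$(seconds_left "$not_after" "$now") || return 2
    if [ "$left" -gt $(( $days * 86400 )) ]; then return 0; fi
    when="will expire in $(( $left / 86400 )) days"
    [ "$left" -gt 0 ] || when="has expired"
    cat <<EOF
To: $rcpt
Subject: The certificate for $host $when

Certificate for hostname '$host', in file:
   $file
Not valid after: $not_after

Renew the certificate with rhn-ssl-tool and install the new one.
EOF
}

# Read the expiry date from the certificate and mail a warning if needed.
check_cert() {
    local file="$1" rcpt="$2" not_after mail
    not_after=$(openssl x509 -in "$file" -noout -enddate) || return 2
    not_after="${not_after#notAfter=}"
    mail=$(build_warning "$(hostname -f)" "$file" "$not_after" "$rcpt" 30 \
        "$(date +%s)") || return 2
    [ -z "$mail" ] || printf '%s\n' "$mail" | /usr/sbin/sendmail -t
}

# Run only where the Spacewalk tools exist; fall back to root as recipient.
if command -v spacewalk-cfg-get >/dev/null 2>&1; then
    rcpt=$(spacewalk-cfg-get traceback_mail)
    check_cert /etc/pki/tls/certs/spacewalk.crt "${rcpt:-root}"
fi
```

Because the message is assembled in build_warning rather than inside the checker, a certificate that has already expired produces a distinct subject line instead of a negative day count.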
Comment 5 Jan Pazdziora 2010-05-04 10:21:11 EDT
Done in Spacewalk master, 78291f1becc421fb431ad200b776b58821fe93dc.

Tagged as spacewalk-ssl-cert-check-2.0-1.
Comment 6 Jan Pazdziora 2010-05-05 05:54:22 EDT
The package was built and is in the nightly repo.

Please give it a try -- it can be installed on Spacewalk 1.0 as well.
Comment 7 Milan Zázrivec 2010-08-19 04:24:00 EDT
Spacewalk 1.1 has been released.
