Bug 461270 - replace spacewalk-ssl-cert-check with certwatch
Summary: replace spacewalk-ssl-cert-check with certwatch
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: Server
Version: 0.2
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jan Pazdziora (Red Hat)
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: space11
TreeView+ depends on / blocked
 
Reported: 2008-09-05 13:24 UTC by Jesus M. Rodriguez
Modified: 2010-08-19 08:24 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-08-19 08:24:00 UTC
Embargoed:

Attachments (Terms of Use)
Trival patch to require crypto-utils instead of spacewalk-ssl-cert-check (879 bytes, patch)
2008-09-05 14:13 UTC, Rob James 		no flags Details | Diff
View All

Description Jesus M. Rodriguez 2008-09-05 13:24:08 UTC 
spacewalk-ssl-cert-check provides /etc/cron.daily/rhn-ssl-cert-check
which checks for expiration of the SSL certs in the satellite or proxy
Apache config files and sends an email if they're nearing expiry. This
seems pretty close to what certwatch does (provided by crypto-utils in
RHEL5 and Fedora 9).

For Satellite this would probably need to wait until it uses the
standard Apache config file location in /etc/httpd/conf.d (does this
sound right?), but does anyone see any issues with changing this for
Proxy? (this would mean emails go to root instead of the
traceback_email setting in rhn.conf, but that seems fairly minor)
Comment 1 Rob James 2008-09-05 14:13:50 UTC 
Created attachment 315907 [details]
Trival patch to require crypto-utils instead of spacewalk-ssl-cert-check
Comment 3 Jan Pazdziora (Red Hat) 2010-05-04 12:43:29 UTC 
Taking.
Comment 4 Jan Pazdziora (Red Hat) 2010-05-04 12:55:54 UTC 
It seems to be actually pretty easy to change the email destination to be the Satellite administrator, with

export CERTWATCH_OPTS="--address $( spacewalk-cfg-get traceback_mail )"

line in /etc/sysconfig/httpd.

The bigger problem is that the email then is

From: root <root.com>
To: admin
Subject: The certificate for vmware145.example.com will expire in 2 days

 ################# SSL Certificate Warning ################

  Certificate for hostname 'vmware145.example.com', in file:
     /etc/pki/tls/certs/spacewalk.crt

  The certificate needs to be renewed; this can be done
  using the 'genkey' program.

  Browsers will not be able to correctly connect to this
  web site using SSL until the certificate is renewed.

 ##########################################################
                                  Generated by certwatch(1)

which is certainly an improvement to our current

From: root <root.com>
To: admin
Subject: /usr/share/ssl/ssl-cert-check: Certificate for FILE will expire in 60-days or less

The SSL certificate for FILE will expire on Apr 22 12:32:49 2036 GMT

which does not state the hostname nor the file name in the email body.

However, the email text generated by certwatch recommends to use genkey to renew the certificate. We most probably want to recommend rhn-ssl-tool ... but there is no way to change the text produced by certwatch via some parameters, and the output is piped directly to sendmail.

So it looks like we'll still have to have our own package anyway, probably duplicating the certwatch job script.
Comment 5 Jan Pazdziora (Red Hat) 2010-05-04 14:21:11 UTC 
Done in Spacewalk master, 78291f1becc421fb431ad200b776b58821fe93dc.

Tagged as spacewalk-ssl-cert-check-2.0-1.
Comment 6 Jan Pazdziora (Red Hat) 2010-05-05 09:54:22 UTC 
The package was built and is in the nightly repo.

Please give it a try -- it can be installed on Spacewalk 1.0 as well.
Comment 7 Milan Zázrivec 2010-08-19 08:24:00 UTC 
Spacewalk 1.1 has been released.
Note You need to log in before you can comment on or make changes to this bug.