Show warning for self-generated CA certificates that are...

... unused Change-Id: I8c8ffd9fcdb32009fbb6c9353467d54bb2ce0862 Reviewed-on: http://review.couchbase.org/c/ns_server/+/162129 Tested-by: Timofey Barmin <timofey.barmin@couchbase.com> Reviewed-by: Artem Stemkovski <artem@couchbase.com>
couchbase · Sep 28, 2021 · 09e1e6b · 09e1e6b
1 parent 6f95bee
commit 09e1e6b
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/src/ns_error_messages.erl b/src/ns_error_messages.erl
@@ -289,6 +289,9 @@ reload_node_certificate_error({test_server_error, Reason}) ->
 reload_node_certificate_error(could_not_decrypt) ->
     <<"Failed to decrypt provided private key. Check password">>.
 
+node_certificate_warning(unused) ->
+    <<"This certificate is auto-generated and doesn't seem to be used by any "
+      "node anymore">>;
 node_certificate_warning(mismatch) ->
     <<"Certificate is not signed with cluster CA.">>;
 node_certificate_warning(expired) ->

diff --git a/src/ns_server_cert.erl b/src/ns_server_cert.erl
@@ -1013,7 +1013,18 @@ get_warnings() ->
                       end,
                   ExpWarnings = expiration_warnings(CAProps),
                   Id = proplists:get_value(id, CAProps),
-                  [{{ca, Id}, W} || W <- SelfSignedWarnings ++ ExpWarnings]
+                  UnusedWarnings =
+                      case proplists:get_value(type, CAProps) of
+                          generated ->
+                              CAPem = proplists:get_value(pem, CAProps, <<>>),
+                              case filter_nodes_by_ca(Nodes, CAPem) of
+                                  [] -> [unused];
+                                  _ -> []
+                              end;
+                          _ -> []
+                      end,
+                  [{{ca, Id}, W} || W <- SelfSignedWarnings ++ ExpWarnings ++
+                                         UnusedWarnings]
           end, trusted_CAs(props)),
     NodeWarnings ++ CAWarnings.