SSL Certificate renew without node private key change #286
SonarCloud Quality Gate failed. 0 Bugs No Coverage information
Minor nitpick
Hi @Wayonb @Jaguar0625, would you like to review this PR? I believe it is important for the near future node maintenance. This new feature detects, warns, and re-generates node certs when they are close to expiration. It does NOT include node private key regeneration. That feature requires a harvesters.dat migration tool that is outside my expertise. Once we have a migration tool, I can upgrade the
How to test it:
About to expire simulation
Would you like to include this feature as-is (without private key regeneration)? I'm keen to release bootstrap before adding symbol-network to the mix and other code improvements and clean up.
feat: certificate expiration warnings when upgrading
feat: certificate expiration check in healthCheck
Note: Node Private Keys are kept, not regenerated
feat: renewCertificates command - Only updates when the certificate expires in less than 30 days.
feat: certificate expiration warnings when upgrading - When the certificate expires in less than 30 days
feat: certificate expiration check in healthCheck - Fails when the certificate expires in less than 30 days.
This is the initial work for https://github.com/symbol/symbol-bootstrap/issues/285
Currently, this PR will help node admins renew a node SSL certificate, but without changing the node/transport private key (or main private key). Ideally, when the SSL node certificate is renewed, a new node/transport private key should be used. This requires harvesters.dat migration and a node key relink (link command handles that already).
Once we have the harvesters.dat migration tool (catapult tool or ts native if possible), I would include the migration to the renewCertificates so the migration is fairly simple while keeping the security standards by default.
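The behaviour described in this PR (renew only when the certificate expires in less than 30 days, and keep the existing private key) can be reproduced with plain openssl commands. This is an added example, not symbol-bootstrap's code; the P-256 key, the subject, the file names and the 365-day validity are constructed assumptions. It also confirms that the renewed certificate still carries the same public key, which is why this kind of renewal extends validity without rotating the key.

```shell
#!/bin/sh
# Added example, not symbol-bootstrap code. The 30-day window is the PR's;
# key type, subject, file names and the 365-day validity are constructed.
WINDOW_DAYS=30
RENEW_DAYS=365

# SHA-256 of the public key embedded in a certificate.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a private key file.
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'
}

# Exit 0 when the certificate expires in less than WINDOW_DAYS.
expires_soon() {
    ! openssl x509 -in "$1" -noout -checkend $((WINDOW_DAYS * 86400)) >/dev/null
}

# Self-signed certificate for an existing key: $1 key, $2 cert, $3 days.
issue_cert() {
    openssl req -x509 -new -key "$1" -out "$2" -days "$3" \
        -subj "/CN=example-node" 2>/dev/null
}

# Renew only inside the window, reusing the key: $1 key, $2 cert.
# Prints "renewed" or "skipped".
renew_if_needed() {
    [ -r "$1" ] && [ -r "$2" ] || return 1
    if expires_soon "$2"; then
        issue_cert "$1" "$2.new" "$RENEW_DAYS" || return 1
        # Install only a certificate that carries the unchanged node key.
        [ "$(cert_pubkey_hash "$2.new")" = "$(key_pubkey_hash "$1")" ] || return 1
        mv "$2.new" "$2" && echo renewed
    else
        echo skipped
    fi
}

# Demo on constructed material in a temporary directory.
demo_dir=$(mktemp -d)
openssl ecparam -name prime256v1 -genkey -noout -out "$demo_dir/node.key.pem"
issue_cert "$demo_dir/node.key.pem" "$demo_dir/node.crt.pem" 10
renew_if_needed "$demo_dir/node.key.pem" "$demo_dir/node.crt.pem"  # renewed
renew_if_needed "$demo_dir/node.key.pem" "$demo_dir/node.crt.pem"  # skipped
rm -rf "$demo_dir"
```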