
SSL Certificate renew without node private key change #286

Merged
Merged 1 commit into dev from certificates_renewal on Jan 14, 2022

Conversation

@fboucquez (Owner) commented Aug 12, 2021

feat: renewCertificates command - Only updates when the certificate expires in less than 30 days.
feat: certificate expiration warnings when upgrading - When the certificate expires in less than 30 days
feat: certificate expiration check in healthCheck - Fails when the certificate expires in less than 30 days.

This is the initial work for the https://github.com/symbol/symbol-bootstrap/issues/285

Currently, this PR will help node admins renew a node SSL certificate without changing the node/transport private key (or main private key). Ideally, when the SSL node certificate is renewed, a new node/transport private key should be used. This requires a harvesters.dat migration and a node key relink (the link command handles that already).

Once we have the harvesters.dat migration tool (catapult tool or TS native if possible), I would include the migration in renewCertificates so the migration is fairly simple while keeping the security standards by default.

@fboucquez fboucquez marked this pull request as draft August 12, 2021 13:46
sonarcloud bot commented Aug 13, 2021

SonarCloud Quality Gate failed: 0 Bugs (A), 0 Vulnerabilities (A), 1 Security Hotspot (E), 1 Code Smell (A); no coverage information; 0.0% duplication.

@segfaultxavi (Contributor) left a review comment on src/commands/renewCertificates.ts (outdated, resolved):

Minor nitpick
@fboucquez fboucquez changed the title Certificate renew POC SSL Certificate renew without node private key change Jan 12, 2022
@fboucquez fboucquez marked this pull request as ready for review January 12, 2022 03:32
@fboucquez (Owner, Author) commented Jan 12, 2022

Hi @Wayonb @Jaguar0625, would you like to review this PR? I believe it is important for near-future node maintenance.

This new feature detects, warns, and re-generates node certs when they are close to expiration. It does NOT include node private key regeneration. That feature requires a harvesters.dat migration tool that is outside my expertise. Once we have a migration tool, I can upgrade the renewCertificates in a future PR.

How to test it:
Not expired

symbol-bootstrap wizard
symbol-bootstrap config -c custom-preset.yml
symbol-bootstrap config -c custom-preset.yml  --upgrade (no cert warning)
symbol-bootstrap renewCertificates -c custom-preset.yml  (no cert upgrade)
symbol-bootstrap renewCertificates  (no cert upgrade)

About to expire simulation

symbol-bootstrap wizard
echo 'certificateExpirationWarningInDays: 376' >> custom-preset.yml  (Certificate is always "about to expire")
symbol-bootstrap config -c custom-preset.yml
symbol-bootstrap config -c custom-preset.yml --upgrade  (shows warning)
symbol-bootstrap renewCertificates -c custom-preset.yml (cert upgrade)
symbol-bootstrap renewCertificates (cert upgrade, prompts keys)

Would you like to include this feature as-is (without private key regeneration)? I'm keen to release bootstrap before adding symbol-network to the mix and other code improvements and clean up.
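As an added example (not code from symbol-bootstrap or from this PR), the two checks this thread turns on, written as a POSIX shell script over the openssl CLI: the "expires in less than N days" test that renewCertificates and healthCheck apply with a 30-day threshold, and a test of whether a renewed certificate still carries the old key pair, which is the situation the PR description flags (renewal without node/transport key rotation). The file names, the CN "example-node" and the self-signed Ed25519 test certificates are constructed for the example; it assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not symbol-bootstrap code. Assumes OpenSSL >= 1.1.1
# (Ed25519 support). File names and the CN are assumptions.

# Exit 0 when CERT stays valid for at least DAYS more days, 1 when it
# expires sooner or is already expired. `-checkend` takes seconds.
cert_valid_for_days() {
    cert=$1; days=$2
    openssl x509 -noout -in "$cert" -checkend $((days * 86400)) >/dev/null 2>&1
}

# "ok" or "renew" for the given threshold: the PR only renews when fewer
# than DAYS remain, and healthCheck fails on the same condition.
cert_status() {
    if cert_valid_for_days "$1" "$2"; then echo ok; else echo renew; fi
}

# SHA-256 of the SubjectPublicKeyInfo (DER) carried in a certificate.
cert_pubkey_fp() {
    openssl x509 -noout -in "$1" -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public half of a private key file, same encoding.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# "same-key" when CERT was issued for the key in KEY, "rotated" otherwise.
key_rotation_status() {
    if [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]; then
        echo same-key
    else
        echo rotated
    fi
}

# Issue a self-signed certificate for KEY valid for DAYS days
# (constructed test material standing in for a node certificate).
issue_selfsigned() {
    key=$1; days=$2; out=$3
    openssl req -x509 -new -key "$key" -days "$days" \
        -subj "/CN=example-node" -out "$out" 2>/dev/null
}

# Constructed scenario: a node cert that expires in 10 days, then renewed
# twice, once keeping the key (what this PR does) and once with a new key.
demo() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm ED25519 -out "$dir/node.key" 2>/dev/null
    issue_selfsigned "$dir/node.key" 10 "$dir/node.crt"
    echo "current cert, 30-day threshold: $(cert_status "$dir/node.crt" 30)"
    echo "current cert, 5-day threshold:  $(cert_status "$dir/node.crt" 5)"

    issue_selfsigned "$dir/node.key" 375 "$dir/renewed.crt"
    echo "renewed, old key kept:          $(key_rotation_status "$dir/renewed.crt" "$dir/node.key")"

    openssl genpkey -algorithm ED25519 -out "$dir/new.key" 2>/dev/null
    issue_selfsigned "$dir/new.key" 375 "$dir/rotated.crt"
    echo "renewed, key rotated:           $(key_rotation_status "$dir/rotated.crt" "$dir/node.key")"
    rm -rf "$dir"
}
```

`cert_status node.crt 30` is the shape of the check the PR adds to healthCheck; `key_rotation_status renewed.crt node.key` printing same-key is what a renewal performed by this PR produces, so an admin who also wants the stronger property has to rotate the node key and relink it separately, as the description says.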

feat: certificate expiration warnings when upgrading
feat: certificate expiration check in healthCheck

Note: Node Private Keys are kept, not regenerated
sonarcloud bot commented Jan 14, 2022

SonarCloud Quality Gate failed: 0 Bugs (A), 0 Vulnerabilities (A), 1 Security Hotspot (E), 1 Code Smell (A); no coverage information; 0.0% duplication.

@fboucquez fboucquez merged commit 030d497 into dev Jan 14, 2022
@fboucquez fboucquez deleted the certificates_renewal branch January 14, 2022 19:40