Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improvement: Support TLS Expiry alerts also for CA certs in cert chain #2594

Merged
merged 5 commits into from May 28, 2023
Merged

Improvement: Support TLS Expiry alerts also for CA certs in cert chain #2594

merged 5 commits into from May 28, 2023

Conversation

skaempfe
Copy link
Contributor

@skaempfe skaempfe commented Jan 12, 2023
edited

⚠️⚠️⚠️ Since we do not accept all types of pull requests and do not want to waste your time. Please be sure that you have read pull request rules:
https://github.com/louislam/uptime-kuma/blob/master/CONTRIBUTING.md#can-i-create-a-pull-request-for-uptime-kuma

Tick the checkbox if you understand [x]:

  • I have read and understand the pull request rules.

Description

Fixes #2593

Type of change

Please delete any options that are not relevant.

  • Other

Checklist

  • My code follows the style guidelines of this project
  • I ran ESLint and other linters for modified files
  • I have performed a self-review of my own code and tested it
  • I have commented my code, particularly in hard-to-understand areas
    (including JSDoc for methods)
  • My changes generate no new warnings

Screenshots (if any)

Please do not use any external image service. Instead, just paste in or drag and drop the image here, and it will be uploaded automatically.

@skaempfe
[louislam#2593] during certificate evaluation also set the cert type …
f6d0f28 
…for improved notifications
@skaempfe
[louislam#2593] renamed the method sendCertNotification to better r…
a21a47d 
…epresent what id does. Evaluate certificate expiry from all certs in chain. Send a separate notification for every cert in chain, including cert type and CN.
@skaempfe
[louislam#2501] Dashboard: Details Page
a6894d3 
- enable clickable URL on Dashboard Details if monitor is of type `mp-health`
@louislam louislam added this to the 1.22.0 milestone Feb 24, 2023
@louislam louislam added the question Further information is requested label Apr 4, 2023
@louislam
Copy link
Owner

louislam commented Apr 4, 2023

I want to test this. I am wondering how to prepare test cases.

@skaempfe
Copy link
Contributor Author

skaempfe commented Apr 5, 2023
edited

I'll try my best to describe all steps necessary but it's not trivial.

To run such a Test you need a CA (or sub ca) with an expiry date below kuma's threshold (default 7/14/21). The server certificate should have an expiry date outside of this threshold.
For testing purposes I created a self-signed CA (10 days valid) and then a server-cert signed by that CA (60 days valid).

I attached two openssl config files - one for creating the ca and one for creating the server cert:
openssl_ca.cnf.txt
openssl_cert.cnf.txt

Create a private key for the CA:

openssl genrsa -out rootCAKey.pem 2048

Create a CA - with an expiration after 10 days (the defaults are from the openssl_ca.cnf.txt):

openssl req -config ./openssl_ca.cnf.txt -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.pem -days 10

Create a private key for the "server":

openssl genrsa -out mydomain.com.key 2048

Create the Server CSR (the defaults are from the openssl_cert.cnf.txt):

openssl req -config openssl_cert.cnf.txt -new -key mydomain.com.key -out mydomain.com.csr
note: depending on the test setup you should ensure that one of the Subject Alternate Names matches the URL which you use to access the web server. As I ran a local apache, I used "https://127.0.0.1:8443" and that's the reason I added that IP via openssl_cert.cnf.txt as one of the SAN entries.

Sign the CSR with an expiration after 60 days:

openssl x509 -req -in mydomain.com.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out mydomain.com.crt -sha256 -extensions req_ext -extfile openssl_cert.cnf.txt -days 60

Set up a webserver

using the mydomain.com.crt + mydomain.com.key and additionally set up the rootCACert.pem as CA (apache: SSLCertificateChainFile).

Start kuma and tell it to trust the CA:

NODE_EXTRA_CA_CERTS=/path/to/the/rootCACert.pem npm run dev

Set up a new HTTP(s) monitor for the web server.

  • set up at least one Notification
  • enable at least one notification on that monitor, otherwise the alert would not be triggered (monitor.js line 1127).
  • enable the check box "Certificate Expiry Notification"

As soon as the monitor is running, it will show the certificates and the expiry of the server cert (60 days) but when clicking on it you can see the root ca with "Days Remaining: 10".

furthermore you should find similar log statements when the checks are running:

2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: [cert-test] Check cert
2023-04-05T18:00:47+02:00 [CERT] DEBUG: Parsing Certificate Info
2023-04-05T18:00:47+02:00 [CERT] DEBUG: [0] CC:B3:89:39:17:CF:6F:B6:F2:7B:69:27:C2:22:BD:45:99:A3:16:FB
2023-04-05T18:00:47+02:00 [CERT] DEBUG: [1] BC:97:D2:D9:04:9D:53:CF:5D:5A:36:32:34:C2:15:BE:F7:34:05:06
2023-04-05T18:00:47+02:00 [CERT] DEBUG: [Last] BC:97:D2:D9:04:9D:53:CF:5D:5A:36:32:34:C2:15:BE:F7:34:05:06
2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: [cert-test] call checkCertExpiryNotifications
2023-04-05T18:00:47+02:00 [SETTINGS] DEBUG: Get Setting (cache): tlsExpiryNotifyDays: 7,14,21
2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: No need to send cert notification for server certificate "t6atmac08.local" (60 days valid) on 7 deadline.
2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: No need to send cert notification for root CA certificate "uptime-kuma-pr-2594" (10 days valid) on 7 deadline.
2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: No need to send cert notification for server certificate "t6atmac08.local" (60 days valid) on 14 deadline.
2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: call sendCertNotificationByTargetDays for 14 deadline on certificate uptime-kuma-pr-2594.
2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: Send certificate notification
2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: Sending to cert-expiry
2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: No need to send cert notification for server certificate "t6atmac08.local" (60 days valid) on 21 deadline.
2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: call sendCertNotificationByTargetDays for 21 deadline on certificate uptime-kuma-pr-2594.
2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: Send certificate notification
2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: Sending to cert-expiry
2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: [cert-test] Check isImportant
2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: [cert-test] sendNotification
2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: [cert-test] apicache clear
2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: Monitor #5 'cert-test': Successful Response: 8 ms | Interval: 60 seconds | Type: http
2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: [cert-test] Send to socket
2023-04-05T18:00:47+02:00 [UPTIMECACHELIST] DEBUG: clearCache: 5
2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: [cert-test] Store
2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: [cert-test] prometheus.update
2023-04-05T18:00:47+02:00 [MONITOR] DEBUG: [cert-test] SetTimeout for next check.

@skaempfe
Copy link
Contributor Author

skaempfe commented Apr 5, 2023

Well, just came across this idea:
you do not really need a custom CA.
Just go to the general settings of uptime-kuma -> notifications -> TLS Certificate Expiry
and define a new threshold above the expiry date of some ca You are using.

as reference:
https://demo.uptime.kuma.pet:27000/
has a server cert expiring in 1 month, ~ 12 days.
the sub ca "R3" from Let's Encrypt has an expiry date of 2025-09-15 - that's roundabout 894 days. A threshold of 900 days should trigger an alert for the R3 (sub ca) but not for the root ca (ISRG Root X1 / valid until 2035).
This should trigger the server cert also as it would be within that threshold window.

Today's uptime-kuma will only trigger an alert fort the server cert. This patch here will also trigger an separate alert for each intermediate or root ca within expiry threshold.

@louislam
Merge remote-tracking branch 'origin/master' into skaempfe#2593
0b8dddb 
# Conflicts:
#	server/model/monitor.js
#	src/pages/Details.vue
@louislam
Resolve conflict
8ed2b59
@louislam louislam merged commit 0735f12 into louislam:master May 28, 2023
16 checks passed
@stefanux
Copy link
Sponsor

greatly appreciated 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
1.22.0
Development

Successfully merging this pull request may close these issues.

[Improvement] Support TLS Expiry alerts also for CA certs in cert chain
3 participants
@skaempfe @louislam @stefanux