Fix wildcard cert handling + stale cert detection via TLS serial comparison#25
Merged
…l comparison

- Fix: wildcard certs stored as _.domain on disk but *.domain in Vault — the Vault KV lookup was always failing, so no wildcard cert ever got updated. NormalizeDomainForVault() converts _.foo → *.foo before any Vault call.
- Fix: stale cert detection (pit138 scenario) — if Vault has a freshly renewed cert but HAProxy is still serving the old one, shouldUpdateCertificate() returned false (Vault cert not expiring). Serial comparison via TLS dial to the HAProxy HTTPS frontend now catches this case and triggers a push.
- Add: certificatee_certificates_wildcard_total metric to track how many HAProxy endpoints still have wildcard (*) certs in their pre-migration filename format. Useful for monitoring the _.domain migration on the Grafana dashboard.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
## Summary

- **Fix wildcard cert Vault lookup** — HAProxy stores wildcard certs as `_.domain.pem` on disk, but certificator stores them in Vault as `*.domain`. `shouldUpdateCertificate` was doing a Vault lookup with `_.domain`, which always returned not found, so wildcard certs were never updated. Added `NormalizeDomainForVault()` to convert `_.foo → *.foo` before any Vault call.
- **Fix stale cert detection (pit138 scenario)** — If Vault has a freshly renewed cert but HAProxy is still serving the expired one, `shouldUpdateCertificate` returned false (the Vault cert isn't expiring). Added `checkSerialMismatch()`, which TLS-dials the HAProxy HTTPS frontend (`host:443`, same node as DPAPI), reads the live X.509 cert, and compares its serial to the Vault cert. If they differ → push. This bypasses DPAPI storage endpoint path normalization issues entirely.
- **Add `certificatee_certificates_wildcard_total` metric** — Counts how many certs per endpoint still have `*` in their storage name (pre-migration format). Used on the Grafana dashboard to track the `*.domain → _.domain` Rundeck migration progress.

## Files changed

- `pkg/certmetrics/metrics.go` — new `CertificatesWildcard` gauge
- `pkg/haproxy/client.go` — `GetServedCertificate()`, `NormalizeDomainForVault()`, `httpsHost()`
- `cmd/certificatee/main.go` — domain normalization, wildcard count, serial mismatch check

## Test plan

- `nix develop --command check`) passes
- `certificatee_certificates_wildcard_total` appears in VictoriaMetrics

🤖 Generated with Claude Code
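The two mechanisms the Summary describes, the `_.domain` → `*.domain` key normalization and the serial comparison against the certificate HAProxy actually serves, shown together as an added Go example. This is not the project's code: the function names `NormalizeDomainForVault`, `GetServedCertificate` and `ShouldUpdateCertificate` are reimplemented here from the PR description, the certificates are constructed in memory, and a loopback TLS listener stands in for the HAProxy HTTPS frontend (`host:443` in the real deployment). The example reproduces the pit138 case: the listener serves an expired serial while "Vault" holds a freshly renewed one, so the expiry rule alone would say "no push" and only the serial rule catches it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// NormalizeDomainForVault maps the on-disk wildcard filename form ("_.example.com")
// to the Vault key form ("*.example.com"); any other name passes through unchanged.
// Illustrative reimplementation, not the function from pkg/haproxy/client.go.
func NormalizeDomainForVault(domain string) string {
	if strings.HasPrefix(domain, "_.") {
		return "*." + strings.TrimPrefix(domain, "_.")
	}
	return domain
}

// GetServedCertificate dials addr over TLS, sends serverName as SNI and returns the
// leaf certificate the server actually presents. Verification is skipped on purpose:
// the point is to observe what is being served, even when it is already expired.
func GetServedCertificate(addr, serverName string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	peers := conn.ConnectionState().PeerCertificates
	if len(peers) == 0 {
		return nil, errors.New("server presented no certificate")
	}
	return peers[0], nil
}

// SerialMismatch is true when the served cert's serial differs from the Vault cert's.
func SerialMismatch(served, vault *x509.Certificate) bool {
	return served.SerialNumber.Cmp(vault.SerialNumber) != 0
}

// ShouldUpdateCertificate combines the original expiry rule with the serial rule:
// push when the Vault cert is within renewBefore of expiry, or when a served cert
// could be read and carries a different serial than the Vault cert.
func ShouldUpdateCertificate(served, vault *x509.Certificate, renewBefore time.Duration, now time.Time) bool {
	if now.Add(renewBefore).After(vault.NotAfter) {
		return true
	}
	return served != nil && SerialMismatch(served, vault)
}

// newSelfSigned builds a throwaway self-signed certificate (constructed test data)
// with the given serial and expiry so the stale/fresh pair can be simulated offline.
func newSelfSigned(serial int64, cn string, notAfter time.Time) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-48 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

func main() {
	// Simulated pit138 scenario: the loopback listener (standing in for HAProxy) still
	// serves the expired serial 1001 while Vault holds the renewed serial 1002.
	oldTLS, _, err := newSelfSigned(1001, "*.example.com", time.Now().Add(-24*time.Hour))
	if err != nil {
		panic(err)
	}
	_, vaultCert, err := newSelfSigned(1002, "*.example.com", time.Now().Add(90*24*time.Hour))
	if err != nil {
		panic(err)
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{oldTLS}})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() { // one handshake is enough for the probe
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	vaultKey := NormalizeDomainForVault("_.example.com") // key the Vault lookup must use
	served, err := GetServedCertificate(ln.Addr().String(), "www.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("vault key %s: served serial %v, vault serial %v, push=%v\n", vaultKey,
		served.SerialNumber, vaultCert.SerialNumber,
		ShouldUpdateCertificate(served, vaultCert, 30*24*time.Hour, time.Now()))
}
```

Serial comparison rather than NotAfter comparison is the right discriminator here: two certs for the same name renewed by the same CA can differ only in serial and validity window, and the serial is the field guaranteed to change on every issuance. Reading it from the live TLS handshake also sidesteps the DPAPI storage path question entirely, which is why the PR can ignore how the file is named on disk for this check.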