Skip to content

v2.0.0
Compare
Choose a tag to compare
@ferringb ferringb released this 17 Jul 17:05
v2.0.0
863b635

certmgr 2.0.0

This release breaks API compatibility with certmgr-1.x and has much more strict
validation logic for what certmgr tolerates.

Specifically:

  • certmgr daemon configuration must now be yaml- json is no longer supported.
  • Spec's must now define their notification mechanism- actions- fully. If a spec
    lacks svcmgr or action or service- this is fine, it just means nothing is
    notified. If any of those are specified, then the resultant configuration must
    be validly parsed by the svcmgr that is targeted.
  • Spec's are now strictly validated; unknown/unsupported fields in a spec is now
    a parse error that will prevent usage of the spec. Typo's will be caught, is the
    short version.

There has been significant enhancement to the handling of on disk PKI since 1.6.4.
Major improvements are thus:

  • Ondisk PKI content- CA, cert, key- are all now fully validated. Cert and key are
    checked to confirm they're a valid keypair; cert is checked to confirm it still is
    signed by the current CA. On disk CA is checked to ensure it's the actual remote CA; etc.
    In particular, key algorithm and size are now also validated- certmgr will now detect
    if they're no longer matching the spec and it will force regeneration.
  • Via the previous change, mtime checks are no longer relied upon. This- and the above-
    removes the source of all known false positive "force a regeneration" events for
    certmgr.
  • Certmgr no longer can trigger two actions for when a CA and cert/key has changed; it
    now only triggers a single action once PKI content is updated for both.
  • Certmgr now opportunistically tries to renew cert/key when the CA has changed; the
    goal is to maximize the lifespan of the new content since we already have to trigger
    a notification of the consuming service.

Finally, other major improvements that aren't PKI related:

  • yaml is now properly supported for spec definitions. It's much more human readable,
    thus it's our recommendation to use that format if at all possible.
  • metrics were rewritten in full. Each spec now has basic metrics exported indicated
    expiry time, event counts for maintainance of the spec, failure counts, etc. It
    should be possible to now have sane operational monitoring of certmgr, including
    alerting.
  • certmgr now longer has a permission race for content it writes to disk- previous
    versions had a small window where the PKI content could have the certmgr user as the
    owner, rather than the specified user. All PKI content is now atomically renamed into
    place, thus this window is gone.
  • Initial steps were taken towards structured logging for certmgr; it's now possible
    to enable json logging if desired. Future certmgr releases will improve the internal
    logging to be more structure orientated.
Assets 24
Loading