[TLS] Check if provided certificate is valid

[tolusha]

Is your task related to a problem? Please describe.

If invalid certificate was used then Eclipse Che deployed fail.
It is better to add preflight check and warn an user.

Describe the solution you'd like

Add basic check for the certificate:

• due date
• domain

[mmorhun]

I've taken a quick look at this issue.
Here we need to consider various aspects before complete implementation of the problem.
The steps, which I think, we should take:
Check cluster family.

• If it is Kubernetes then:

  1. Check if the certificate is present. If not, just skip this check and a valid certificate will be generated automatically.
  2. If a certificate is present (self-signed (or signed by self-signed CA) or not) we should read it and analyze at least basic requirements:
     • check that certificate domain is suitable for our cluster
     • check that certificate due dates are ok (not before, not after).

• If it is Openshift family, we reuse router certificate for Che endpoints securing. We may check router certificate in two ways:

  1. If we have cluster admin rights, we might read the router certificate and follow instruction as described in step 2 for Kubernetes platform.
  2. If we don't have cluster admin rights, the only way to check is to create a simple server and expose its endpoint via a route and then try to query it. Here we have to be careful to not to distrust self-signed certificates immediately. We need to do deeper analyzation with steps described in Kubernetes flow (the difference is that the certificate is obtained via query, not from the secret).

We may try to generalize the solution by creating a simple server with exposing ingress/route and the analyze the certificate in the identical way. This brings unneeded complexity for pure Kubernetes infras, but gives us a single way of resolving the problem.

I've quickly looked at the certificate analyzation problem and may say that we definitely need to use some library to parse certificates (Often they have C++ backend with Nodejs bindings). One of such libs for Nodejs is node-x509. With help of it I was able to decode the certificate and see its fields.

P.S. As we've already implemented autogeneration of TLS certificates for Che installation this issue isn't urgent any more as it is applicable only if user wants to provide own certificates for Che installation instead of using generated by Che one.

[che-bot]

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.