Description
Related to #44650, the documentation about the current behavior is not clear about how warnings for soon-to-expire SSL certificates will be reported.
For health, the documentation says:
Lines 674 to 676 in 6aad225
TIP: The `ssl` javadoc:org.springframework.boot.actuate.health.HealthIndicator[] has a "warning threshold" property named configprop:management.health.ssl.certificate-validity-warning-threshold[].
If an SSL certificate will be invalid within the time span defined by this threshold, the javadoc:org.springframework.boot.actuate.health.HealthIndicator[] will warn you but it will still return HTTP 200 to not disrupt the application.
You can use this threshold to give yourself enough lead time to rotate the soon to be expired certificate.
The implementation doesn't really produce a warning, but one can be inferred from the status of a certificate. Specifically, `details.validChains.certificates.[*].validity.status` will be `WILL_EXPIRE_SOON`. If details are not enabled, it appears that the warning is hidden.
For info, the documentation says:
Line 1259 in 6aad225
The `info` endpoint publishes information about your SSL certificates (that are configured through xref:features/ssl.adoc#features.ssl.bundles[SSL Bundles]), see javadoc:org.springframework.boot.info.SslInfo[] for more details. This endpoint reuses the "warning threshold" property of javadoc:org.springframework.boot.actuate.ssl.SslHealthIndicator[]: if an SSL certificate will be invalid within the time span defined by this threshold, it will trigger a warning. See the `management.health.ssl.certificate-validity-warning-threshold` property.
Similar to health, the implementation doesn't really produce a warning, but one can be inferred once again. Specifically, `ssl.bundles.[*].certificateChains.[*].certificates.[*].validity.status` will be `WILL_EXPIRE_SOON`.
We need to improve the documentation to describe how to identify the warning in the response. We may want to keep #44560 in mind when doing so as the current plan is that the concept of `WILL_EXPIRE_SOON` will be removed from the info side of things.
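Because the endpoints keep returning HTTP 200 and only expose the warning through the `validity.status` fields quoted above, a monitor that looks at the status code alone never sees it. The following is an added example, not code from the issue or from Spring Boot, of the check a consumer of the `health` and `info` responses would write to surface `WILL_EXPIRE_SOON`. The sample responses are constructed here and modeled only on the JSON paths the issue quotes; any field beyond those paths (`alias`, `name`, `subject`, `message`) is assumed for illustration, and the walker deliberately does not depend on whether `validChains` or `bundles` are lists or maps, so it should be checked against a real response before use. It also returns `None` for a `health` response without `details`, reflecting the point that the warning is hidden in that case.

```python
import json

# Constructed sample responses (not captured from a real application).
# Shapes follow the paths quoted in the issue:
#   health: details.validChains.certificates.[*].validity.status
#   info:   ssl.bundles.[*].certificateChains.[*].certificates.[*].validity.status
# Names such as alias/name/subject/message are assumptions for illustration.
HEALTH_WITH_DETAILS = json.dumps({
    "status": "UP",
    "details": {
        "validChains": [
            {"alias": "server", "certificates": [
                {"subject": "CN=app.example",
                 "validity": {"status": "WILL_EXPIRE_SOON",
                              "message": "certificate expires within threshold"}},
                {"subject": "CN=Example CA",
                 "validity": {"status": "VALID"}},
            ]}
        ],
        "invalidChains": [],
    },
})
# With management.endpoint.health.show-details left at "never" the same
# application would only return the top-level status.
HEALTH_NO_DETAILS = json.dumps({"status": "UP"})
INFO = json.dumps({
    "ssl": {"bundles": [
        {"name": "server", "certificateChains": [
            {"alias": "server", "certificates": [
                {"subject": "CN=app.example",
                 "validity": {"status": "WILL_EXPIRE_SOON"}},
            ]}
        ]}
    ]}
})


def certificate_statuses(node, path=()):
    """Yield (json_path, status) for every object that carries validity.status.

    Walks dicts and lists at any depth, so one walker serves both the health
    and the info layouts and does not care whether chains are lists or maps.
    """
    if isinstance(node, dict):
        validity = node.get("validity")
        if isinstance(validity, dict) and "status" in validity:
            yield ".".join(path) + ".validity.status", validity["status"]
        for key, child in node.items():
            yield from certificate_statuses(child, path + (key,))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from certificate_statuses(child, path + (f"[{index}]",))


def expiring_soon(response_json, source):
    """Return the paths of certificates reported as WILL_EXPIRE_SOON.

    source is "health" or "info". For a health response without details the
    warning cannot be present at all, so None is returned rather than an empty
    list: the caller must not mistake "cannot tell" for "nothing is expiring".
    """
    body = json.loads(response_json)
    if source == "health":
        if "details" not in body:
            return None
        root = body["details"]
    elif source == "info":
        root = body.get("ssl", {})
    else:
        raise ValueError(f"unknown source: {source}")
    return [path for path, status in certificate_statuses(root)
            if status == "WILL_EXPIRE_SOON"]


if __name__ == "__main__":
    for name, body, source in (("health", HEALTH_WITH_DETAILS, "health"),
                               ("health (no details)", HEALTH_NO_DETAILS, "health"),
                               ("info", INFO, "info")):
        found = expiring_soon(body, source)
        if found is None:
            print(f"{name}: details hidden, warning cannot be observed")
        else:
            print(f"{name}: {len(found)} certificate(s) expiring soon: {found}")
```

In a real deployment the two bodies would come from `GET /actuator/health` and `GET /actuator/info` (with `management.endpoint.health.show-details` set so that `details` is returned); the point of the `None` branch is that an HTTP 200 with no `details` proves nothing about certificate validity.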