
Clarify how warnings about soon-to-expire SSL certificates are reported #45564


Open
wilkinsona opened this issue May 15, 2025 · 1 comment
Labels: status: blocked (An issue that's blocked on an external project change), type: documentation (A documentation update)
@wilkinsona
Member

Related to #44650, the documentation about the current behavior is not clear about how warnings for soon-to-expire SSL certificates will be reported.

For health, the documentation says:

TIP: The `ssl` javadoc:org.springframework.boot.actuate.health.HealthIndicator[] has a "warning threshold" property named configprop:management.health.ssl.certificate-validity-warning-threshold[].
If an SSL certificate will be invalid within the time span defined by this threshold, the javadoc:org.springframework.boot.actuate.health.HealthIndicator[] will warn you but it will still return HTTP 200 to not disrupt the application.
You can use this threshold to give yourself enough lead time to rotate the soon to be expired certificate.

The implementation doesn't really produce a warning, but one can be inferred from the status of a certificate. Specifically, details.validChains.certificates.[*].validity.status will be WILL_EXPIRE_SOON. If details are not enabled, it appears that the warning is hidden.

For info, the documentation says:

The `info` endpoint publishes information about your SSL certificates (that are configured through xref:features/ssl.adoc#features.ssl.bundles[SSL Bundles]), see javadoc:org.springframework.boot.info.SslInfo[] for more details. This endpoint reuses the "warning threshold" property of javadoc:org.springframework.boot.actuate.ssl.SslHealthIndicator[]: if an SSL certificate will be invalid within the time span defined by this threshold, it will trigger a warning. See the `management.health.ssl.certificate-validity-warning-threshold` property.

Similar to health, the implementation doesn't really produce a warning, but one can be inferred once again. Specifically, ssl.bundles.[*].certificateChains.[*].certificates.[*].validity.status will be WILL_EXPIRE_SOON.

We need to improve the documentation to describe how to identify the warning in the response. We may want to keep #44560 in mind when doing so as the current plan is that the concept of WILL_EXPIRE_SOON will be removed from the info side of things.
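The issue only states the JSON paths at which the warning can be inferred. The following is an added example, not part of the issue or of Spring Boot's own code, showing how a monitoring check would pull the WILL_EXPIRE_SOON certificates out of both responses and how the warning disappears from health when details are not shown. The JSON bodies are constructed for the example, not captured from a real application; the `alias`, `name` and `subject` fields, and the `components.ssl` nesting used by the aggregated health response, are assumptions beyond what the issue quotes.

```python
import json
from typing import Optional

WARNING_STATUS = "WILL_EXPIRE_SOON"

# Constructed sample health response for /actuator/health/ssl with details shown.
# The nesting follows details.validChains[*].certificates[*].validity.status as
# quoted in the issue; alias and subject fields are assumed for illustration.
HEALTH_WITH_DETAILS = json.dumps({
    "status": "UP",
    "details": {
        "validChains": [
            {
                "alias": "server",
                "certificates": [
                    {"subject": "CN=api.example.test",
                     "validity": {"status": WARNING_STATUS,
                                  "message": "Certificate will expire within threshold"}},
                    {"subject": "CN=Example Intermediate CA",
                     "validity": {"status": "VALID"}},
                ],
            }
        ],
        "invalidChains": [],
    },
})

# Constructed sample with details disabled: the indicator still says UP and
# returns HTTP 200, so the approaching expiry is invisible here.
HEALTH_WITHOUT_DETAILS = json.dumps({"status": "UP"})

# Constructed sample info response following
# ssl.bundles[*].certificateChains[*].certificates[*].validity.status.
INFO_RESPONSE = json.dumps({
    "ssl": {
        "bundles": [
            {"name": "web",
             "certificateChains": [
                 {"alias": "server",
                  "certificates": [
                      {"subject": "CN=api.example.test",
                       "validity": {"status": WARNING_STATUS}}]}]},
            {"name": "mtls-client",
             "certificateChains": [
                 {"alias": "client",
                  "certificates": [
                      {"subject": "CN=client.example.test",
                       "validity": {"status": "VALID"}}]}]},
        ]
    }
})


def _warning_subjects(chains: list) -> list[str]:
    """Subjects of every certificate in the given chains whose validity.status
    is WILL_EXPIRE_SOON."""
    found = []
    for chain in chains:
        for cert in chain.get("certificates", []):
            if cert.get("validity", {}).get("status") == WARNING_STATUS:
                found.append(cert.get("subject", "<unknown subject>"))
    return found


def expiring_soon_from_health(body: str) -> Optional[list[str]]:
    """Return None when the response carries no SSL details (the warning cannot
    be seen at all), otherwise the subjects flagged WILL_EXPIRE_SOON.
    Neither the HTTP status nor the top-level status is a usable signal: both
    stay 200/UP while a certificate is about to expire."""
    doc = json.loads(body)
    # /actuator/health/ssl puts details at the top level; the aggregated
    # /actuator/health nests the indicator under components.ssl (assumed name).
    details = doc.get("details") or doc.get("components", {}).get("ssl", {}).get("details")
    if not details:
        return None
    return _warning_subjects(details.get("validChains", []))


def expiring_soon_from_info(body: str) -> list[str]:
    """Return 'bundle: subject' for every certificate flagged WILL_EXPIRE_SOON
    in an info response."""
    doc = json.loads(body)
    found = []
    for bundle in doc.get("ssl", {}).get("bundles", []):
        for subject in _warning_subjects(bundle.get("certificateChains", [])):
            found.append(f"{bundle.get('name', '?')}: {subject}")
    return found


if __name__ == "__main__":
    print(expiring_soon_from_health(HEALTH_WITH_DETAILS))
    print(expiring_soon_from_health(HEALTH_WITHOUT_DETAILS))
    print(expiring_soon_from_info(INFO_RESPONSE))
```

The health check deliberately distinguishes "no warning" from "cannot tell" (None), because a probe that only keys on HTTP 200 or status UP will never notice a certificate inside the warning threshold, and one that runs against a deployment without `show-details` enabled is silently blind. Whether the info side keeps exposing WILL_EXPIRE_SOON depends on the outcome of #44560 referenced above.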

@wilkinsona wilkinsona added this to the 3.4.x milestone May 15, 2025
@wilkinsona wilkinsona added type: documentation A documentation update for: team-meeting An issue we'd like to discuss as a team to make progress labels May 15, 2025
@wilkinsona
Member Author

Blocked by #45568.

@wilkinsona wilkinsona added status: blocked An issue that's blocked on an external project change and removed for: team-meeting An issue we'd like to discuss as a team to make progress labels May 28, 2025