Allow configuring MAXIMUM_VALIDITY/IGNORE_MAXIMUM_VALIDITY for check_ssl_cert_options

Bug #2019107 reported by Mustafa Kemal Gilor
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Fix Released
Mustafa Kemal Gilor

Bug Description

This is another instance of false(?) CRITICAL errors raised by the check_ssl_cert, which is pretty similar to #2008190 and #1996123 LP bugs. The default configuration of check_ssl_cert enforces a maximum validity period of 397 days for all certificates and this causes CRITICAL errors to be raised, which makes the users uncomfortable:

SSL_CERT CRITICAL The certificate cannot be valid for more than 397 days (1080)|days_chain_elem1=271;270;269;; days_chain_elem2=271;270;269;; days_chain_elem3=2544;270;269;; days_chain_elem4=4709;270;269;;

We could add another boolean flag for enabling/disabling this check, and/or for altering the MAXIMUM_VALIDITY, but this will cause unnecessary clutter in the charm config options given that check_ssl_cert has a long list of options, and there may be future instances of false alerts related to check_ssl_cert's defaults.

So, my suggestion would be to add a `check-ssl-cert-extra-options` charm option that allows any combination of check_ssl_cert flags to be specified.

Related branches

Changed in charm-openstack-service-checks:
status: New → In Progress
assignee: nobody → Mustafa Kemal Gilor (mustafakemalgilor)
Changed in charm-openstack-service-checks:
status: In Progress → Fix Committed
Ashley James (dashmage)
Changed in charm-openstack-service-checks:
milestone: none → 23.07
Ashley James (dashmage)
Changed in charm-openstack-service-checks:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.