Problem:
The puppetca view in Foreman shows that my CA will expire in 4 days.
Expected outcome:
openssl x509 -in /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem -text -noout | grep "Not After"
Not After : Aug 12 13:51:03 2029 GMT
I expect it to display “in 9 Years”
Foreman and Proxy versions:
Just updated everything to 1.24.3
Distribution and version:
Debian buster for foreman
Debian stretch for smart proxy
Where does the displayed information come from?
ekohl, June 3, 2020, 9:44am
It doesn’t really look at the CA because the Puppet CA doesn’t expose that info - it just gives you a list of certificates and expiration times. Foreman guesses the oldest certificate is the CA. As you can see, this is a flawed assumption.
Thanks for your fast reply and explanation. We had to renew our CA cert last year, so there are many, many older certs lingering around now.
Bonus: I just found it in the code:
ekohl, June 3, 2020, 9:59am
Yep, that’s exactly it. AFAIK on the Foreman side it’s only used in the UI as a visual hint to the admin so it hasn’t been a priority to improve.
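The guess described in this thread, set beside a direct read of the CA certificate's "Not After" line, as an added Ruby example that is not part of the original posts and is not Foreman's own code. The host names, dates in the certificate list, helper names and the reading of "oldest" as earliest not_before are assumptions; only the "Not After" value comes from the thread.

```ruby
require 'time'

# Constructed sample list (name + validity) as seen after a CA renewal:
# a certificate issued under the old CA is still present.
Cert = Struct.new(:name, :not_before, :not_after)
CERTS = [
  Cert.new('old-agent.example.test', Time.utc(2015, 6, 8, 13, 0), Time.utc(2020, 6, 7, 13, 0)),
  Cert.new('puppet.example.test',    Time.utc(2019, 8, 15),       Time.utc(2024, 8, 14)),
  Cert.new('new-agent.example.test', Time.utc(2020, 1, 10),       Time.utc(2025, 1, 9))
].freeze
# Output line quoted in the thread from `openssl x509 -text -noout` on ca_crt.pem.
OPENSSL_TEXT = "            Not After : Aug 12 13:51:03 2029 GMT\n"
NOW = Time.utc(2020, 6, 3, 9, 44) # constructed "current time"

# The guess: treat the oldest listed certificate as the CA.
# Assumption: "oldest" is modelled as the earliest not_before.
def guessed_ca_expiry(certs)
  certs.min_by(&:not_before).not_after
end

# Ground truth: parse the "Not After" line of the CA certificate itself.
def ca_expiry_from_openssl_text(text)
  line = text.each_line.find { |l| l =~ /Not After\s*:/ }
  raise ArgumentError, 'no "Not After" line found' unless line

  Time.strptime(line.split(':', 2).last.strip, '%b %d %H:%M:%S %Y %Z').utc
end

def days_left(expiry, now)
  ((expiry - now) / 86_400).floor
end

# True when the guessed expiry and the real CA expiry disagree by more
# than the tolerance, i.e. the UI hint should not be trusted.
def expiry_mismatch?(certs, openssl_text, tolerance_days: 1)
  diff = (guessed_ca_expiry(certs) - ca_expiry_from_openssl_text(openssl_text)).abs
  diff > tolerance_days * 86_400
end

if __FILE__ == $PROGRAM_NAME
  puts "guessed CA expiry: #{days_left(guessed_ca_expiry(CERTS), NOW)} days"
  puts "actual CA expiry:  #{days_left(ca_expiry_from_openssl_text(OPENSSL_TEXT), NOW)} days"
  puts "mismatch: #{expiry_mismatch?(CERTS, OPENSSL_TEXT)}"
end
```

A mismatch means the warning reflects a leftover certificate rather than the CA, so the CA file is the value to monitor.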