User story: As an Admin who has installed PMM, I need to have "more correct" certificates inside PMM, so that they are self-signed but do not cause an additional warning from security tools because they are outdated
UI/UX: N/A
Acceptance criteria
An installed or updated version of PMM always has non-expired self-signed certificates
A special precaution should be taken not to replace a public certificate the user may have mounted into the /srv/nginx/ directory.
Out of scope:
UI for certificate management
Integration with Let's Encrypt or a related service
Suggested implementation: TBD
How to test: TBD
Details: TBD
For testing purposes, I've installed through docker PMM v. 2.11.0 which was released back in Oct 2020.
https://www.percona.com/doc/percona-monitoring-and-management/2.x/release-notes/2.11.0.html
This is what the self-signed certificate was reporting as an expiration date:
[centos@ip-192-168-2-206 ~]$ echo -n | openssl s_client -connect 127.0.0.1:443 | openssl x509 -noout -dates
depth=0 O = Main Org.
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Main Org.
verify error:num=10:certificate has expired
notAfter=Oct 14 16:50:17 2021 GMT
verify return:1
depth=0 O = Main Org.
notAfter=Oct 14 16:50:17 2021 GMT
verify return:1
DONE
notBefore=Oct 14 16:50:17 2020 GMT
notAfter=Oct 14 16:50:17 2021 GMT
so it appears that the certificate is valid for 365 days only.
I've then performed an upgrade through the UI from 2.11.0 to 2.23.0
2.23.0 was released in Oct 2021
https://www.percona.com/doc/percona-monitoring-and-management/2.x/release-notes/2.23.0.html
Checking the certificate again, it seems that it was not renewed:
[centos@ip-192-168-2-206 ~]$ echo -n | openssl s_client -connect 127.0.0.1:443 | openssl x509 -noout -dates
depth=0 O = Main Org.
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Main Org.
verify error:num=10:certificate has expired
notAfter=Oct 14 16:50:17 2021 GMT
verify return:1
depth=0 O = Main Org.
notAfter=Oct 14 16:50:17 2021 GMT
verify return:1
DONE
notBefore=Oct 14 16:50:17 2020 GMT
notAfter=Oct 14 16:50:17 2021 GMT
I would expect / suggest:
Default certificates to get auto-renewed if these are going to expire (even without an upgrade)
Default certificates to be replaced when an upgrade happens
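The following Go program is an added illustration of the renewal check the acceptance criteria and the two suggestions above describe; it is not PMM's own code. It assumes a hypothetical marker scheme in which the installer records the SHA-256 fingerprint of every certificate it generated itself, so that a startup or scheduled check replaces only those certificates (and only when they are expired or inside a renewal window) while anything else, including a self-signed certificate the user mounted into the nginx directory, is left untouched. Organization name, validity period and the dates are constructed to match the output shown above.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RenewWindow: a certificate we generated is replaced once less than this much
// validity remains, so a periodic check catches it before scanners complain.
const RenewWindow = 30 * 24 * time.Hour

// Decision is the outcome of inspecting the certificate currently on disk.
type Decision struct {
	Renew  bool
	Reason string
}

// Fingerprint is the hex SHA-256 of the DER certificate. It is the key of the
// hypothetical "generated by the installer" marker set used by Decide.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// GenerateSelfSigned mints a self-signed server certificate valid for validFor
// starting at now, returning it PEM-encoded together with its fingerprint.
func GenerateSelfSigned(org string, now time.Time, validFor time.Duration) ([]byte, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, "", err
	}
	serial.Add(serial, big.NewInt(1)) // never zero
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{Organization: []string{org}},
		NotBefore:             now,
		NotAfter:              now.Add(validFor),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, "", err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), Fingerprint(der), nil
}

// Decide inspects the installed PEM certificate and reports whether the check
// should replace it. generated holds fingerprints of certificates this installer
// minted itself; any other certificate is treated as user-provided and is never
// touched, even if it is self-signed or already expired.
func Decide(certPEM []byte, generated map[string]bool, now time.Time) (Decision, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return Decision{}, errors.New("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Decision{}, err
	}
	if !generated[Fingerprint(cert.Raw)] {
		return Decision{false, "not generated by this installer; treating as user-provided"}, nil
	}
	// A generated certificate must be self-signed; a stale marker that points at
	// a CA-issued certificate is again a reason to leave the file alone.
	selfSigned := bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	if !selfSigned {
		return Decision{false, "marker matches but certificate is not self-signed; leaving it alone"}, nil
	}
	switch remaining := cert.NotAfter.Sub(now); {
	case remaining <= 0:
		return Decision{true, "expired on " + cert.NotAfter.UTC().Format(time.RFC3339)}, nil
	case remaining < RenewWindow:
		return Decision{true, fmt.Sprintf("expires in %s, inside renewal window", remaining.Round(time.Hour))}, nil
	}
	return Decision{false, "valid and outside renewal window"}, nil
}

func main() {
	// Constructed scenario: certificate generated on the date seen above, checked a year later.
	issued := time.Date(2020, 10, 14, 16, 50, 17, 0, time.UTC)
	certPEM, fp, err := GenerateSelfSigned("Main Org.", issued, 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	known := map[string]bool{fp: true}
	for _, now := range []time.Time{issued.AddDate(0, 6, 0), issued.AddDate(1, 3, 0)} {
		d, _ := Decide(certPEM, known, now)
		fmt.Printf("%s: renew=%v (%s)\n", now.Format("2006-01-02"), d.Renew, d.Reason)
	}
	d, _ := Decide(certPEM, map[string]bool{}, issued.AddDate(1, 3, 0))
	fmt.Printf("user-mounted copy: renew=%v (%s)\n", d.Renew, d.Reason)
}
```

Running the check at startup and from a daily timer covers both suggestions: an upgrade triggers the startup run, and the timer renews a certificate that is about to expire even when no upgrade ever happens. The marker set is what protects a user-mounted certificate in /srv/nginx/ from being overwritten.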