Check if TLS certificate and key file have been modified #345
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
LeviHarrison
force-pushed
the
tls-roundtripper-check-cert-key
branch
from
4419fa0
to
546ae0d
Compare
|
I think we should only store the cert, you can not change the key without changing the cert. |
|
The issue with that would be if someone were to change only the key, yes, the TLS configuration would be invalid, but instead of getting (what I think would be) a |
LeviHarrison
force-pushed
the
tls-roundtripper-check-cert-key
branch
from
de05404
to
102c12a
Compare
roidelapluie
reviewed
Dec 1, 2021
config/http_config.go
Outdated
| } | ||
| h1 := sha256.Sum256(b1) | ||
|
|
||
| b2, b3, err := readCertAndKey(t.certFile, t.keyFile) |
There was a problem hiding this comment.
Where do we deal with unset certFile and t.keyFile?
There was a problem hiding this comment.
Could you please elaborate on what you mean by unset?
There was a problem hiding this comment.
Good point. A round tripper just isn't created if the CAFile is unset, but we can't do the same with the certFile and keyFile.
Lines 452 to 455 in 102c12a
|
We are also hitting this problem, anything we can help with to move the PR forward? |
|
Apologies, I just need to find time to work on this. |
|
@LeviHarrison do you want me to pick up the work? This bug is becoming a significant issue for us right now. |
Yes, I think you can review&rebase |
simonpasquier
force-pushed
the
tls-roundtripper-check-cert-key
branch
from
e06f022
to
9294f56
Compare
|
Rebased on top of main, I didn't change anything to the PR except for resolving the conflicts. Thanks a lot @LeviHarrison! |
Signed-off-by: Levi Harrison <git@leviharrison.dev> Signed-off-by: Simon Pasquier <spasquie@redhat.com>
Signed-off-by: Levi Harrison <git@leviharrison.dev> Signed-off-by: Simon Pasquier <spasquie@redhat.com>
Signed-off-by: Levi Harrison <git@leviharrison.dev> Signed-off-by: Simon Pasquier <spasquie@redhat.com>
Signed-off-by: Levi Harrison <git@leviharrison.dev> Signed-off-by: Simon Pasquier <spasquie@redhat.com>
Signed-off-by: Levi Harrison <git@leviharrison.dev> Signed-off-by: Simon Pasquier <spasquie@redhat.com>
This reverts commit c63387b. Signed-off-by: Levi Harrison <git@leviharrison.dev> Signed-off-by: Simon Pasquier <spasquie@redhat.com>
Signed-off-by: Levi Harrison <git@leviharrison.dev> Signed-off-by: Simon Pasquier <spasquie@redhat.com>
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
simonpasquier
force-pushed
the
tls-roundtripper-check-cert-key
branch
from
9294f56
to
d3fa312
Compare
|
@roidelapluie PTAL |
|
@roidelapluie friendly ping :) |
simonpasquier
added a commit
to simonpasquier/prometheus
that referenced
this pull request
Oct 26, 2022
When the TLS certificate (used by Prometheus to authenticate to the scraped targets) gets rotated, Prometheus doesn't pick up the new certificate until the connection to the target is re-established. Because Prometheus uses keep-alive HTTP connections, the consequence is that the scrapes start failing after about 1 day and the TargetDown alert fires. There's an upstream pull request [1] to address the issue but it isn't merged yet. This commit pulls the changes from [1] into our downstream fork by adding a replace directive to go.mod for the github.com/prometheus/common. The replacement code is under patches/github.com/prometheus/common which is the same version as upstream (v0.37.0) + the upstream PR applied on top of it. As soon as upstream Prometheus depends on a version of github.com/prometheus/common that fixes the issue, the replace directive in go.mod and the code under the patches/ directory can be removed. [1] prometheus/common#345 Signed-off-by: Simon Pasquier <spasquie@redhat.com>
simonpasquier
added a commit
to simonpasquier/prometheus
that referenced
this pull request
Oct 26, 2022
When the TLS certificate (used by Prometheus to authenticate to the scraped targets) gets rotated, Prometheus doesn't pick up the new certificate until the connection to the target is re-established. Because Prometheus uses keep-alive HTTP connections, the consequence is that the scrapes start failing after about 1 day and the TargetDown alert fires. There's an upstream pull request [1] to address the issue but it isn't merged yet. This commit pulls the changes from [1] into our downstream fork by adding a replace directive to go.mod for the github.com/prometheus/common. The replacement code is under patches/github.com/prometheus/common which is the same version as upstream (v0.37.0) + the upstream PR applied on top of it. As soon as upstream Prometheus depends on a version of github.com/prometheus/common that fixes the issue, the replace directive in go.mod and the code under the patches/ directory can be removed. [1] prometheus/common#345 Signed-off-by: Simon Pasquier <spasquie@redhat.com>
simonpasquier
added a commit
to simonpasquier/prometheus
that referenced
this pull request
Oct 26, 2022
When the TLS certificate (used by Prometheus to authenticate to the scraped targets) gets rotated, Prometheus doesn't pick up the new certificate until the connection to the target is re-established. Because Prometheus uses keep-alive HTTP connections, the consequence is that the scrapes start failing after about 1 day and the TargetDown alert fires. There's an upstream pull request [1] to address the issue but it isn't merged yet. This commit pulls the changes from [1] into our downstream fork by adding a replace directive to go.mod for the github.com/prometheus/common. The replacement code is under patches/github.com/prometheus/common which is the same version as upstream (v0.37.0) + the upstream PR applied on top of it. As soon as upstream Prometheus depends on a version of github.com/prometheus/common that fixes the issue, the replace directive in go.mod and the code under the patches/ directory can be removed. [1] prometheus/common#345 Signed-off-by: Simon Pasquier <spasquie@redhat.com>
simonpasquier
added a commit
to simonpasquier/prometheus
that referenced
this pull request
Oct 26, 2022
When the TLS certificate (used by Prometheus to authenticate to the scraped targets) gets rotated, Prometheus doesn't pick up the new certificate until the connection to the target is re-established. Because Prometheus uses keep-alive HTTP connections, the consequence is that the scrapes start failing after about 1 day and the TargetDown alert fires. There's an upstream pull request [1] to address the issue but it isn't merged yet. This commit pulls the changes from [1] into our downstream fork by adding a replace directive to go.mod for the github.com/prometheus/common. The replacement code is under patches/github.com/prometheus/common which is the same version as upstream (v0.37.0) + the upstream PR applied on top of it. As soon as upstream Prometheus depends on a version of github.com/prometheus/common that fixes the issue, the replace directive in go.mod and the code under the patches/ directory can be removed. [1] prometheus/common#345 Signed-off-by: Simon Pasquier <spasquie@redhat.com>
|
Thanks! |
openshift-cherrypick-robot
pushed a commit
to openshift-cherrypick-robot/prometheus
that referenced
this pull request
Nov 23, 2022
When the TLS certificate (used by Prometheus to authenticate to the scraped targets) gets rotated, Prometheus doesn't pick up the new certificate until the connection to the target is re-established. Because Prometheus uses keep-alive HTTP connections, the consequence is that the scrapes start failing after about 1 day and the TargetDown alert fires. There's an upstream pull request [1] to address the issue but it isn't merged yet. This commit pulls the changes from [1] into our downstream fork by adding a replace directive to go.mod for the github.com/prometheus/common. The replacement code is under patches/github.com/prometheus/common which is the same version as upstream (v0.37.0) + the upstream PR applied on top of it. As soon as upstream Prometheus depends on a version of github.com/prometheus/common that fixes the issue, the replace directive in go.mod and the code under the patches/ directory can be removed. [1] prometheus/common#345 Signed-off-by: Simon Pasquier <spasquie@redhat.com>
roidelapluie
added a commit
to roidelapluie/prometheus
that referenced
this pull request
Dec 8, 2022
- Check if TLS certificate and key file have been modified prometheus/common#345 - Add the ability to specify the maximum acceptable TLS version prometheus/common#414 Signed-off-by: Julien Pivotto <roidelapluie@o11y.eu>
radek-ryckowski
pushed a commit
to goldmansachs/common
that referenced
this pull request
May 18, 2023
radek-ryckowski
pushed a commit
to goldmansachs/common
that referenced
this pull request
May 22, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds the capability to check the hashes of the client certificate and key files to see if they've been modified, as is already done with the CA file.
Fixes prometheus/prometheus#9512