Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nginx,acme: make sensu checks work for non-HTTPS usage #1333

Draft
wants to merge 1 commit into
base: fc-24.11-dev
Choose a base branch
from
Draft

nginx,acme: make sensu checks work for non-HTTPS usage #1333

wants to merge 1 commit into from

Conversation

dpausp
Copy link
Member

@dpausp dpausp commented Mar 11, 2025
edited
Loading

There are two separate Sensu checks for ACME certificate validity now:

The existing Sensu check which uses check_http is now generated per Nginx vhost when ACME is enabled. It is renamed to nginx_https_${vhost_name}. ACME.

Another Sensu check is generated for all ACME certs, using the openssl command which works in the local file system, independently of Nginx. This check has the name of the existing check ssl_cert_${cert_name}.

PL-131278

@flyingcircusio/release-managers

Release process

  • Created changelog entry using ./changelog.sh

PR release workflow (internal)

  • PR has internal ticket
  • internal issue ID (PL-…) part of branch name
  • internal issue ID mentioned in PR description text
  • ticket is on Platform agile board
  • ticket state set to Pull request ready
  • if ticket is more urgent than within the next few days, directly contact a member of the Platform team

Design notes

  • Provide a feature toggle if the change might need to be adjusted/reverted quickly depending on context. Consider whether the default should be on or off. Example: rate limiting.
  • All customer-facing features and (NixOS) options need to be discoverable from documentation. Add or update relevant documentation such that hosted and guided customers can understand it as well.

Security implications

@dpausp dpausp force-pushed the PL-131278-ssl-checks-non-https branch from 541c395 to 7e8ea23 Compare March 11, 2025 13:16
@dpausp
nginx, acme: make sensu checks work for non-HTTPS usage
c3709e0 
There are two separate Sensu checks for ACME certificate validity now:

The existing Sensu check which uses check_http is now generated per Nginx vhost when ACME is enabled. It is renamed to `nginx_https_${vhost_name}`.
ACME.

Another Sensu check is generated for all ACME certs, using the openssl command which works in the local file system, independently of  Nginx. This check has the name of the existing check `ssl_cert_${cert_name}`.

PL-131278
@dpausp dpausp force-pushed the PL-131278-ssl-checks-non-https branch from 7e8ea23 to c3709e0 Compare March 11, 2025 13:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@dpausp