Feature Request: Verbose output from nebula-cert verify #1313

Open
AdamantUnstable opened this issue Jan 19, 2025 · 3 comments
Labels
WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.

Comments

@AdamantUnstable

At the moment the nebula-cert tool is very limited in terms of output, which can make troubleshooting difficult in some cases and makes it impossible to determine the expiry set on an existing certificate. nebula-cert -verify should print the expiry date - something like "Valid until xxx" if the cert is valid and "Invalid certificate, expired xxx" when invalid. There should also be a method to print the expiry set on a CA certificate directly.

@johnmaguire
Collaborator

@AdamantUnstable I believe this is possible today with nebula-cert print -path ca.crt. You can use the -json line if you need specific fields. Then use something like jq to extract the field you care about.

❯ nebula-cert print -path ca.crt
NebulaCertificate {
	Details {
		Name: test ca - do not use
		Ips: [
			192.168.100.0/24
		]
		Subnets: []
		Groups: []
		Not before: 2023-07-31 16:08:16 -0400 EDT
		Not After: 2024-07-30 16:08:16 -0400 EDT
		Is CA: true
		Issuer:
		Public key: 2976767da3dc58eb47cfe733e7daf4531fa9cd2ee5a320e548c65487a251de1a
		Curve: CURVE25519
	}
	Fingerprint: d5978d6d54a58e4685551708c5f57fbdd3774be67d470ecb0033cf70bbf5fbb5
	Signature: 5fab5ddb6b175274fe750013ec9a7a306ee4334f7a563c9c31a799a453618802aa2752d21f44720d876027d08b05d8a9da7dd61089eebf1a184773baf681de06
}
❯ nebula-cert print -path ca.crt -json | jq
{
  "details": {
    "curve": "CURVE25519",
    "groups": [],
    "ips": [
      "192.168.100.0/24"
    ],
    "isCa": true,
    "issuer": "",
    "name": "test ca - do not use",
    "notAfter": "2024-07-30T16:08:16-04:00",
    "notBefore": "2023-07-31T16:08:16-04:00",
    "publicKey": "2976767da3dc58eb47cfe733e7daf4531fa9cd2ee5a320e548c65487a251de1a",
    "subnets": []
  },
  "fingerprint": "d5978d6d54a58e4685551708c5f57fbdd3774be67d470ecb0033cf70bbf5fbb5",
  "signature": "5fab5ddb6b175274fe750013ec9a7a306ee4334f7a563c9c31a799a453618802aa2752d21f44720d876027d08b05d8a9da7dd61089eebf1a184773baf681de06"
}
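
The expiry check the issue asks for, built on top of the JSON that `nebula-cert print -path <cert> -json` already emits. This is an added example, not code from the nebula project; the sample JSON is the CA output quoted above, embedded inline so it runs offline, and the `Valid until` / `Invalid certificate, expired` wording follows the request in the first comment.

```python
import json
import subprocess
from datetime import datetime, timezone

# Constructed sample: the CA certificate printed with -json earlier in this thread.
SAMPLE_JSON = """{
  "details": {
    "curve": "CURVE25519", "groups": [], "ips": ["192.168.100.0/24"],
    "isCa": true, "issuer": "", "name": "test ca - do not use",
    "notAfter": "2024-07-30T16:08:16-04:00",
    "notBefore": "2023-07-31T16:08:16-04:00",
    "publicKey": "2976767da3dc58eb47cfe733e7daf4531fa9cd2ee5a320e548c65487a251de1a",
    "subnets": []
  },
  "fingerprint": "d5978d6d54a58e4685551708c5f57fbdd3774be67d470ecb0033cf70bbf5fbb5",
  "signature": "5fab5ddb6b175274fe750013ec9a7a306ee4334f7a563c9c31a799a453618802aa2752d21f44720d876027d08b05d8a9da7dd61089eebf1a184773baf681de06"
}"""


def parse_print_json(text):
    """Pull the fields needed for a time-window check out of nebula-cert's JSON."""
    d = json.loads(text)["details"]
    return {
        "name": d["name"],
        "is_ca": d["isCa"],
        # RFC 3339 timestamps with a numeric offset; fromisoformat handles them (3.7+).
        "not_before": datetime.fromisoformat(d["notBefore"]),
        "not_after": datetime.fromisoformat(d["notAfter"]),
    }


def validity_status(cert, now):
    """Return (ok, message) with the reason a cert fails the date check, if it does."""
    if now < cert["not_before"]:
        return False, f"Invalid certificate, not valid before {cert['not_before'].isoformat()}"
    if now > cert["not_after"]:
        return False, f"Invalid certificate, expired {cert['not_after'].isoformat()}"
    return True, f"Valid until {cert['not_after'].isoformat()}"


def status_at(text, now_iso):
    """Convenience wrapper: JSON text plus an ISO-8601 'now' -> (ok, message)."""
    return validity_status(parse_print_json(text), datetime.fromisoformat(now_iso))


def status_for_file(path):
    """Run the real tool (assumes nebula-cert is on PATH) and check the cert at `path`."""
    out = subprocess.run(["nebula-cert", "print", "-path", path, "-json"],
                         check=True, capture_output=True, text=True).stdout
    return validity_status(parse_print_json(out), datetime.now(timezone.utc))


if __name__ == "__main__":
    print(status_at(SAMPLE_JSON, datetime.now(timezone.utc).isoformat())[1])
```

`status_for_file` is the piece you would wire into the automated pre-restart tooling mentioned later in the thread; it exits non-zero via `check=True` if `nebula-cert` itself fails.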

@johnmaguire johnmaguire added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Jan 23, 2025
@AdamantUnstable
Author

Yeah, came across this later after figuring things out and moving on to unsafe routes. I do still think that verify should at least print the details that invalidate a cert (e.g. the date range a cert is valid for if it's expired), or at the very least the documentation for initial setup that mentions verify should also mention the print function to then check the details for why a cert is invalid, as new users who do run into cert issues are going to wind up following the documentation for new setup which mentions nothing about the print function.

@johnmaguire
Collaborator

@AdamantUnstable verify is mostly meant to be used with automated tooling to detect issues before restarting the nebula process.

print is mentioned here: https://nebula.defined.net/docs/guides/sign-certificates-with-public-keys/#transfer-the-public-key-and-sign-a-new-certificate

I don't see a mention of verify in the README or Nebula docs site. Can you point me to where you were thinking we might add information about print?
