Certificate Expiration Notification
Topic: Certificate Expiration Notification (Read 3894 times)
jeremias.winter
Certificate Expiration Notification
on: February 19, 2021, 02:23:29 pm
Hello everyone,
first time posting here, so if this is the wrong topic, please feel free to move the thread.
I have a question that was asked on this forum once before (
https://forum.opnsense.org/index.php?topic=10860.0
), but got no replies/answers. It's pretty simple:
"Is there a way to get notified when certificates are about to expire?"
In our case (as was in the post linked above), it's about SSL certificates used for VPN. It would be a good idea for other certificates too, I guess.
Thanks and regards
Patrick M. Hausen
Re: Certificate Expiration Notification
Reply #1 on: February 19, 2021, 03:25:08 pm
I am not aware of any mechanism in OPNsense. But there are of course mechanisms outside of the product.
Commercial CAs usually send you an email when a certificate is about to expire.
Letsencrypt sends you email when a certificate is about to expire.
Icinga, Nagios, Zabbix ... can check certificates online and warn you when they are about to expire.
That's more than enough choices for our use cases.
jeremias.winter
Re: Certificate Expiration Notification
Reply #2 on: February 23, 2021, 02:07:30 pm
Thanks for the reply!
While those mechanisms you mention definitely work "outside of the product", we use internal certificates generated by OPNsense for the VPN accounts of our employees.
I guess we have to schedule notifications in our calendar then :-/
gyterpena
Re: Certificate Expiration Notification
Reply #3 on: January 17, 2022, 01:30:23 pm
I know this is a bit old, but I just wrote this ugly thing to email us 28-61 days before certs expire.
It's run weekly by cron from our ansible host.
You need to set up SSH key auth for scp and make sure the firewall names in the declare statement resolve.
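The procedure described in the reply above (pull config.xml from each firewall over scp with key-based SSH, check every certificate's expiry, mail the result from a weekly cron job), written out as an added example. This is not the poster's attached script and not OPNsense's own code. It assumes, beyond what the thread states, that OPNsense keeps its configuration in /conf/config.xml, that each certificate and CA in that file is a single-line base64-encoded PEM blob in a `<crt>` element preceded by a `<descr>` element with its display name, and that `mail` is available on the cron host; the firewall names, mail address and threshold are made up. Because it reads the `<ca>` entries as well as the `<cert>` entries, it also catches the expired-CA case the later replies describe, which no external monitor of a server certificate can see.

```shell
#!/bin/sh
# Added example for the thread above; it is not the script the poster attached.
# Assumptions not stated on the page:
#   - OPNsense keeps its configuration in /conf/config.xml;
#   - every certificate and CA there is a base64-encoded PEM blob on one line inside a
#     <crt> element, preceded by a <descr> element with the display name;
#   - the firewall host names, mail address and threshold below are made up.
set -eu

FIREWALLS="${FIREWALLS:-fw1.example.internal fw2.example.internal}"  # constructed
MAIL_TO="${MAIL_TO:-netops@example.internal}"                        # constructed
WARN_DAYS="${WARN_DAYS:-61}"

# list_certs CONFIG_XML: print "<descr>\t<base64>" for each <descr>/<crt> pair.
# Many other elements carry <descr>, so the name is the last one seen before the <crt>.
list_certs() {
    awk '
        /<descr>/ { d = $0; sub(/.*<descr>/, "", d); sub(/<\/descr>.*/, "", d); name = d }
        /<crt>/   { c = $0; sub(/.*<crt>/, "", c);   sub(/<\/crt>.*/, "", c);   print name "\t" c }
    ' "$1"
}

# check_config CONFIG_XML WARN_DAYS: print "STATE\tNAME\tNOTAFTER" per certificate.
# STATE is EXPIRED, EXPIRING (within WARN_DAYS), OK, or UNPARSEABLE.
# `openssl x509 -checkend N` exits 0 only while the certificate is still valid N seconds
# from now, so -checkend 0 flags an already expired one. Using it avoids date arithmetic
# that differs between GNU and BSD userlands (OPNsense runs the latter).
check_config() {
    _xml=$1; _secs=$(( $2 * 86400 ))
    _pem=$(mktemp)
    list_certs "$_xml" | while IFS="$(printf '\t')" read -r _name _b64; do
        if ! printf '%s' "$_b64" | openssl base64 -d -A > "$_pem" 2>/dev/null \
           || ! _end=$(openssl x509 -in "$_pem" -noout -enddate 2>/dev/null); then
            printf 'UNPARSEABLE\t%s\t-\n' "$_name"
            continue
        fi
        if ! openssl x509 -in "$_pem" -noout -checkend 0 >/dev/null 2>&1; then
            _state=EXPIRED
        elif ! openssl x509 -in "$_pem" -noout -checkend "$_secs" >/dev/null 2>&1; then
            _state=EXPIRING
        else
            _state=OK
        fi
        printf '%s\t%s\t%s\n' "$_state" "$_name" "${_end#notAfter=}"
    done
    rm -f "$_pem"
}

# main: the weekly cron job. Pulls config.xml from every firewall over scp (key auth,
# as the post requires), keeps only the lines that need attention, and mails the report.
main() {
    _work=$(mktemp -d)
    for _fw in $FIREWALLS; do
        if ! scp -q "root@$_fw:/conf/config.xml" "$_work/$_fw.xml"; then
            echo "scp from $_fw failed" >&2
            continue
        fi
        check_config "$_work/$_fw.xml" "$WARN_DAYS" \
            | awk -v fw="$_fw" '$1 != "OK" { print fw "\t" $0 }'
    done > "$_work/report.txt"
    if [ -s "$_work/report.txt" ]; then
        mail -s "Certificates expiring within $WARN_DAYS days" "$MAIL_TO" < "$_work/report.txt"
    fi
    rm -rf "$_work"
}

# Only fetch and mail when invoked as `./cert-expiry.sh run`; the functions above can
# be sourced and run against a local copy of config.xml instead.
case "${1:-}" in run) main ;; esac
```

A cron line such as `0 6 * * 1 /usr/local/bin/cert-expiry.sh run` gives the weekly run the post describes. The script decodes with `openssl base64 -d -A` rather than the `base64` command because the flag spelling of the latter differs between Linux and FreeBSD/macOS, and it classifies each entry with two `-checkend` calls so that an already expired CA shows up as EXPIRED rather than being silently skipped.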
Reiner030
Re: Certificate Expiration Notification
Reply #4 on: May 19, 2023, 09:03:27 pm
Even though this topic is over one year old, there is still an important reason to implement such an expiry notification,
as has been implemented in pfSense for ages already.
One good reason was mentioned already: the internal CA can't be monitored by external CA services.
Additionally, there is no "check_cert" from Nagios/Icinga/Check_MK or other monitoring systems which can check the CA validity, because it can only check the server certificate itself.
Also, client certificates can't be checked, neither on the firewall nor on all the needed "client devices".
EDIT: The notifications seem to have "only" been implemented since Aug 2019:
https://redmine.pfsense.org/issues/9703
But I already knew that 10 years ago, on the certificate page, certificates with short expiry times were marked so they could be found and easily renewed...
Last Edit: May 19, 2023, 09:26:38 pm by Reiner030
mcdeltat
Re: Certificate Expiration Notification
Reply #5 on: October 03, 2023, 06:30:51 pm
Posting to put another name behind the request.
I run OpnSense for personal use at home to learn networking. I've been running it for about 3 years now. The lack of notifications has bitten me in the butt multiple times, every single year. I've been meaning to request it, literally every single year.
I just spent 5+ hours troubleshooting my OpenVPN setup. I knew the client (user) certificate was expired so I generated a new one. I was reading logs, troubleshooting my DDNS, all kinds of things. Then I decided just to nuke and go again. Then I realized my CA only has a 2-year expiration, so generating new client certificates was never going to work. This already happened to me twice because the default for CAs is 1 year, if I'm not mistaken. So I caught it in the first year, and now in year three. I'll be setting up notifications, monitoring, or something with Ansible.
There are so many ways the user story can be made better here. For example:
1. Use CSS to color expired certificates or CAs to draw the user to that section.
2. When generating client certificates using a self-signed CA, throw an error when the CA is expired.
3. Improve logging to say that it's expired and not just generic "TLS Peer Certificate Validation Failed" or things like that.
These would at least cut down on my 5-hour troubleshooting session and make this less painful when people do forget.