Certificate Expiration Notification

jeremias.lubberger:
Hello everyone,

first time posting here, so if this is the wrong topic, please feel free to move the thread.

I have a question that was asked on this forum once before (https://forum.opnsense.org/index.php?topic=10860.0), but got no replies/answers. It's pretty simple:
"Is there a way to get notified when certificates are about to expire?"

In our case (as in the post linked above), it's about SSL certificates used for VPN. It would be a good idea for other certificates too, I guess.

Thanks and regards

Patrick M. Hausen:
I am not aware of any mechanism in OPNsense. But there are of course mechanisms outside of the product.

* Commercial CAs usually send you an email when a certificate is about to expire.
* Letsencrypt sends you email when a certificate is about to expire.
* Icinga, Nagios, Zabbix ... can check certificates online and warn you when they are about to expire.
That's more than enough choices for our use cases.

jeremias.lubberger:
Thanks for the reply!

While those mechanisms you mention definitely work "outside of the product", we use internal certificates generated by OPNsense for the VPN accounts of our employees.

I guess we have to schedule notifications in our calendar then :-/

gyterpena:
I know this is a bit old, but I just wrote this ugly thing to email us 28-61 days before certs expire.
It's run weekly by cron from our Ansible host.
You need to set up SSH key auth for scp and make sure the firewall names in declare resolve.
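The script itself is not in the thread, so here is one way to do the expiry check that post describes, written for this page as an added example: it is not OPNsense code and not the poster's script. It assumes the workflow from the post (the firewall's config.xml has been copied over with scp, on OPNsense from /conf/config.xml, and a cron job on the Ansible host runs the check and mails the result), and that certificates and CAs live in config.xml as <cert>/<ca> elements whose <crt> child holds the base64 of the PEM text. The notAfter date is pulled straight out of the DER with a small TLV walker so nothing beyond the Python standard library is needed; the sample config and the certificate skeletons inside it are constructed for the example and are not real certificates.

```python
"""Find certificates in an OPNsense-style config.xml that expire soon.

Added example, not OPNsense's code and not the script from the post above.
Assumptions: certificates and CAs sit in <cert>/<ca> elements whose <crt>
child is the base64 of the PEM text (the config.xml layout OPNsense and
pfSense use); the DER walker only reads the Validity field and does not
check signatures, so this is a monitor, not a validator.
"""
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone


def der_tlv(data, pos=0):
    """Decode one DER element at pos: returns (tag, value, next_pos). Single-byte tags only."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each element packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, body, pos = der_tlv(value, pos)
        yield tag, body


def parse_time(tag, body):
    """Decode an X.509 Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18)."""
    text = body.decode("ascii")
    if tag == 0x17:                        # RFC 5280: YY < 50 means 20YY, otherwise 19YY
        text = ("20" if int(text[:2]) < 50 else "19") + text
    elif tag != 0x18:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def not_after(der):
    """Walk Certificate -> TBSCertificate -> Validity and return notAfter as an aware datetime."""
    _, cert, _ = der_tlv(der)
    _, tbs, _ = der_tlv(cert)
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    _, (tag, body) = list(der_children(fields[3][1]))[:2]
    return parse_time(tag, body)


def pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem))


def expiring_certs(config_xml, days, now=None):
    """Return [(descr, notAfter, days_left)] for every cert/CA with days_left <= days.
    Already-expired entries come back with a negative days_left: an expired VPN
    certificate is exactly the case you want the email about."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(config_xml)
    found = []
    for kind in ("ca", "cert"):
        for el in root.iter(kind):
            crt = el.findtext("crt")
            if not crt:
                continue
            exp = not_after(pem_to_der(base64.b64decode(crt).decode("ascii")))
            left = (exp - now).days
            if left <= days:
                found.append((el.findtext("descr", ""), exp, left))
    return found


# --- constructed sample input (not taken from a real firewall) ---------------

def tlv(tag, body):
    """Minimal DER encoder, used only to build the sample certificate skeletons."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def skeleton_cert(cn, nb, na):
    """Unsigned DER skeleton carrying only the fields not_after() walks; not a usable certificate."""
    utc = lambda d: tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    sha256rsa = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sha256rsa + name
           + tlv(0x30, utc(nb) + utc(na)) + name)
    return tlv(0x30, tlv(0x30, tbs) + sha256rsa + tlv(0x03, b"\x00"))


def sample_config(entries):
    """Wrap (descr, notBefore, notAfter) triples as OPNsense-style <cert> elements."""
    items = []
    for descr, nb, na in entries:
        pem = ("-----BEGIN CERTIFICATE-----\n"
               + base64.encodebytes(skeleton_cert(descr, nb, na)).decode("ascii")
               + "-----END CERTIFICATE-----\n")
        items.append("<cert><descr>%s</descr><crt>%s</crt></cert>"
                     % (descr, base64.b64encode(pem.encode("ascii")).decode("ascii")))
    return "<opnsense>%s</opnsense>" % "".join(items)


SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_XML = sample_config([
    ("alice-vpn", datetime(2023, 1, 1), datetime(2024, 1, 15)),   # 14 days left
    ("bob-vpn",   datetime(2023, 1, 1), datetime(2025, 6, 1)),    # fine
    ("carol-vpn", datetime(2022, 12, 1), datetime(2023, 12, 1)),  # already expired
])


def demo(days=28):
    """What the weekly cron job would put into the mail body."""
    return expiring_certs(SAMPLE_XML, days, now=SAMPLE_NOW)


if __name__ == "__main__":
    for descr, exp, left in demo():
        print("%-12s expires %s (%d days)" % (descr, exp.date(), left))
```

On a real host, replace SAMPLE_XML with the contents of the scp'd config.xml, pipe the printed lines into mail, and exit non-zero when the list is non-empty so cron's own failure mail catches the case where the mail step itself breaks. Because the walker reads notAfter without verifying anything, treat it as an inventory check only; the VPN server still decides what is valid.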

Reiner030:
Even though this topic is over one year old, there is still an important reason to implement such an expiry notification, as has been implemented in pfSense for ages.

One good reason was mentioned already: the internal CA can't be monitored by external CA services.
Additionally, there is no "check_cert" from Nagios/Icinga/Check_MK or any other monitoring system which can check the CA's validity, because it can only check the server certificate itself.
Also, client certificates can't be checked, neither on the firewall nor on all the needed "client devices".

EDIT: The notifications seem to have been implemented "only" since Aug 2019:
https://redmine.pfsense.org/issues/9703
But I already knew 10 years ago that on the certificate page, certificates with short expiry times were marked so they could be found and renewed easily...
