Uploaded image for project: 'Fabric'
  1. Fabric
  2. FAB-17000

Provide notification to users if certs are about to expire



    • Unset
    • Unset
    • Unset
    • Yes


      There are a lot of certs to keep up with in fabric and when they expire, it's exceedingly bad.

      The issue is fabric does nothing to help with this that I've seen.

      I have heard that with Raft, the orderer will log when the raft TLS certs are about to expire.  Can the same be done for enrollment certs for all components?


      One possible issue here is if every component is logging cert expiration warnings, that could get pretty chatty in the logs.  My counter argument here is if it were my prod environment and the certs were about to expire, I think I would want it to be pretty chatty.  Also I think we could limit the time that the logging starts to maybe 1 week before the certs expire?  I think if you get that close, you'd want to be notified even if it's noisy.


      Another better option if it's possible might be to provide a metric for cert expiration time.

      Then a user could monitor this in a graph and set alerts if it gets below a certain threshold and also control how they get alerted based on the remaining time (page if < 1 week, slack if < 2 weeks for example)  Finally, the metrics approach would cause much less noise than the logs.


      The holy grail might be to do both, since metrics is better, but requires more knowledge by the operator to enable, whereas logs you get pretty much for free.


        Issue Links



              yacovm Yacov Manevich
              ptippett Paul Tippett
              0 Vote for this issue
              6 Start watching this issue