#1968 Advance notice of certificate expiry would be useful
Closed: Fixed None Opened 14 years ago by bruno.

I would have found it useful to have been notified by email (if I was I didn't notice the message) that my certificate had expired or was due to do so soon. Finding out while I am trying to build packages isn't the most convenient time to deal with changing it, as some systems have a delay before getting the updated certificate.


I know dennis was working on a simple CLI tool that would re-get it after it had expired. I'm not sure of its status though. CCing.

It might be that in my case it was more dealing with remembering the various things to rebuild the other files dependent on the new cert, more than delays in various services seeing the update.
But either way, it would be nice to deal with this at a convenient time.

Is dennis still working on this? Does it still need to be worked on or in other words, is it still an issue? Exactly what certificates are being referred to? FAS public keys? I'm not in the packaging or releng groups so I'm just trying to ascertain what the aforementioned certificates are.

I believe it was the FAS certificate. I don't think ssh keys normally expire.

Updated FAS certificates should be usable immediately (ssh keys have a delay in propagating to hosts).

Dennis wrote fedora-cert (yum install fedora-cert) which is built from the fedora-packager source package.

Notification of cert expiry hasn't been done but would take some effort. Currently, fas is really just pointing you at how to get a cert. That cert is generated by an external script which keeps track of valid certs and revocations. The fas server itself doesn't know about any of that information.

This might also block on ticket:466

We can do this now via fedmsg.

Since a fedmsg is emitted when someone gets a new cert, and all certs are valid for 6 months, we can have a script that runs a datagrepper query from a cron (daily?) and mails all the people whose certs will expire in 1 week or something.

I wrote something to do this:

https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/koji_reminder/files/koji-cert-reminder.py
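As an added illustration of the cron-plus-datagrepper approach described in the thread (this is not the linked koji-cert-reminder.py and not part of this ticket), the script below runs offline on a constructed set of datagrepper-style messages; the topic name and the `msg["user"]` field are assumptions, not the real fedmsg schema.

```python
import calendar
from datetime import datetime, timedelta, timezone

# Constructed datagrepper-style sample; the topic name and msg["user"] field
# are assumptions for this illustration, not the real fedmsg schema.
CERT_TOPIC = "org.fedoraproject.prod.fas.cert.issued"  # assumed topic name
SAMPLE_MESSAGES = [
    {"topic": CERT_TOPIC, "timestamp": 1388534400, "msg": {"user": "alice"}},  # 2014-01-01
    {"topic": CERT_TOPIC, "timestamp": 1396310400, "msg": {"user": "alice"}},  # 2014-04-01, renewal
    {"topic": CERT_TOPIC, "timestamp": 1399161600, "msg": {"user": "bob"}},    # 2014-05-04
    {"topic": "org.fedoraproject.prod.fas.user.update",
     "timestamp": 1399161600, "msg": {"user": "carol"}},                       # unrelated topic
]


def utc_day(year, month, day):
    """Midnight UTC for a calendar date (helper for cron 'today')."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def add_months(when, months):
    """Calendar-aware month arithmetic (e.g. Aug 31 + 6 months -> Feb 28/29)."""
    idx = when.month - 1 + months
    year, month = when.year + idx // 12, idx % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def latest_cert_per_user(messages, topic=CERT_TOPIC):
    """Keep only the newest issuance per user: a renewal supersedes the old cert."""
    latest = {}
    for m in messages:
        if m["topic"] != topic:
            continue
        issued = datetime.fromtimestamp(m["timestamp"], tz=timezone.utc)
        user = m["msg"]["user"]
        if user not in latest or issued > latest[user]:
            latest[user] = issued
    return latest


def users_to_remind(messages, now, warn_days=7, validity_months=6):
    """Users whose current cert expires within warn_days of `now` (not yet expired)."""
    window_end = now + timedelta(days=warn_days)
    due = []
    for user, issued in latest_cert_per_user(messages).items():
        expiry = add_months(issued, validity_months)
        if now <= expiry <= window_end:
            due.append((user, expiry.date().isoformat()))
    return sorted(due)


if __name__ == "__main__":
    for user, expiry in users_to_remind(SAMPLE_MESSAGES, utc_day(2014, 9, 26)):
        print(f"reminder: {user}'s cert expires on {expiry}")  # mail step goes here
```

Run daily from cron with `now` set to the current date; the 7-day window means each user is mailed on several consecutive days, so a real deployment should also record who has already been notified.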

Since none of us remembered this, we should probably go over the setup surrounding it with a fine-toothed comb to make sure it's working correctly (or see if it needs to be enabled, or...).

It is deployed to sundries01 via the playbooks/groups/sundries.yml playbook, but for some reason, /var/log/koji-cert-reminder.log was empty when I went to look at it.

I inspected the playbook and the role, but nothing seemed odd. I made a number of cosmetic improvements so the logs will be hopefully more helpful next time around.

It is currently set to run weekly. We should check back on the logs in 1 week and see if it completed successfully via cron.

ok, we sorted out why this wasn't running and fixed it. It should be in place now. ;)
