[SERVER-15494] Certification expiration warning improvements Created: 01/Oct/14  Updated: 06/Dec/22

Status: Backlog
Project: Core Server
Component/s: Security
Affects Version/s: 2.7.6
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Hannes Magnusson Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 0
Labels: 28qa, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Gantt Dependency
Related
is related to SERVER-10961 Warn if a server certificate is about... Closed
Assigned Teams:
Server Security
Participants:

 Description   

As of 2.7 we issue a warning for a long-running mongod that the certificate it is using is about to expire.

When starting mongod with a certificate about to expire we issue no such warning until 24 hours after launching mongod.
The warning should be printed into the startupLog at startup, which also makes it visible in MMS.

Furthermore, once the certificate expires (on a running mongod) mongod will happily continue to run (issuing a warning message that the certificate is expired into the logs) - and leaves it up to the clients to decide on trusting the certificate or not.
If mongod is restarted for any reason - it will not start up again. It will abort due to the expired certificate.
This seems very inconsistent and unexpected behaviour. There should be a way to --i-know-its-expired-but-I-must-startup-mongod
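
A pre-restart check for the situation this ticket describes, as an added example that is not part of the original issue or of MongoDB's code: it classifies the certificate mongod would load with `openssl x509 -checkend`, so an expired or soon-to-expire certificate is noticed before a restart aborts. The function name `cert_status` and the `WARN_DAYS` threshold are assumptions.

```shell
#!/bin/sh
# Added example: classify a PEM certificate before restarting mongod.
# WARN_DAYS is an assumed threshold, not a value taken from the ticket.
WARN_DAYS="${WARN_DAYS:-30}"

# cert_status PEM_FILE
# Prints exactly one word and always returns 0:
#   ok         - valid for longer than WARN_DAYS
#   expiring   - still valid, but expires within WARN_DAYS
#   expired    - already past notAfter (a restart would abort, per the ticket)
#   unreadable - openssl could not parse a certificate from the file
cert_status() {
    pem="$1"
    # Confirm the file contains a certificate openssl can parse.
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo unreadable
        return 0
    fi
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
        return 0
    fi
    if ! openssl x509 -in "$pem" -noout \
            -checkend "$((WARN_DAYS * 86400))" >/dev/null 2>&1; then
        echo expiring
        return 0
    fi
    echo ok
}

# Usage: sh check_cert.sh /path/to/server.pem
# Exits non-zero unless the certificate is "ok", so it can gate a restart script.
if [ "$#" -ge 1 ]; then
    status=$(cert_status "$1")
    echo "$1: $status"
    [ "$status" = ok ]
fi
```

Run on a schedule as well as before restarts, this gives the early notice that the ticket asks mongod to print at startup.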

