@reubenmiller reubenmiller commented Apr 1, 2025

Proposed changes

Add certificate renewal service which is a dependency of the tedge-mapper-c8y service (and its systemd template variant).

The renewal is called by the systemd components (timer and script); however, a script has been created to reliably renew the certificate, verify it, and roll back to the previous certificate if necessary.

Note: The certificate renewer service will be installed and enabled by default when using the tedge-mapper-c8y service. However, the renewal will fail if the user has not activated the new Cumulocity certificate-authority feature.

Types of changes

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Improvement (general improvements like code refactoring that doesn't explicitly fix a bug or add any new functionality)
  • Documentation Update (if none of the other choices apply)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Paste Link to the issue


Checklist

  • I have read the CONTRIBUTING doc
  • I have signed the CLA (in all commits with git commit -s. You can activate automatic signing by running just prepare-dev once)
  • I ran just format as mentioned in CODING_GUIDELINES
  • I used just check as mentioned in CODING_GUIDELINES
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Further comments

@reubenmiller reubenmiller temporarily deployed to Test Pull Request April 1, 2025 17:32 — with GitHub Actions Inactive
@reubenmiller reubenmiller added the theme:certificates Theme: Device certificate topics label Apr 1, 2025

github-actions bot commented Apr 1, 2025

Robot Results

| ✅ Passed | ❌ Failed | ⏭️ Skipped | Total | Pass % | ⏱️ Duration |
|---|---|---|---|---|---|
| 613 | 0 | 3 | 613 | 100 | 1h43m40.650339s |

codecov bot commented Apr 11, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅


@reubenmiller reubenmiller temporarily deployed to Test Pull Request April 17, 2025 08:53 — with GitHub Actions Inactive
@reubenmiller reubenmiller marked this pull request as ready for review April 17, 2025 08:56
@reubenmiller reubenmiller requested review from rina23q and a team as code owners April 17, 2025 08:56

@didier-wenzek didier-wenzek left a comment

Approved. Nice to see that no more script is required to wrap tedge cert.

Comment on lines +12 to +13
; Always run the timer on time
AccuracySec=1us
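
Review bot: the comment above `AccuracySec=1us` ("Always run the timer on time") does not say why microsecond accuracy is needed. The systemd default for AccuracySec is 1min, and it exists so that timer wake-ups can be coalesced to save power, so consider extending the comment to state what the default window would break for the renewal timer, or relaxing the value to the coarsest one the renewal schedule tolerates.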

Surprising to have such a precise accuracy for randomized delays, but indeed recommended.

Execute Command tedge reconnect c8y

# Enforce a renewal using the service
Execute Command sudo tedge config set certificate.validity.minimum_duration 365d

Smart way to force a renewal without hacking the service nor the certificate :-)

Signed-off-by: reubenmiller <reuben.d.miller@gmail.com>
Merged via the queue into thin-edge:main with commit 3e0f3f3 Apr 17, 2025
34 checks passed