// Copyright (c) HashiCorp, Inc. // SPDX-License-Identifier: BUSL-1.1 package troubleshoot import ( "fmt" "time" envoy_admin_v3 "github.com/envoyproxy/go-control-plane/envoy/admin/v3" "github.com/hashicorp/consul/troubleshoot/validate" "google.golang.org/protobuf/encoding/protojson" ) func (t *Troubleshoot) validateCerts(certs *envoy_admin_v3.Certificates) validate.Messages { var certMessages validate.Messages // TODO: we can probably warn if the expiration date is close now := time.Now() if certs == nil { msg := validate.Message{ Success: false, Message: "Certificate object is nil in the proxy configuration", PossibleActions: []string{ "Check the logs of the Consul agent configuring the local proxy and ensure XDS updates are being sent to the proxy", }, } return []validate.Message{msg} } if len(certs.GetCertificates()) == 0 { msg := validate.Message{ Success: false, Message: "No certificates found", PossibleActions: []string{ "Check the logs of the Consul agent configuring the local proxy and ensure XDS updates are being sent to the proxy", }, } return []validate.Message{msg} } for _, cert := range certs.GetCertificates() { for _, cacert := range cert.GetCaCert() { if now.After(cacert.GetExpirationTime().AsTime()) { msg := validate.Message{ Success: false, Message: "CA certificate is expired", PossibleActions: []string{ "Check the logs of the Consul agent configuring the local proxy and ensure XDS updates are being sent to the proxy", }, } certMessages = append(certMessages, msg) } } for _, cc := range cert.GetCertChain() { if now.After(cc.GetExpirationTime().AsTime()) { msg := validate.Message{ Success: false, Message: "Certificate chain is expired", PossibleActions: []string{ "Check the logs of the Consul agent configuring the local proxy and ensure XDS updates are being sent to the proxy", }, } certMessages = append(certMessages, msg) } } } return certMessages } func (t *Troubleshoot) getEnvoyCerts() (*envoy_admin_v3.Certificates, error) { certsRaw, err := t.request("certs?format=json") if err != nil { return nil, fmt.Errorf("error in requesting Envoy Admin API /certs endpoint: %w", err) } certs := &envoy_admin_v3.Certificates{} unmarshal := &protojson.UnmarshalOptions{ DiscardUnknown: true, } err = unmarshal.Unmarshal(certsRaw, certs) if err != nil { return nil, fmt.Errorf("error in unmarshalling /certs response: %w", err) } t.envoyCerts = certs return certs, nil }