
Deadline for certificate expiration check should be configurable #17306

@brakhane

Description


How to use GitHub

  • Please use the 👍 reaction to show that you are interested in the same feature.
  • Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
  • Subscribe to receive notifications on status change and new comments.

Feature request

Which Nextcloud Version are you currently using: (see administration page)
32.0.6

Is your feature request related to a problem? Please describe.
I've recently switched to Let's Encrypt's short-lived certificates (160h = a bit over 6 days), which I renew every 4 days. However, I now get warnings that my certificates for the TURN/STUN servers will expire in 3 days.

That warning would actually be useful if the certificate were to expire in, say, 1 day, because then something has gone wrong (though I have other checks that will notify me), but in the current state the warning is less than useless because I will just ignore it ("the boy who cried wolf" scenario).

Checking the source code, the deadline seems to be hardcoded to 10 days (so even a certificate that has just been renewed would trigger it), with no way to change it or turn it off besides manually disabling the background job.

Describe the solution you'd like
A way to configure the number of days/hours before expiry that should trigger a warning. As an added bonus, it would be nice if it could be made to also check the NC server's certificate, not just the TURN/signaling/recording servers.

Describe alternatives you've considered
Manually disabling the OCA\Talk\BackgroundJob\CheckCertificates background job with OCC

Additional context
To quote Let's Encrypt:

Short-lived certificates improve security by requiring more frequent validation and reducing reliance on unreliable revocation mechanisms. If a certificate’s private key is exposed or compromised, revocation has historically been the way to mitigate damage prior to the certificate’s expiration. Unfortunately, revocation is an unreliable system so many relying parties continue to be vulnerable until the certificate expires, a period as long as 90 days. With short-lived certificates that vulnerability window is greatly reduced.
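To make the mismatch concrete, here is an added Python example (not Nextcloud Talk's own code) that checks a certificate's remaining validity against a configurable deadline and shows why a fixed 10-day deadline can never be quiet for 160h certificates renewed every 4 days. The `parse_enddate` helper, the function names and the `notAfter` date are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Fixed deadline the issue reports as hardcoded in the CheckCertificates job.
HARDCODED_DEADLINE = timedelta(days=10)


def parse_enddate(line: str) -> datetime:
    """Parse the 'notAfter=...' line printed by `openssl x509 -noout -enddate`."""
    _, _, value = line.strip().partition("=")
    # openssl pads single-digit days with two spaces; collapse before parsing.
    stamp = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y %Z")
    return stamp.replace(tzinfo=timezone.utc)


def should_warn(not_after: datetime, now: datetime, deadline: timedelta) -> bool:
    """Warn when the remaining validity is at or below the configured deadline."""
    return not_after - now <= deadline


def warns_on_fresh_cert(lifetime: timedelta, deadline: timedelta) -> bool:
    """True if a certificate triggers the warning the moment it is issued."""
    return lifetime <= deadline


def warns_in_normal_operation(lifetime: timedelta, renew_every: timedelta,
                              deadline: timedelta) -> bool:
    """True if the warning fires even when renewal is on schedule.

    With renewal every `renew_every`, the least validity a healthy cert ever
    has is `lifetime - renew_every`; a deadline at or above that is pure noise.
    """
    return lifetime - renew_every <= deadline


def demo() -> dict:
    # Constructed scenario from the issue: 160h certs renewed every 4 days.
    lifetime, renew_every = timedelta(hours=160), timedelta(days=4)
    not_after = parse_enddate("notAfter=Mar  9 10:00:00 2026 GMT")  # constructed
    just_renewed = not_after - lifetime
    return {
        "fixed_10d_fires_immediately": should_warn(not_after, just_renewed, HARDCODED_DEADLINE),
        "fixed_10d_noisy": warns_in_normal_operation(lifetime, renew_every, HARDCODED_DEADLINE),
        "configured_3d_noisy": warns_in_normal_operation(lifetime, renew_every, timedelta(days=3)),
        "configured_1d_noisy": warns_in_normal_operation(lifetime, renew_every, timedelta(days=1)),
        # A 1-day deadline still catches a cert with only 20h left, i.e. a missed renewal.
        "configured_1d_fires_when_renewal_failed": should_warn(
            not_after, not_after - timedelta(hours=20), timedelta(days=1)),
    }
```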
