
Credhub expires-within-days returns unexpected results #181

Open
3 tasks
benjaminguttmann-avtq opened this issue Mar 17, 2021 · 3 comments

Comments

@benjaminguttmann-avtq

benjaminguttmann-avtq commented Mar 17, 2021

What version of the credhub server you are using?

credhub --version
CLI Version: 2.9.0
Server Version: 2.9.0

What version of the credhub cli you are using?

credhub --version
CLI Version: 2.9.0
Server Version: 2.9.0

If you were attempting to accomplish a task, what was it you were attempting to do?

I was trying to receive a list of certificates expiring within a configured number of days after we created new CA certificates with transitional flag=true.

credhub get -n <some_ca_cert> -k ca still shows the old CA because the transitional flag is configured for new CA.

curl 'https://example.com/api/v1/data?path=some-credential-path&expires-within-days=X'

does not show the expiring certs anymore even if the new CA is just transitional.

What did you expect to happen?

I would expect the endpoint to provide the same information as credhub get, which means if credhub get shows me the old CA value as current, I would expect expires-within-days to provide me a result that also takes the currently 'active' CA into account and not the new one.

What was the actual behavior?

After new CAs with transitional flag were created, the endpoint did not show any expiring certificates anymore.

I saw this note in the credhub api:

Note: If a certificate credential only has one version and it is marked as transitional the credential name will not be returned by this endpoint.

In our case we have 5 versions of the certificate including one version with transitional flag. So I would think we should receive the expiry information.

Please confirm where necessary:

  • I have included a log output
  • My log includes an error message
  • I have included steps for reproduction

If you are a PCF customer with an Operation Manager (PCF Ops Manager) please direct your questions to support (https://support.pivotal.io/)

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/177376438

The labels on this github issue will be updated when the story is started.

@bruce-ricard
Contributor

Hi @benjaminguttmann-avtq , thank you for the report.

We are wondering what curl 'https://example.com/api/v1/data?path=some-credential-path' returns in the case of that certificate that has been regenerated with the transitional=true flag. Does it return the old version or the newly regenerated one?

We understand that the UX is not ideal here, and if we had a lot of free time we would definitely work on improving it. The current state of this behavior is IMHO the following: The v1/data call with expires-within-days= is meant to inform the user of certificates that are about to expire. If a certificate is found with its latest version being transitional, CredHub is assuming that you are aware of that certificate because you appear to have started a rotation, and is hence not going to return it to you.

Did you happen to miss a certificate rotation because for some reason some certificate was marked as transitional and hence not returned by the API?

@staylor14 and I

@benjaminguttmann-avtq
Author

benjaminguttmann-avtq commented Mar 24, 2021

> We are wondering what curl 'https://example.com/api/v1/data?path=some-credential-path' returns in the case of that certificate that has been regenerated with the transitional=true flag. Does it return the old version or the newly regenerated one?

That actually returns the old version without transitional=true.

> Did you happen to miss a certificate rotation because for some reason some certificate was marked as transitional and hence not returned by the API?

Kind of, we sometimes split up the different steps of a rotation to be done with a stemcell update and we missed one of the steps because our safety net (the monitoring of expiring certs) was just relying on the expires-within-days output.
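The two rules discussed in this thread, side by side, as an added example that is not part of the issue and not CredHub's own code: one function mimics the behaviour bruce-ricard describes (a credential whose newest version is transitional is skipped by the expires-within-days query), the other implements the safety net the reporter expected (judge expiry by the version `credhub get` still serves as current, i.e. the newest non-transitional one). The version data is constructed sample data, not real CredHub output, and the field names `transitional` and `expiry_date` are assumptions about the response shape.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real CredHub output). For each credential name,
# its versions are listed newest first. The field names `transitional` and
# `expiry_date` are assumptions about the API response shape.
SAMPLE_CREDENTIALS = {
    # The situation from the issue: 5 versions, the newest one transitional,
    # while the version still served as current expires in about two weeks.
    "/some-credential-path/some_ca_cert": [
        {"id": "v5", "transitional": True, "expiry_date": "2031-03-01T00:00:00Z"},
        {"id": "v4", "transitional": False, "expiry_date": "2021-04-01T00:00:00Z"},
        {"id": "v3", "transitional": False, "expiry_date": "2020-04-01T00:00:00Z"},
        {"id": "v2", "transitional": False, "expiry_date": "2019-04-01T00:00:00Z"},
        {"id": "v1", "transitional": False, "expiry_date": "2018-04-01T00:00:00Z"},
    ],
    # A certificate that is not close to expiry under either rule.
    "/some-credential-path/healthy_leaf": [
        {"id": "v1", "transitional": False, "expiry_date": "2022-01-01T00:00:00Z"},
    ],
    # A certificate that both rules report as expiring.
    "/some-credential-path/expiring_leaf": [
        {"id": "v2", "transitional": False, "expiry_date": "2021-03-25T00:00:00Z"},
        {"id": "v1", "transitional": False, "expiry_date": "2020-03-25T00:00:00Z"},
    ],
}

# The date the issue was opened, used as "now" for the worked example.
ISSUE_DATE = datetime(2021, 3, 17, tzinfo=timezone.utc)


def parse_expiry(stamp):
    """Parse the ISO-8601 UTC timestamp used in the sample data."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def active_version(versions):
    """The version `credhub get` reports as current: the newest non-transitional one."""
    for version in versions:  # versions are newest first
        if not version["transitional"]:
            return version
    return None


def expiring_latest_version_rule(creds, now, days):
    """Behaviour described in the thread: a credential whose newest version is
    transitional is skipped entirely (a rotation is assumed to be under way);
    otherwise expiry is judged by that newest version."""
    cutoff = now + timedelta(days=days)
    names = []
    for name, versions in creds.items():
        newest = versions[0]
        if newest["transitional"]:
            continue
        if parse_expiry(newest["expiry_date"]) <= cutoff:
            names.append(name)
    return sorted(names)


def expiring_active_version_rule(creds, now, days):
    """Safety-net rule the reporter expected: judge expiry by the active version,
    because that is the one clients are still being handed."""
    cutoff = now + timedelta(days=days)
    names = []
    for name, versions in creds.items():
        active = active_version(versions)
        if active is None:
            # Only transitional versions exist, so nothing is served as current.
            # Flag it explicitly rather than letting it disappear from the report.
            names.append(name)
            continue
        if parse_expiry(active["expiry_date"]) <= cutoff:
            names.append(name)
    return sorted(names)


def rotation_gap(creds, now, days):
    """Credentials an expiry monitor relying only on the first rule would miss."""
    hidden = set(expiring_active_version_rule(creds, now, days))
    hidden -= set(expiring_latest_version_rule(creds, now, days))
    return sorted(hidden)


if __name__ == "__main__":
    for name in rotation_gap(SAMPLE_CREDENTIALS, ISSUE_DATE, 30):
        print("expiring but hidden while its newest version is transitional:", name)
```

Running the block with a 30-day window from the issue date reports only the CA from the issue: the leaf certificate that is expiring shows up under both rules, the healthy one under neither, and the CA whose newest version is transitional is exactly the one a monitor built on the server-side rule alone would lose sight of.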
