Skip to main content

SSL/TLS Certificates Collection

SSL/TLS Certificates Collection Collector

To collect certificate chain data on the host, use the certificatesCollection collector.

Unlike the certificate collector, which is designed to collect a specific certificate key pair, the certificatesCollection collector focuses on collecting a collection of certificates from multiple file paths.

Parameters

In addition to the shared collector properties, the certificatesCollection collector accepts the following parameters:

paths (Required)

Includes multiple file paths for certificates on the host.

Example Collector Definition

apiVersion: troubleshoot.sh/v1beta2
kind: SupportBundle
metadata:
name: certificates
spec:
hostCollectors:
- certificatesCollection:
paths:
- /Users/ubuntu/apiserver-kubelet-client.crt
- /etc/ssl/corp.crt

Included Resources

The results of the certificatesCollection collector are stored in the host-collectors/certificatesCollection directory of the support bundle.

[collector-name].json

If the collectorName field is not specified, it will be named certificatesCollection.json.

Example of the resulting file:

[
{
"certificatePath": "/Users/ubuntu/apiserver-kubelet-client.crt",
"certificateChain": [
{
"certificate": "",
"subject": "CN=kubernetes",
"subjectAlternativeNames": [
"kubernetes"
],
"issuer": "CN=kubernetes",
"notAfter": "2033-04-17T06:11:21Z",
"notBefore": "2023-04-20T06:11:21Z",
"isValid": true,
"isCA": true
}
],
"message": "cert-valid"
},
{
"certificatePath": "/etc/ssl/corp.crt",
"message": "cert-missing"
}
]

SSL Certificatess Collection Analyzer

The certificates analyzer validates certificates and checks the expiration day, and can provide multiple outcomes such as:

  • Certificate is valid: The certificate is valid and not expired.
  • notAfter < Today + 4 days: The certificate is about to expired in 4 days.
  • notAfter < Today: The certificate has expired.

Example Analyzer Definition

apiVersion: troubleshoot.sh/v1beta2
kind: SupportBundle
metadata:
name: certificate
spec:
hostAnalyzers:
- certificatesCollection:
outcomes:
- pass:
message: Certificate is valid
- warn:
when: "notAfter < Today + 4 days"
message: Certificate is about to expire
- fail:
when: "notAfter < Today"
message: Certificate is expired