lacework-global-213
Load balancer SSL certificate expiring soon (Automated)
Description
Alert when the SSL certificate in a load balancer expires within 45 days. Rotate SSL certificates on a timely basis to ensure security and usability.
This policy checks for expiring certificates attached to both backend sets and listeners.
Remediation
From Console:
- Log in to the OCI console.
- Select Networking from the Services menu.
- Select Load Balancer from the Networking menu.
- Click the name of a load balancer with an expiring SSL certificate.
- Click Certificates, then click the name of the certificate that is expiring.
- Click Renew Certificate.
- Set Not Valid After to a date of 45 days or more in the future.
- Click Renew Certificate.
- Repeat steps 4-8 for all load balancers with expiring certificates.
From CLI:
(Note: The OCI CLI does not currently provide a means of renewing certificates equivalent to the console's Renew Certificate action.)
Execute the following command to get a list of load balancers:
oci lb load-balancer list --compartment-id <compartment_ocid>
For each load balancer, execute the following command to get the attached backend-sets:
oci lb backend-set list --load-balancer-id <load_balancer_ocid>
Note: The OCI CLI does not provide a command for listing listeners directly. You can extract them from the output of the command in step 1, within the listeners element.
For each backend set and listener, examine the ssl-configuration, extract the certificate-ids, and execute the following command for each certificate:
oci certs-mgmt certificate get --certificate-id <certificate_ocid>
If the date in time-of-validity-not-after is less than 45 days away, then you must delete the certificate and create a new one, as follows:
oci lb certificate delete --load-balancer-id <load_balancer_ocid> --certificate-name <certificate_name>
and then:
oci lb certificate create --load-balancer-id <load_balancer_ocid> --certificate-name <certificate_name>
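The CLI procedure above is manual per load balancer. The following is an added example (not part of the Lacework policy or the OCI CLI) that automates the check: it parses the JSON that `oci lb load-balancer list` and `oci certs-mgmt certificate get` emit, walks every listener and backend set, and reports any certificate whose time-of-validity-not-after is less than 45 days away. The JSON layouts used here (a `listeners` and `backend-sets` map with an `ssl-configuration` holding `certificate-ids` and `certificate-name`, and a `data.current-version.validity.time-of-validity-not-after` field on the certificate) are assumptions about the CLI output shape; the OCIDs, names and dates in the samples are constructed and the clock is fixed so the result is reproducible.

```python
"""Added example: flag OCI load balancer certificates expiring within 45 days.

The JSON layouts are assumptions about OCI CLI output; all sample data is constructed.
"""
import json
import subprocess
from datetime import datetime, timezone

THRESHOLD_DAYS = 45

# Constructed sample in the assumed shape of `oci lb load-balancer list`.
SAMPLE_LB_LIST = json.loads("""
{
  "data": [
    {
      "id": "ocid1.loadbalancer.oc1..example-lb-1",
      "display-name": "web-lb",
      "listeners": {
        "https-443": {
          "port": 443,
          "ssl-configuration": {
            "certificate-ids": ["ocid1.certificate.oc1..example-cert-a"],
            "certificate-name": null
          }
        },
        "http-80": {"port": 80, "ssl-configuration": null}
      },
      "backend-sets": {
        "app-backends": {
          "ssl-configuration": {
            "certificate-ids": ["ocid1.certificate.oc1..example-cert-b"],
            "certificate-name": null
          }
        },
        "legacy-backends": {
          "ssl-configuration": {"certificate-ids": [], "certificate-name": "lb-managed-cert"}
        }
      }
    }
  ]
}
""")

# Constructed sample in the assumed shape of `oci certs-mgmt certificate get`, keyed by OCID.
SAMPLE_CERTS = {
    "ocid1.certificate.oc1..example-cert-a": {"data": {"current-version": {
        "validity": {"time-of-validity-not-after": "2025-05-31T00:00:00.000Z"}}}},
    "ocid1.certificate.oc1..example-cert-b": {"data": {"current-version": {
        "validity": {"time-of-validity-not-after": "2025-12-31T00:00:00.000Z"}}}},
}

# Fixed clock so the sample evaluation is reproducible (use datetime.now(timezone.utc) live).
FIXED_NOW = datetime(2025, 5, 1, tzinfo=timezone.utc)


def run_oci(*args):
    """Run a real OCI CLI command and parse its JSON output (for live use, not exercised here)."""
    out = subprocess.run(["oci", *args], check=True, capture_output=True, text=True)
    return json.loads(out.stdout)


def parse_oci_time(value):
    """OCI timestamps are ISO 8601 with a trailing Z; return a tz-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def ssl_references(lb):
    """Yield (component, name, ssl-configuration) for each listener/backend set that has TLS configured."""
    for component in ("listeners", "backend-sets"):
        for name, cfg in (lb.get(component) or {}).items():
            ssl = cfg.get("ssl-configuration")
            if ssl:
                yield component, name, ssl


def expiring_certificates(lb_list, get_certificate, now, threshold_days=THRESHOLD_DAYS):
    """Return one finding per component whose Certificates-service cert expires within threshold_days."""
    findings = []
    for lb in lb_list["data"]:
        for component, name, ssl in ssl_references(lb):
            for cert_id in ssl.get("certificate-ids") or []:
                cert = get_certificate(cert_id)
                not_after = parse_oci_time(
                    cert["data"]["current-version"]["validity"]["time-of-validity-not-after"])
                days_left = (not_after - now).days
                if days_left < threshold_days:
                    findings.append({"load_balancer": lb["display-name"], "component": component,
                                     "name": name, "certificate_id": cert_id, "days_left": days_left})
    return findings


def lb_managed_certificate_names(lb_list):
    """Certificates referenced by name are stored in the load balancer itself, not in certs-mgmt,
    so they cannot be checked with `certificate get`; list them for manual follow-up."""
    names = set()
    for lb in lb_list["data"]:
        for _component, _name, ssl in ssl_references(lb):
            if ssl.get("certificate-name"):
                names.add((lb["display-name"], ssl["certificate-name"]))
    return sorted(names)


if __name__ == "__main__":
    for f in expiring_certificates(SAMPLE_LB_LIST, SAMPLE_CERTS.__getitem__, FIXED_NOW):
        print(f"EXPIRING in {f['days_left']}d: {f['load_balancer']} "
              f"{f['component']}/{f['name']} -> {f['certificate_id']}")
    for lb_name, cert_name in lb_managed_certificate_names(SAMPLE_LB_LIST):
        print(f"UNCHECKED (load-balancer-managed): {lb_name} certificate {cert_name}")
```

Against the constructed sample, the listener certificate (30 days left) is reported and the backend-set certificate (244 days left) is not. For a live tenancy, pass `run_oci("lb", "load-balancer", "list", "--compartment-id", <compartment_ocid>)` as the first argument and a callable that wraps `run_oci("certs-mgmt", "certificate", "get", "--certificate-id", cert_id)` as the second; certificates referenced by `certificate-name` rather than `certificate-ids` still need the `oci lb certificate` commands in the procedure above.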
References
https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__LB_CERTIFICATE_EXPIRING_SOON
https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managingcertificates.htm
https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/create_certificate.htm
https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/update_certificate.htm
https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/delete_certificate.htm