lacework-global-213

Load balancer SSL certificate expiring soon (Automated)

Description

Alert when the SSL certificate in a load balancer expires within 45 days. Rotate SSL certificates on a timely basis to ensure security and usability.

note

This policy checks for expiring certificates attached to both backend sets and listeners.

Remediation

From Console:

  1. Login to OCI console.
  2. Select Networking from Services menu.
  3. Select Load Balancer from Networking menu.
  4. Click the name of a load balancer with an expiring SSL certificate.
  5. Click Certificates and the name of the certificate that is expiring.
  6. Click Renew Certificate.
  7. Set Not Valid After to a date of 45 days or more in the future.
  8. Click Renew Certificate.
  9. Repeat steps 4-8 for all load balancers with expiring certificates.

From CLI:

(Note: The OCI CLI does not currently provide a way to renew a certificate in place, as the console does.)

  1. Execute the following command to get a list of load balancers:

    oci lb load-balancer list --compartment-id <compartment_ocid>
  2. For each load balancer, execute the following command to get the attached backend sets:

    oci lb backend-set list --load-balancer-id <load_balancer_ocid>
    note

    The OCI CLI does not provide a command for listing listeners directly. You can extract them from the output of the command in step 1, within the listeners element.

  3. For each backend set and listener, examine the ssl-configuration, extract the certificate-ids and execute the following command for each one:

    oci certs-mgmt certificate get --certificate-id <certificate_ocid>
  4. If the date in time-of-validity-not-after is less than 45 days in the future, you must delete the certificate and create a new one, as follows:

    oci lb certificate delete --load-balancer-id <load_balancer_ocid> --certificate-name <certificate_name>

    And

    oci lb certificate create --load-balancer-id <load_balancer_ocid> --certificate-name <certificate_name> --public-certificate-file <public_certificate_pem> --private-key-file <private_key_pem>
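The CLI steps above (list load balancers, walk the ssl-configuration of every listener and backend set, fetch each referenced certificate, compare time-of-validity-not-after against the 45-day window) can be automated once the CLI output has been saved as JSON. The following script is an added example, not Lacework's or Oracle's code. It assumes the CLI's JSON wraps results in a top-level "data" key, that listeners and backend-sets are maps keyed by name, and that a certs-mgmt certificate's expiry sits under current-version -> validity; the sample documents and OCIDs are constructed for this example and are not real resources.

```python
"""Flag OCI load balancer certificates that expire within 45 days.

Added example. Input documents mimic `oci lb load-balancer list` and
`oci certs-mgmt certificate get` output (nesting is an assumption).
"""
from datetime import datetime, timezone

EXPIRY_WINDOW_DAYS = 45

# Fixed "now" so the sample below is reproducible (constructed, not real).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed stand-in for `oci lb load-balancer list` output.
SAMPLE_LBS = {"data": [
    {"display-name": "web-lb", "id": "ocid1.loadbalancer.oc1..EXAMPLE1",
     "listeners": {"https-443": {"ssl-configuration": {
         "certificate-ids": ["ocid1.certificate.oc1..SOON_EXAMPLE"]}}},
     "backend-sets": {"app-bs": {"ssl-configuration": {
         "certificate-ids": ["ocid1.certificate.oc1..OK_EXAMPLE"]}}}},
    {"display-name": "legacy-lb", "id": "ocid1.loadbalancer.oc1..EXAMPLE2",
     "listeners": {"plain-80": {}},   # no TLS: nothing to check
     "backend-sets": {"old-bs": {"ssl-configuration": {
         "certificate-ids": ["ocid1.certificate.oc1..EXPIRED_EXAMPLE"]}}}},
]}

# Constructed stand-ins for `oci certs-mgmt certificate get`, keyed by OCID.
SAMPLE_CERTS = {
    "ocid1.certificate.oc1..SOON_EXAMPLE": {"data": {"current-version": {"validity": {
        "time-of-validity-not-after": "2024-01-11T00:00:00.000Z"}}}},     # 10 days
    "ocid1.certificate.oc1..OK_EXAMPLE": {"data": {"current-version": {"validity": {
        "time-of-validity-not-after": "2024-07-19T00:00:00.000Z"}}}},     # 200 days
    "ocid1.certificate.oc1..EXPIRED_EXAMPLE": {"data": {"current-version": {"validity": {
        "time-of-validity-not-after": "2023-12-25T00:00:00.000Z"}}}},     # already expired
}


def iter_ssl_configs(load_balancer):
    """Yield (kind, name, ssl-configuration) for every TLS-enabled listener and backend set."""
    for kind in ("listeners", "backend-sets"):
        for name, resource in (load_balancer.get(kind) or {}).items():
            ssl = resource.get("ssl-configuration")
            if ssl:
                yield kind, name, ssl


def days_until_expiry(not_after_iso, now):
    """Days from `now` to the certificate's not-after timestamp (negative if already expired)."""
    not_after = datetime.fromisoformat(not_after_iso.replace("Z", "+00:00"))
    return (not_after - now).total_seconds() / 86400


def find_expiring(lb_list, cert_lookup, now, window_days=EXPIRY_WINDOW_DAYS):
    """Return one finding per certificate reference whose expiry is inside the window.

    Expired certificates are reported too: they satisfy `days < window_days`,
    which matches the policy's 'less than 45 days' test.
    """
    findings = []
    for lb in lb_list["data"]:
        for kind, name, ssl in iter_ssl_configs(lb):
            for cert_id in ssl.get("certificate-ids") or []:
                cert = cert_lookup[cert_id]
                not_after = cert["data"]["current-version"]["validity"]["time-of-validity-not-after"]
                days = days_until_expiry(not_after, now)
                if days < window_days:
                    findings.append({
                        "load_balancer": lb["display-name"],
                        "resource": f"{kind}/{name}",
                        "certificate_id": cert_id,
                        "not_after": not_after,
                        "days_left": days,
                    })
    # Most urgent first so an operator can work the list top-down.
    return sorted(findings, key=lambda f: f["days_left"])


def sample_findings():
    """Run the check over the constructed sample data."""
    return find_expiring(SAMPLE_LBS, SAMPLE_CERTS, NOW)


if __name__ == "__main__":
    for f in sample_findings():
        state = "EXPIRED" if f["days_left"] < 0 else f"{f['days_left']:.0f} days left"
        print(f"{f['load_balancer']} {f['resource']} {f['certificate_id']}: {state}")
```

On real data, replace SAMPLE_LBS and SAMPLE_CERTS with the saved output of the commands in steps 1 and 3 (json.load on the files) and NOW with datetime.now(timezone.utc). Certificates referenced by certificate-name rather than certificate-ids are load balancer managed and are not covered by this lookup; the script only follows certificate-ids, as the procedure above does.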

References

https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__LB_CERTIFICATE_EXPIRING_SOON
https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managingcertificates.htm
https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/create_certificate.htm
https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/update_certificate.htm
https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/delete_certificate.htm