gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-13 22:48:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: M25 post-deployment TLS verification + M26 Traefik/Caddy targets

Browse Source 
M25: After deploying a certificate, the agent probes the live TLS
endpoint and compares SHA-256 fingerprints to verify the correct cert
is being served. Best-effort — failures don't block deployments.
New endpoints: POST /jobs/{id}/verify, GET /jobs/{id}/verification.
Migration 000008 adds verification columns to jobs table.

M26: Traefik target connector (file provider, auto-reload) and Caddy
target connector (dual-mode: admin API hot-reload or file-based).
Both wired into agent dispatch.

Also: restructured README to highlight supported integrations (issuers,
targets, notifiers) earlier, moved API/CLI/MCP sections lower. Updated
all docs (features, connectors, architecture, testing guide, why-certctl)
and fixed integration tests for 18-param RegisterHandlers signature.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Shankar
2026-03-27 21:07:16 -04:00
parent 369a674619
commit 492a392e52
28 changed files with 3365 additions and 177 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/domain/verification.go
+37
View File
@@ -0,0 +1,37 @@
package domain
import "time"
// VerificationStatus represents the status of certificate deployment verification.
type VerificationStatus string
const (
// VerificationPending: verification has not yet been performed.
VerificationPending VerificationStatus = "pending"
// VerificationSuccess: the live TLS endpoint serves the expected certificate.
VerificationSuccess VerificationStatus = "success"
// VerificationFailed: the live TLS endpoint does not serve the expected certificate.
VerificationFailed VerificationStatus = "failed"
// VerificationSkipped: verification was skipped (disabled or not applicable).
VerificationSkipped VerificationStatus = "skipped"
)
// VerificationResult represents the outcome of verifying a deployed certificate
// against the live TLS endpoint it should be serving.
type VerificationResult struct {
// JobID is the ID of the deployment job being verified.
JobID string `json:"job_id"`
// TargetID is the ID of the deployment target.
TargetID string `json:"target_id"`
// ExpectedFingerprint is the SHA-256 fingerprint of the certificate that was deployed.
ExpectedFingerprint string `json:"expected_fingerprint"`
// ActualFingerprint is the SHA-256 fingerprint of the certificate currently being served
// at the live TLS endpoint.
ActualFingerprint string `json:"actual_fingerprint"`
// Verified is true if expected and actual fingerprints match.
Verified bool `json:"verified"`
// VerifiedAt is the timestamp when verification was performed.
VerifiedAt time.Time `json:"verified_at"`
// Error is a non-empty error message if verification failed to complete.
Error string `json:"error,omitempty"`
}