Merged
86 changes: 86 additions & 0 deletions certmanager/README.md
@@ -0,0 +1,86 @@
# Certificate Renewal Script for MOSIP

This script automates the process of checking and renewing certificates for MOSIP's partners.

## Features

* The Script Reads partner IDs from either:

* `PARTNER_IDS_ENV` environment variable when running in a k8s cluster.
* `partner.properties` file while running locally.

* Checks certificate expiry and renews if expired or within the `pre-expiry-days` window.
* Uploads renewed certificates to PMS and propagates to dependent systems:

* **eSignet** for `mpartner-default-esignet`
* **IDA** for `mpartner-default-auth`
* **KeyManager** for `mpartner-default-resident` and `mpartner-default-digitalcard`
* * **PMS** for all other kinds of partners. (including external 3rd party partners)
* Logs actions and results for each partner.

## Configuration

The script reads configuration values from either environment variables or `bootstrap.properties` file.

### Environment Variables (preferred)

| Variable Name | Description |
| -------------------------------- | ------------------------------------------ |
| `db-host` | PostgreSQL host |
| `db-port` | PostgreSQL port |
| `db-su-user` | PostgreSQL superuser |
| `postgres-password` | PostgreSQL password |
| `mosip-api-internal-host` | Internal MOSIP API base host |
| `mosip_deployment_client_secret` | MOSIP PMS client secret for authentication |
| `pre-expiry-days` | Days before expiry to trigger renewal |
| `PARTNER_IDS_ENV` | Comma-separated partner IDs to process |

### bootstrap.properties (fallback)

Provide the same keys as above in `bootstrap.properties` if environment variables are not set.

Example:

```
db-host=localhost
db-port=5432
db-su-user=postgres
postgres-password=postgres
mosip-api-internal-host=api-internal.mosip.net
mosip_deployment_client_secret=secret-key
pre-expiry-days=30
```

### partner.properties

List of sample partner IDs to process when `PARTNER_IDS_ENV` is not set:

```
PARTNER_ID=mpartner-default-auth,mpartner-default-esignet,mpartner-default-resident
```

## Running the Script

### Python (local)

```bash
python checkupdate.py
```



## Outputs

* Logs certificate renewal process to stdout.
* Writes expired partner IDs to `expired.txt`.
* Automatically uploads renewed certificates to appropriate systems.


## Notes

* Ensure PostgreSQL credentials and MOSIP API host are reachable.
* Certificates are checked for expiry using OpenSSL and renewal occurs if expiring within the configured pre-expiry window.
* The script prints detailed progress and failures for each step.

## WIP
* Currently the script can not handle IDA- CRED certificates, team is working towards fixing the same.
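Review bot: The configuration section (the variable table and the `bootstrap.properties` example) asks for the PostgreSQL superuser credentials (`db-su-user`, `postgres-password`) plus the PMS client secret, and the fallback example shows them written in plaintext; the README should state that `bootstrap.properties` must be kept out of version control (e.g. listed in `.gitignore`) and either document a least-privilege database role for the script or explain why a superuser is required, since a certificate-renewal job reading partner data should not need one. Smaller points in the same hunk: the Features list carries a doubled bullet marker in `* * **PMS** for all other kinds of partners.`; the "Environment Variables (preferred)" table mixes hyphenated keys (`db-host`) with underscore (`mosip_deployment_client_secret`) and uppercase (`PARTNER_IDS_ENV`) names, and a hyphenated name cannot be exported from a POSIX shell, so clarify whether these are property keys the script maps to environment variables or literal variable names; "Running the Script" covers only `python checkupdate.py` locally although the Features section describes a k8s-cluster mode driven by `PARTNER_IDS_ENV`, so a short cluster-run note would help; and the stray space in `IDA- CRED` under WIP looks like a typo.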