Bug #19078
closedIt's extremely difficult for an user to know there's a problem with root certificates
Description
We had a case very hard to diagnose on gitter: https://gitter.im/normation/rudder?at=60589649bc554b42d6180756 (and related comments).
The problem was that there was an inconsistency between the root server private key and certificate because of a partial backup restauration (the user wasn't aware of that either).
This is typically the example of thing that should be checked in the healthcheck:
- it's a rare occurence, so neither users nor rudder dev think to it first hand,
- the debugin is not easy, it needs to analyse logs, see that there is some openssl errors that matters, etc
- documentation won't help: of course private and public key must match. And of course a backup should not be partial.
But it's something easy to check automatically, since it's an invariant, one of these truth that must hold at all time.
(and the check by itself should be easy enought, we just need to check that the private/public keys/certificates matches (https://stackoverflow.com/questions/49426844/how-to-validate-a-public-and-private-key-pair-in-java))