Certificate Bot Refresh and TTLs

[russjones]

Upcoming certificate bot project should support the following refresh intervals and TTLs.

Max TTL

The maximum TTL defines the maximum time this bot user (and renewable certificate) will exist.

$ tctl bots add --name=jenkins --roles=foo,bar --bot-ttl=3d

Refresh Interval

The refresh TTL defines how often the renewable certificate is refreshed.

$ tctl bots add --name=jenkins --roles=foo,bar --refresh-interval=1h

Certificate TTL

The certificate TTL defines how long the short lived certificates will live for.

$ tctl bots add --name=jenkins --roles=foo,bar --cert-ttl=5m

[russjones]

Needs better names for --refresh-interval and --cert-ttl.

[timothyb89]

I wonder if we can put an expiration on the bot's backing user and role to implement a max TTL? (And probably have generateUserCerts() cap the cert's validBefore to the user's TTL for good measure)

Certificate TTL and refresh interval are currently client-side flags, so I'm curious if there's specific desire to move them server-side or if they're in an appropriate place already. The server does enforce a maximum renewal duration but it's global and not currently configurable.

[xinding33]

In the current proposal:

• bot-ttl refers to the max time the bot user should exist (meaning that the user should be deleted after this time is up)
• refresh-interval refers to how frequently the bot's certs (both primary and secondary) are renewed
• cert-ttl refers to how long issued certs (both primary and secondary) should be valid for

@russjones I agree that bot-ttl should be a tctl parameter since that should be specified at bot user creation time. However, both cert-ttl and refresh-interval currently are implemented as tbot parameters rather than tctl. I think these two parameters should remain in tbot.

On naming:

• Since refresh-interval and cert-ttl affect both primary and secondary certs, we can't really use more specific nouns such as primary, secondary, agent, etc.
• Since we already use the term ttl in bot-ttl, I suggest we either keep cert-ttl (maybe make it plural, i.e. cert-ttls) or, if we want to change terminology, we should change both (i.e. bot-ttl --> bot-validity/bot-lifetime and cert-ttl --> cert-validity/cert-lifetime). Let's Encrypt uses the lifetime terminology.
• Thoughts on refresh-interval --> renewal-frequency/renew-frequency? "Renew" tends to be the more common verb in reference to certificates. Interval technically refers to "distance in space" whereas frequency is more appropriate for time (frequency can be the rate of occurrence of anything).

All in all, my vote would be for:

• bot-lifetime
• cert-lifetime
• renewal-frequency

[russjones]

@timothyb89 These are all implemented now right?

[timothyb89]

Mostly. The ttl - > lifetime change did not make it into #10833, and per a discussion with Xin, we decided to use --renewal-interval.

I imagine we could still push through the ttl -> lifetime rename if there are strong feelings about it.