Doctor plugin checks: implement health check classes and documentation
Implement remediation-aware health checks across all Doctor plugin modules (Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment, EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release, Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation, Authority, Core, Cryptography, Database, Docker, Integration, Notify, Observability, Security, ServiceGraph, Sources, Verification). Each check now emits structured remediation metadata (severity, category, runbook links, and fix suggestions) consumed by the Doctor dashboard remediation panel.

Also adds:

- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
53
docs/doctor/articles/timestamping/crl-distribution.md
Normal file
@@ -0,0 +1,53 @@
---
checkId: check.timestamp.crl.distribution
plugin: stellaops.doctor.timestamping
severity: warn
tags: [timestamping, crl, distribution, revocation]
---
# CRL Distribution Point Availability
## What It Checks
Checks that configured CRL distribution points are accessible. The check:
- Gets configured CDPs from the registry.
- Sends a HEAD request to each CDP URL with a 30-second timeout.
- Reports response status, latency, and CRL size (from Content-Length).
- Fails if all CDPs are unavailable. Warns if some are unavailable.
- Passes (healthy) if no CDPs are configured (optional feature).
## Why It Matters
CRL distribution points provide certificate revocation lists needed to verify that TSA certificates have not been revoked. If CDPs are unavailable, the system cannot download updated CRLs, potentially accepting timestamps from revoked certificates.
## Common Causes
- CRL distribution point server is down
- Network connectivity issues
- Firewall blocking HTTP/HTTPS to CDP URLs
- CDP URL changed by the CA
## How to Fix
### Docker Compose
```bash
docker exec <platform-container> curl -I http://crl.example.com/crl.pem
```
### Bare Metal / systemd
```bash
# Test CDP connectivity
curl -I http://crl.example.com/crl.pem
# Check network and DNS
nslookup crl.example.com
```
### Kubernetes / Helm
Ensure egress NetworkPolicies allow traffic to CRL distribution point URLs.
## Verification
```
stella doctor run --check check.timestamp.crl.distribution
```
## Related Checks
- `check.timestamp.ocsp.responder` — checks OCSP responder availability
- `check.timestamp.revocation.cache-fresh` — checks revocation cache freshness
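Review bot: the "What It Checks" bullets ("Sends a HEAD request to each CDP URL with a 30-second timeout" and "CRL size (from Content-Length)") should say how a CDP that rejects HEAD (405) or answers without a Content-Length header is classified, since CRLs are commonly served from static hosting or CDNs that do exactly that; without that statement operators will not know whether a resulting warn is a real outage or a HEAD-unfriendly server, so spell out the rule (for example "405 or 2xx without Content-Length counts as reachable with unknown size"). Related, a 2xx HEAD only proves reachability, so the "Why It Matters" sentence about "potentially accepting timestamps from revoked certificates" overstates what this check covers: it does not fetch or parse the CRL or look at nextUpdate, and that paragraph should point to `check.timestamp.revocation.cache-fresh` for the freshness half. "Passes (healthy) if no CDPs are configured" deserves a one-line caveat that a pass in that case means revocation checking of TSA certificates is effectively not happening, not that it succeeded. In "How to Fix", the Docker Compose and Bare Metal sections contain only diagnostics (`curl -I`, `nslookup`) and no remediation step, and the Kubernetes section gives no command; add the actual fixes the "Common Causes" list implies (update the CDP URL in the registry when the CA moved it, open the firewall or NetworkPolicy egress) or retitle the subsections as diagnostics. Style: the Verification fence is untagged while every other fence uses ```bash; tag it for consistency. Finally, the front matter names `stellaops.doctor.timestamping`, but the commit message's list of Doctor plugin modules does not include a Timestamping module; either the list or the `plugin:` value should be reconciled.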