Doctor plugin checks: implement health check classes and documentation
Implement remediation-aware health checks across all Doctor plugin modules (Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment, EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release, Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation, Authority, Core, Cryptography, Database, Docker, Integration, Notify, Observability, Security, ServiceGraph, Sources, Verification). Each check now emits structured remediation metadata (severity, category, runbook links, and fix suggestions) consumed by the Doctor dashboard remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
65
docs/doctor/articles/timestamping/tsa-chain-valid.md
Normal file
@@ -0,0 +1,65 @@
---
checkId: check.timestamp.tsa.chain-valid
plugin: stellaops.doctor.timestamping
severity: fail
tags: [timestamping, tsa, certificate, chain, validation]
---
# TSA Certificate Chain Validity
## What It Checks
Ensures TSA certificate chains are valid and complete. The check:
- Queries the certificate chain status provider for all configured TSA chains.
- Validates that each chain is complete (leaf to root) and has no errors.
- Fails if all chains are invalid. Warns if some chains are invalid.
- Reports degraded if no chain data is available (provider not configured).
## Why It Matters
An incomplete or broken certificate chain means TSA timestamps cannot be verified end-to-end. Relying parties will reject evidence with unverifiable chains, causing compliance audit failures and blocking release promotions. This is a critical-severity check.
## Common Causes
- Missing intermediate certificates
- Intermediate certificate expired
- Trust store not updated after CA changes
- Misconfigured certificate chain ordering
## How to Fix
### Docker Compose
```bash
# Verify chain manually
openssl verify -CAfile /certs/root.pem -untrusted /certs/intermediate.pem /certs/tsa-leaf.pem
# Update chain configuration
docker exec <platform-container> stella tsa chain update --name "Provider" \
--cert /certs/tsa-leaf.pem --intermediate /certs/intermediate.pem
```
### Bare Metal / systemd
```bash
stella tsa chain validate --all
stella tsa chain update --name "Provider" \
--cert /path/to/leaf.pem --intermediate /path/to/intermediate.pem
```
### Kubernetes / Helm
```yaml
timestamping:
chainValidation:
enabled: true
```
Update certificate chain secrets:
```bash
kubectl create secret generic tsa-chain \
--from-file=leaf.pem --from-file=intermediate.pem --from-file=root.pem
```
## Verification
```
stella doctor run --check check.timestamp.tsa.chain-valid
```
## Related Checks
- `check.timestamp.tsa.cert-expiry` — checks TSA signing certificate expiry
- `check.timestamp.tsa.root-expiry` — checks TSA root certificate expiry
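Review bot: The Kubernetes / Helm remediation is incomplete: the `timestamping.chainValidation.enabled: true` values snippet only switches the check on, and the `kubectl create secret generic tsa-chain` command that follows neither sets a namespace nor shows which values key (or which `stella tsa chain update` invocation) points the platform at that secret, so an operator cannot finish the fix from this article alone; add the values key that references the `tsa-chain` secret (or say the name is conventional) and an explicit `-n <namespace>` on the kubectl line. Two smaller points: the Verification fence is untagged while every other fence in the file carries `bash` or `yaml`, and the Common Causes list names "Misconfigured certificate chain ordering" but none of the How to Fix snippets addresses ordering; the `openssl verify -CAfile ... -untrusted ...` line is the natural place to state the expected leaf, intermediate, root order and which file goes in which flag.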