domino_admin_toolkit.checks.test_domino_url_cert module
- pydantic model domino_admin_toolkit.checks.test_domino_url_cert.DominoUrlCertExpirationAnalyzer
Bases:
AnalyzerBase
Validates that the Domino control plane URL certificate is not expiring soon.
Checks the certificate expiration date and ensures sufficient time remains before renewal is required.
- Fields:
- analyze(data)
Analyze certificate expiration data.
- Return type:
- Args:
data: Dictionary containing certificate expiration details
- Returns:
List of CheckResult objects indicating certificate health
- name: ClassVar[str] = 'DominoUrlCertExpirationAnalyzer'
- pydantic model domino_admin_toolkit.checks.test_domino_url_cert.DominoUrlCertValidationAnalyzer
Bases:
AnalyzerBase
Validates that the Domino URL certificate can be verified using the mounted bundle.
Checks if the certificate is trusted (can be verified via SSL) and provides diagnostic information about bundle contents. The mounted bundle at /etc/ssl/certs/ca-certificates.crt serves as the system trust store for the toolkit.
- Fields:
- analyze(data)
Analyze certificate verification status and bundle diagnostic info.
- Return type:
- Args:
data: Dictionary containing cert data with verification status and bundle info
- Returns:
List of CheckResult objects indicating validation status
- name: ClassVar[str] = 'DominoUrlCertValidationAnalyzer'
- domino_admin_toolkit.checks.test_domino_url_cert.domino_url_cert_data(domino_api_client)
Fixture: Collect Domino URL certificate data for expiration checking.
- Returns:
DataFrame with certificate expiration details
- domino_admin_toolkit.checks.test_domino_url_cert.test_domino_url_cert_expiration(domino_url_cert_data)
Validates that the Domino control plane URL certificate is valid and not expiring soon.
This check retrieves the TLS certificate from the Domino platform URL and verifies it has sufficient time remaining before expiration. The check covers only the certificate's validity period; it does not verify the certificate against a trust store (that is the job of test_domino_url_cert_validation).
- Skip Conditions:
Certificate cannot be retrieved from the Domino URL (network connectivity issues)
This is expected behavior in deployments where the toolkit cannot reach the frontend (e.g., network policies, firewall rules, or isolated network configurations)
- Failure Conditions:
Certificate has already expired
Certificate expires in less than 30 days
- Troubleshooting Steps:
Check the certificate expiration date (pass -servername so that an SNI-fronted endpoint returns the certificate for this hostname rather than a default one): echo | openssl s_client -connect <domino-url>:443 -servername <domino-url> 2>/dev/null | openssl x509 -noout -dates
Verify certificate renewal process is functioning correctly
Check if certificate issuer (CA) is still valid and operational
Review DNS resolution for the Domino URL: nslookup <domino-url>
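The following is an added example, not code from domino_admin_toolkit, showing how the expiration logic described above can be implemented: fetch the leaf certificate without trusting it (so a private CA does not stop the check before the dates are seen), then classify the remaining validity against the 30-day threshold stated on this page, returning SKIP when the host cannot be reached. The hostname is hypothetical, and parsing notAfter out of DER assumes the third-party cryptography package is installed; the classification itself is pure stdlib and accepts ISO-8601 strings so it can be exercised offline.

```python
"""Added example (not part of domino_admin_toolkit): classify a TLS
certificate's remaining validity the way the expiration check describes."""
from __future__ import annotations

import socket
import ssl
from datetime import datetime, timedelta, timezone

EXPIRY_WARN_DAYS = 30  # failure threshold stated on this page


def fetch_leaf_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the server's leaf certificate as DER bytes.

    Trust is deliberately NOT verified here: the expiration check looks only
    at the validity period, and a private-CA deployment would otherwise fail
    before we ever saw the dates. SNI is still sent so a shared front end
    returns the certificate for this hostname.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # getpeercert() returns {} when verify_mode is CERT_NONE, so ask
            # for the raw DER instead and parse the dates ourselves.
            return tls.getpeercert(binary_form=True)


def not_after_from_der(der: bytes) -> datetime:
    """Parse notAfter out of DER. Assumption: the 'cryptography' package is
    installed (it is not stdlib); imported lazily so the pure logic below
    runs without it."""
    from cryptography import x509  # assumption: dependency available

    cert = x509.load_der_x509_certificate(der)
    not_after = getattr(cert, "not_valid_after_utc", None)
    if not_after is None:  # cryptography < 42 exposes a naive UTC datetime
        not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)
    return not_after


def _as_utc(value: datetime | str) -> datetime:
    """Accept a datetime or an ISO-8601 string; naive values are taken as UTC."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def classify_expiration(not_after: datetime | str, now: datetime | str | None = None,
                        warn_days: int = EXPIRY_WARN_DAYS) -> dict:
    """Pure decision logic mirroring the failure conditions on this page:
    FAIL if already expired or fewer than warn_days remain, else PASS.
    Exactly warn_days remaining is not 'less than', so it passes."""
    now_dt = datetime.now(timezone.utc) if now is None else _as_utc(now)
    exp = _as_utc(not_after)
    remaining = exp - now_dt
    if remaining <= timedelta(0):
        expired_for = (-remaining).days
        status = "FAIL"
        msg = f"certificate expired {expired_for} day(s) ago (notAfter {exp:%Y-%m-%d})"
    elif remaining < timedelta(days=warn_days):
        status = "FAIL"
        msg = (f"certificate expires in {remaining.days} day(s), under the "
               f"{warn_days}-day threshold (notAfter {exp:%Y-%m-%d})")
    else:
        status = "PASS"
        msg = f"certificate valid for {remaining.days} more day(s) (notAfter {exp:%Y-%m-%d})"
    return {"status": status, "days_remaining": remaining.days, "message": msg}


def check_domino_url_cert_expiration(host: str, port: int = 443) -> dict:
    """Whole check: SKIP on connectivity problems (the documented skip
    condition), otherwise classify the certificate's dates."""
    try:
        der = fetch_leaf_cert_der(host, port)
    except (OSError, ssl.SSLError) as exc:  # DNS, refused, timeout, handshake
        return {"status": "SKIP", "days_remaining": None,
                "message": f"could not retrieve certificate from {host}:{port}: {exc}"}
    return classify_expiration(not_after_from_der(der))


if __name__ == "__main__":
    print(check_domino_url_cert_expiration("domino.example.com"))  # hypothetical host
```

The split between fetch_leaf_cert_der and classify_expiration is deliberate: the network path is the part that gets skipped behind restrictive network policies, while the threshold logic is what a reviewer wants to unit-test, including the boundary at exactly 30 days and the negative days_remaining of an already-expired certificate.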
- domino_admin_toolkit.checks.test_domino_url_cert.test_domino_url_cert_validation(domino_url_cert_data)
Validates that the Domino URL certificate can be verified via the mounted bundle.
This check verifies that the Domino control plane’s TLS certificate can be validated using the mounted certificate bundle at /etc/ssl/certs/ca-certificates.crt. This bundle serves as the system trust store for the toolkit pod and other Domino services.
For deployments using private certificate authorities or self-signed certificates, custom CA certificates must be added to Domino’s trust store. This is especially important for services that connect to the deployment via its public hostname, including services in remote data planes.
- Documentation:
See https://docs.dominodatalab.com/en/cloud/admin_guide/77bb0e/domino-custom-certificates-configmap/ for detailed instructions on managing custom certificates in Domino.
The check provides diagnostic information about:
Whether SSL verification succeeds
Whether the cert/CA is found in the bundle
Number of CAs in the bundle
- Skip Conditions:
Certificate cannot be retrieved from the Domino URL (network connectivity issues)
This is expected behavior in deployments where the toolkit cannot reach the frontend (e.g., network policies, firewall rules, or isolated network configurations)
- Failure Conditions:
Certificate cannot be verified via SSL (cert/CA not in bundle)
This typically occurs when using private CAs or self-signed certificates that have not been added to Domino’s custom certificate bundle
Certificate bundle file is missing, out of date, or unreadable
Certificate is in bundle but verification still fails (chain/expiration issues)
- Troubleshooting Steps:
Determine if you are using a private CA or self-signed certificate
Check if domino-custom-certificates ConfigMap exists in the default namespace: kubectl get configmap domino-custom-certificates -n default
Verify domino-generated-certificates ConfigMap exists and contains ca-certificates.crt: kubectl get configmap domino-generated-certificates -n <namespace> -o yaml | grep ca-certificates.crt
Verify the toolkit pod has the bundle mounted: kubectl exec -n <namespace> <toolkit-pod> -- ls -la /etc/ssl/certs/ca-certificates.crt
For detailed diagnostics, see the public documentation linked above
- Resolution Steps:
Add your custom CA certificate(s) to the domino-custom-certificates ConfigMap in the default namespace in PEM format. The custom-certificates-manager service will automatically sync these to domino-generated-certificates.
Restart affected services (nucleus, keycloak, data-plane-agent, toolkit, etc.) to pick up the updated certificates.
For remote data planes: ensure domino-generated-certificates is copied to the data plane namespace during initial deployment when using custom CAs.
See https://docs.dominodatalab.com/en/cloud/admin_guide/77bb0e/domino-custom-certificates-configmap/ for detailed step-by-step instructions and examples.
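The following is an added example, not code from domino_admin_toolkit, showing how the validation check and its diagnostics can be implemented with the standard library alone: the TLS context is loaded with only the mounted bundle (never the interpreter's default trust store), a verification failure is reported with OpenSSL's reason string, and the bundle is inspected to count its certificates and to say whether the certificate the server presented is itself in it, which separates the "CA not in bundle" failure from the "in bundle but chain/expiry broken" one listed above. The hostname is hypothetical, and the sample bundle at the bottom is constructed from arbitrary bytes with real PEM framing so the diagnostics can be exercised offline.

```python
"""Added example (not part of domino_admin_toolkit): verify the Domino URL
certificate against the mounted CA bundle and report the bundle diagnostics
this check describes (verification result, cert in bundle, CA count)."""
from __future__ import annotations

import base64
import hashlib
import os
import re
import socket
import ssl

BUNDLE_PATH = "/etc/ssl/certs/ca-certificates.crt"  # mount path named on this page
_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def pem_blocks(bundle_text: str) -> list[str]:
    """Return the CERTIFICATE blocks of a PEM bundle (any other block type,
    e.g. a stray private key, is ignored rather than counted as a CA)."""
    return _PEM_CERT.findall(bundle_text)


def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def bundle_diagnostics(bundle_text: str, peer_der: bytes | None = None) -> dict:
    """Count the certificates in the bundle and, if the peer's DER is known,
    say whether that exact certificate is in it (the self-signed / private
    root case). Matching is by SHA-256 of the DER, so PEM line wrapping or
    whitespace differences do not matter."""
    blocks = pem_blocks(bundle_text)
    fingerprints = {sha256_fingerprint(ssl.PEM_cert_to_DER_cert(b)) for b in blocks}
    in_bundle = None if peer_der is None else sha256_fingerprint(peer_der) in fingerprints
    return {"ca_count": len(blocks), "peer_cert_in_bundle": in_bundle}


def _handshake(host: str, port: int, ctx: ssl.SSLContext, timeout: float) -> bytes:
    """TLS handshake with the given context; returns the leaf cert as DER."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_against_bundle(host: str, port: int = 443, bundle: str = BUNDLE_PATH,
                          timeout: float = 5.0) -> dict:
    """Whole check: FAIL if the bundle is unusable or the chain does not verify
    against it, SKIP if the host is unreachable, PASS otherwise. Diagnostics
    are attached whenever the bundle could be read."""
    result: dict = {"status": None, "verify_message": None, "bundle_path": bundle}
    if not (os.path.isfile(bundle) and os.access(bundle, os.R_OK)):
        result.update(status="FAIL", verify_message=f"bundle missing or unreadable: {bundle}")
        return result
    with open(bundle, encoding="ascii", errors="replace") as fh:
        bundle_text = fh.read()

    # PROTOCOL_TLS_CLIENT gives CERT_REQUIRED plus hostname checking. We load
    # ONLY the mounted bundle, never the default store, so PASS really means
    # "the pod's trust store verifies Domino".
    strict = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        strict.load_verify_locations(cafile=bundle)
    except ssl.SSLError as exc:  # bundle present but not parseable PEM
        result.update(status="FAIL", verify_message=f"bundle could not be loaded: {exc}")
        return result
    try:
        peer_der = _handshake(host, port, strict, timeout)
        result.update(status="PASS", verify_message="verified via mounted bundle")
    except ssl.SSLCertVerificationError as exc:
        # e.g. "unable to get local issuer certificate" (CA not in bundle) or
        # "certificate has expired" (in bundle, but chain/validity broken).
        result.update(status="FAIL", verify_message=exc.verify_message)
        # Re-fetch without verification so the diagnostics can still say
        # whether the presented certificate itself sits in the bundle.
        lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        lax.check_hostname = False
        lax.verify_mode = ssl.CERT_NONE
        try:
            peer_der = _handshake(host, port, lax, timeout)
        except OSError:
            peer_der = None
    except OSError as exc:  # DNS, refused, timeout: the documented skip condition
        result.update(status="SKIP", verify_message=f"could not reach {host}:{port}: {exc}")
        return result
    result.update(bundle_diagnostics(bundle_text, peer_der))
    return result


def _fake_pem(payload: bytes) -> str:
    """Constructed PEM block for the offline demo: real framing, arbitrary
    bytes, NOT a certificate OpenSSL would accept."""
    body = base64.encodebytes(payload).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = _fake_pem(b"constructed-root-ca-1") + _fake_pem(b"constructed-root-ca-2")
SAMPLE_PEER_DER = b"constructed-root-ca-2"  # constructed: "peer" equals bundle entry 2

if __name__ == "__main__":
    print(bundle_diagnostics(SAMPLE_BUNDLE, SAMPLE_PEER_DER))
    print(verify_against_bundle("domino.example.com"))  # hypothetical hostname
```

Reading the result: a FAIL with verify_message "unable to get local issuer certificate" and peer_cert_in_bundle False points at the missing-CA case that the domino-custom-certificates ConfigMap fixes; a FAIL with peer_cert_in_bundle True means the bundle is not the problem and the chain or validity period is, which is where the expiration check and the openssl x509 -dates command come in.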