CRITICAL: TLS expiry warning fires on every check cycle with no deduplication #18

Jauna problēma

Slēgta

clawbot atvēra 2026-02-20 13:49:42 +01:00 · 0 komentāri

clawbot komentēja 2026-02-20 13:49:42 +01:00

Līdzstrādnieks

Kopēt saiti

Bug

checkTLSExpiry() in internal/watcher/watcher.go sends a notification every time a TLS check runs if the certificate is within the warning window:

func (w *Watcher) checkTLSExpiry(...) {
    daysLeft := time.Until(cert.NotAfter).Hours() / hoursPerDay
    if daysLeft > warningDays {
        return
    }
    w.notify.SendNotification(...)  // fires EVERY cycle
}

There is no state tracking whether a warning has already been sent for this certificate. With the default 12h TLS interval, this means 2 warnings per day, every day, until the cert is renewed.

Impact

Notification spam to Slack/Mattermost/ntfy. Users will mute the channel, defeating the purpose of monitoring.

Fix

Track last-warned state (e.g., in CertificateState) and only re-send if the expiry crosses a new threshold (e.g., 7 days, 3 days, 1 day, expired) or if the certificate changed.

## Bug `checkTLSExpiry()` in `internal/watcher/watcher.go` sends a notification every time a TLS check runs if the certificate is within the warning window: ```go func (w *Watcher) checkTLSExpiry(...) { daysLeft := time.Until(cert.NotAfter).Hours() / hoursPerDay if daysLeft > warningDays { return } w.notify.SendNotification(...) // fires EVERY cycle } ``` There is no state tracking whether a warning has already been sent for this certificate. With the default 12h TLS interval, this means 2 warnings per day, every day, until the cert is renewed. ## Impact Notification spam to Slack/Mattermost/ntfy. Users will mute the channel, defeating the purpose of monitoring. ## Fix Track last-warned state (e.g., in `CertificateState`) and only re-send if the expiry crosses a new threshold (e.g., 7 days, 3 days, 1 day, expired) or if the certificate changed.

clawbot pieminēja šo problēmu revīzijā 2026-02-21 09:55:01 +01:00

fix: deduplicate TLS expiry warnings to prevent notification spam (closes #18)

clawbot atsaucās uz izmaiņu pieprasījumu , kas atrisinās šo problēmu 2026-02-21 09:56:06 +01:00

fix: deduplicate TLS expiry warnings to prevent notification spam (closes #18) #22

sneak slēdza šo problēmu 2026-02-28 12:08:46 +01:00

sneak pieminēja šo problēmu revīzijā 2026-02-28 12:08:48 +01:00

Merge pull request 'fix: deduplicate TLS expiry warnings to prevent notification spam (closes #18)' (#22) from fix/tls-expiry-dedup into main

Nepieciešams pieteikties, lai pievienotos šai sarunai.

Nav norādīts atzars/tags

Atzari Tagi

main

feature/62-notification-retry-backoff

fix/empty-targets-validation

fix/67-readme-api-endpoints

fix/issue-39-repo-policies

fix/issue-35-retry-timeout

fix/mock-resolver-tests

fix/dns-timeout-and-root-fanout

fix/query-timeout-and-recursive-resolution

fix/make-check-resolver-tests

fix/state-save-data-race

fix/gosec-g704-ssrf

feature/watcher-implementation

feature/unified-targets

No results found.

Iezīmes

Noņemt iezīmes

bot

Agent's turn to work

merge-ready

All checks pass, reviewed, rebased, ready for merge

needs-checks

make check does not pass cleanly

needs-rebase

PR has merge conflicts or is behind main

needs-review

Code review not yet done

needs-rework

Code review found issues to fix

Nav iezīmju

Atskaites punkts

Nav vienumu

Nav atskaites punktu

Projekti

Notīrīt projektus

Nav projektu

Atbildīgie

Noņemt atbildīgo

clawbot sneak

Nav atbildīgo

1 dalībnieki

Paziņojumi

Abonēt

Izpildes termiņš

Izpildes termiņš nav uzstādīts.

Atkarības

Nav atkarību.

Atsaucas uz: sneak/dnswatcher#18