backport of commit 95ad2461624cc002f768b2eac4196b6884f6ddfe (#21162)

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2023-06-12 22:37:20 -04:00 · 2023-06-12 22:37:20 -04:00 · 7d6c3aca5f
parent 8dc607d08d
commit 7d6c3aca5f
1 changed files with 32 additions and 5 deletions
--- a/website/content/docs/commands/pki/health-check.mdx
+++ b/website/content/docs/commands/pki/health-check.mdx
@ -324,3 +324,30 @@ This health check verifies that tidy has run within the last run window. This ca
 - `count_warning` `(int: 50000)` - the warning threshold at which there are too many certs.

 This health check verifies that this cluster has a reasonable number of certificates. Ideally this would be fetched from tidy's status or a new metric reporting format, but as a fallback when tidy hasn't run, a list operation will be performed instead.
+
+### Enable ACME issuance
+
+**Name**: `enable_acme_issuance`
+
+**APIs**:
+
+- `READ /config/acme`
+- `READ /config/cluster`
+- `LIST /issuers` (unauthenticated)
+- `READ /issuer/:issuer_ref/json` (unauthenticated)
+
+**Config Parameters**: (none)
+
+This health check verifies that ACME is enabled within a mount that contains an intermediary issuer, as this is considered a best-practice to support a self-rotating PKI infrastructure.
+
+### ACME Response headers
+
+**Name**: `allow_acme_headers`
+
+**APIs**:
+
+- `READ /sys/internal/ui/mounts`
+
+**Config Parameters**: (none)
+
+This health check verifies if the `"Replay-Nonce`, `Link`, and `Location` headers have been added to `allowed_response_headers`, when the ACME feature is enabled. The ACME protocol will not work if these headers are not added to the mount.