[PUP-894] Too easy to hit "CRL not yet valid for <host>" (and not very informative) - Puppet Jira Server

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Normal
Resolution: Fixed
Affects Version/s: None
Fix Version/s: PUP 3.7.1
Component/s: Networking
Labels:
None

Story Points:
1
Sprint:
Platform 2014-09-17

Description

Currently we set the CRL time range to start at 1 second in the past:

https://github.com/puppetlabs/puppet/blob/a8311df5438601a3394d38e37f671626969d50db/lib/puppet/ssl/certificate_revocation_list.rb#L85

However, this creates a window where an agent with a small amount of clock skew can hit the `CRL not yet valid for <host>` message. This affects both acceptance tests, which sometimes hit this condition and end-users.

We should do something about this. Suggestion here is to: a) bump the 1 second to 1 minute, and b) catch this error message out of OpenSSL and wordsmith it a bit to hint at addressing clock skew.

Attachments

Issue Links

is duplicated by

PUP-2636 CRL last_update should be valid more than 1 second in the past

Closed

relates to

PUP-2310 Puppet client does not update and does consult the crl during authentication

Resolved

links to

PR #3068

mentioned in: Page Loading...; Page Loading...

Activity

People

Assignee:: Britt Gresham

Reporter:: Kylo Ginsberg

QA Contact:: Erik Dasher

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 2013/11/26 1:54 PM

Updated:: 2019/04/04 10:31 PM

Resolved:: 2014/09/15 11:05 AM