Closed andygabby closed 5 years ago
To quickly fix our ct-woodpecker instance that had trouble submitting certs to a CT temporal shard that wouldn't accept certs that were not valid yet, I rebuilt the binary with this quick patch.
@jsha Can this be closed? It seems like the linked PR (https://github.com/letsencrypt/ct-woodpecker/pull/103) was abandoned.
Trillian upstream changed the definition of reject_expired so it only rejects expired, and doesn't reject backdated certificates. So the problem this was causing us is gone, and we probably won't fix it.
It would be slightly nice to tweak this just so the test certs are a little more "realistic" but I don't think it's worth keeping an issue around for.
In pki/certs.go `IssueTestCertificate()`: If `windowStart` is defined, the `NotBefore` in `issueLeafCert` is set to the same value as `windowStart`. In most use cases we probably don't want to backdate or future date the `NotBefore` to the beginning of the temporal shard. Instead we could have `issueLeafCert` use now or now -1h for `NotBefore`, but set `NotAfter` to sometime within the temporal shard window range.

Also, in both `windowStart`/`windowEnd` if statements there is an attempt to perform an `AddDate()` but it is not actually used because the `AddDate()` return value is not assigned back to the `earliest`/`latest` vars (`NotAfter` in `issueLeafCert` could then have `AddDate(0, 0, -1)` removed from the `latest` var as well).
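An added example, not ct-woodpecker's own `IssueTestCertificate`/`issueLeafCert` code, illustrating the two points in the issue body above: picking test-leaf validity dates so that `NotBefore` is backdated from now rather than pushed to `windowStart`, while `NotAfter` still lands inside the temporal shard window, and the `AddDate()` pitfall where the returned value is discarded. The function names (`leafValidity`, `buggyLatest`, `fixedLatest`, `inShard`) and all dates are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// buggyLatest reproduces the defect described in the issue. time.Time is a
// value type: AddDate returns a new Time and leaves the receiver untouched, so
// calling it without assigning the result is a no-op (staticcheck flags
// discarded results of pure methods like this one; go vet does not).
func buggyLatest(windowEnd time.Time) time.Time {
	latest := windowEnd
	latest.AddDate(0, 0, -1) // result discarded: latest is still windowEnd
	return latest
}

// fixedLatest assigns the AddDate result back, giving one day before the
// window ends.
func fixedLatest(windowEnd time.Time) time.Time {
	latest := windowEnd
	latest = latest.AddDate(0, 0, -1)
	return latest
}

// leafValidity picks NotBefore/NotAfter for a test leaf destined for a CT
// temporal shard that accepts certificates whose NotAfter lies in
// [windowStart, windowEnd). Hypothetical helper, not ct-woodpecker code.
func leafValidity(now, windowStart, windowEnd time.Time) (notBefore, notAfter time.Time, err error) {
	if !windowEnd.After(windowStart) {
		return time.Time{}, time.Time{}, errors.New("temporal shard window is empty")
	}
	// Backdate NotBefore one hour from now rather than to windowStart, so the
	// cert is already valid when submitted and a log that rejects
	// not-yet-valid certificates accepts it.
	notBefore = now.Add(-time.Hour)
	// Keep NotAfter strictly inside the shard window, one day before its end,
	// so a strict boundary check on the log side does not reject it.
	notAfter = fixedLatest(windowEnd)
	if !notAfter.After(windowStart) {
		// Window shorter than a day: fall back to its midpoint.
		notAfter = windowStart.Add(windowEnd.Sub(windowStart) / 2)
	}
	if !notAfter.After(notBefore) {
		return time.Time{}, time.Time{}, fmt.Errorf(
			"shard window %s..%s ends before NotBefore %s",
			windowStart.Format(time.RFC3339), windowEnd.Format(time.RFC3339),
			notBefore.Format(time.RFC3339))
	}
	return notBefore, notAfter, nil
}

// inShard reports whether a NotAfter falls inside [windowStart, windowEnd),
// the check a temporal shard applies to decide whether to accept a cert.
func inShard(notAfter, windowStart, windowEnd time.Time) bool {
	return !notAfter.Before(windowStart) && notAfter.Before(windowEnd)
}

func main() {
	// Constructed sample: a shard covering the first half of 2021, issued from mid-2020.
	now := time.Date(2020, 6, 15, 12, 0, 0, 0, time.UTC)
	windowStart := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
	windowEnd := time.Date(2021, 7, 1, 0, 0, 0, 0, time.UTC)

	fmt.Println("buggy latest:", buggyLatest(windowEnd).Format(time.RFC3339)) // unchanged windowEnd
	fmt.Println("fixed latest:", fixedLatest(windowEnd).Format(time.RFC3339))

	nb, na, err := leafValidity(now, windowStart, windowEnd)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("NotBefore:", nb.Format(time.RFC3339))
	fmt.Println("NotAfter: ", na.Format(time.RFC3339), "in shard:", inShard(na, windowStart, windowEnd))
}
```

The midpoint fallback and the error for a shard window that has already closed are the edge cases a test-cert issuer hits when it is pointed at an old or very narrow shard; neither is something the original report spells out, so treat them as one reasonable handling rather than the project's behaviour.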