Open hvt opened 1 month ago
3.12 has been out of support for more than 6 months. So we will be trying to reproduce this against 4.0.2, the only community-supported series.
The standard expiration period used by tls-gen is 10 years. In theory overriding it to be 50 years or something should be enough.
Here is where the `Certificate is not yet valid` error message is generated:
@hvt you've probably found an edge case that the code misses. I'll investigate this when I can find time.
What happens if your certs have a slightly later start time, like epoch time plus 1 second?
> What happens if your certs have a slightly later start time, like epoch time plus 1 second?

At first I thought it was a division by zero. So I already tried creating a certificate (and CA) with a `Not Before` of `Jan 1 00:00:01 1970 GMT`. That failed as well, with the same error.
The code computes the difference between dates in seconds, so something may not be accounting for overflow/wrap around in one of the calendar modules.
In some if not all cases we could use minutes or hours. This health check is meant to be run e.g. every day, not every hour or minute.
Describe the bug
We are using RabbitMQ 3.12.12.
Because of reasons (tm) we have a TLS certificate with an extremely long validity (and also signed by a CA that has that same validity period), namely:
When you now query the health check API for certificate expiration, you receive an HTTP 500 response, without any content. In the logs of RabbitMQ, this crash / traceback is printed:
Reproduction steps
I am not entirely sure if this is caused by the CA validity or the certificate validity. I have however generated an example CA certificate and an example certificate + key:
`ca.crt`
`server.crt`
`server.key`
rabbitmq.conf
like this:
Expected behavior
Not triggering an HTTP 500 and not listing the certificate as being about to expire.
Additional context
No response
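The date arithmetic discussed in this thread, as an added illustration (not RabbitMQ's code and not written by any participant): it parses the two X.509 validity encodings from RFC 5280, UTCTime with its two-digit-year pivot and GeneralizedTime for years from 2050 on, and reports remaining validity in whole days rather than raw seconds. The function names, the validity strings in the tests and `SAMPLE_NOW` are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed "current time" so the example is deterministic.
SAMPLE_NOW = datetime(2024, 12, 1, tzinfo=timezone.utc)


def parse_x509_time(value: str) -> datetime:
    """Parse an RFC 5280 Time string: UTCTime (YYMMDDHHMMSSZ) or
    GeneralizedTime (YYYYMMDDHHMMSSZ), both in UTC."""
    if not value.endswith("Z") or not value[:-1].isdigit():
        raise ValueError(f"unsupported time format: {value!r}")
    digits = value[:-1]
    if len(digits) == 12:
        # UTCTime: RFC 5280 maps YY >= 50 to 19YY and YY < 50 to 20YY,
        # so an epoch start date is encoded as "700101000000Z".
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:
        # GeneralizedTime: required for dates in 2050 or later, which is
        # where very long-lived certificates end up.
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError(f"unexpected time length: {value!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def expiry_status(not_before: str, not_after: str, now: datetime, within_days: int):
    """Return (status, days_left) for a certificate validity window.

    Timestamps are compared as datetime objects and the remaining time is
    reported in whole days, so no hand-computed second counts are involved.
    """
    start = parse_x509_time(not_before)
    end = parse_x509_time(not_after)
    days_left = (end - now).days  # negative once the certificate has expired
    if now < start:
        return "not_yet_valid", days_left
    if now >= end:
        return "expired", days_left
    if days_left < within_days:
        return "expiring", days_left
    return "ok", days_left
```
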