Open andrewrynhard opened 4 years ago
When a client submits an invalid client certificate (e.g. expired), the termination happens early in the TLS handshake before any application layer is established, so returning a descriptive error is impossible I believe.
What can be done is a client-side check for an expired cert; this will be more user-friendly, but this should be a warning imho to account for clock skew.
@smira It might, at least, be worthwhile to have an insecure-accessible endpoint to pull node-time though. So we can actually check which of the two is out-of-sync (which can happen, for example, with unreachable NTP servers).
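The client-side check suggested in the comments above, written out as an added Go example; it is not code from the issue or from Talos. All function names, the 5-minute skew tolerance, and the source of the node time (the endpoint proposed in the thread, which is assumed here) are hypothetical.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"time"
)

// Outcomes of the pre-flight check. All names here are hypothetical, not talosctl APIs.
const (
	OK           = "valid"
	NearBoundary = "within clock-skew tolerance of its validity boundary"
	Expired      = "expired"
	NotYetValid  = "not yet valid"
)

// CheckClientCert classifies the validity window against one clock; the result is a warning, never a hard failure.
func CheckClientCert(c *x509.Certificate, now time.Time, skew time.Duration) string {
	switch {
	case now.After(c.NotAfter.Add(skew)):
		return Expired
	case now.Before(c.NotBefore.Add(-skew)):
		return NotYetValid
	case now.After(c.NotAfter.Add(-skew)), now.Before(c.NotBefore.Add(skew)):
		return NearBoundary
	}
	return OK
}

// Diagnose also checks against nodeNow, assumed to come from the node-time endpoint proposed in the thread.
func Diagnose(c *x509.Certificate, localNow, nodeNow time.Time, skew time.Duration) string {
	local, node := CheckClientCert(c, localNow, skew), CheckClientCert(c, nodeNow, skew)
	switch {
	case local == OK && node == OK:
		return ""
	case local == node:
		return "warning: client certificate is " + local + " on both clocks"
	}
	return fmt.Sprintf("warning: client certificate is %s locally but %s on the node (clock offset %s)", local, node, nodeNow.Sub(localNow))
}

// sampleCert returns a constructed certificate; only the validity fields are set.
func sampleCert(notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{NotBefore: notBefore, NotAfter: notAfter}
}

func main() {
	now := time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC)
	fmt.Println(Diagnose(sampleCert(now.AddDate(-1, 0, 0), now.Add(24*time.Hour)), now, now.Add(72*time.Hour), 5*time.Minute))
}
```

Because the result is only ever a warning string, the caller still attempts the connection, which keeps a wrong local clock from blocking a certificate the node would accept.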
Bug Report
Description
I'm not sure if this is due to our proxy or if this is a gRPC thing, but an opaque "connection refused error" is returned to the client on a system with an expired certificate. We should fix this.
Logs
Environment
talosctl version --nodes <problematic nodes>
kubectl version --short