siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0

Expired certs error return connection refused #2110

Open andrewrynhard opened 4 years ago

andrewrynhard commented 4 years ago

Bug Report

Description

I'm not sure if this is due to our proxy or if this is a gRPC thing, but an opaque "connection refused" error is returned to the client on a system with an expired certificate. We should fix this.

Logs

Environment

smira commented 1 year ago

When a client submits an invalid client certificate (e.g. expired), the termination happens early in the TLS handshake before any application layer is established, so returning a descriptive error is impossible I believe.

What can be done is a client-side check for an expired cert; this would be more user-friendly, but it should be a warning imho to account for clock skew.

PrivatePuffin commented 1 month ago

@smira It might, at least, be worthwhile to have an insecurely accessible endpoint to pull node time, so we can actually check which of the two is out of sync (which can happen, for example, with unreachable NTP servers).
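As an added example (not code from the Talos project or from anyone in this thread), here is the client-side check smira proposes, with the skew tolerance turned into a warning band rather than a hard failure, and with the reference clock passed in so a trusted node time, as PrivatePuffin suggests, could be used instead of the local clock. `CheckValidity`, `CertStatus` and the throwaway `selfSigned` helper are names chosen for this illustration; the certificate it builds is constructed test input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// CertStatus classifies a client certificate's validity window against a reference clock.
type CertStatus int

const (
	CertOK          CertStatus = iota // comfortably inside NotBefore..NotAfter
	CertWarning                       // within skew of a boundary: may be clock skew rather than a real expiry
	CertExpired                       // past NotAfter by more than skew
	CertNotYetValid                   // before NotBefore by more than skew
)

// CheckValidity compares cert's window with now (local clock, or a trusted node time), tolerating skew.
func CheckValidity(cert *x509.Certificate, now time.Time, skew time.Duration) CertStatus {
	switch {
	case now.After(cert.NotAfter.Add(skew)):
		return CertExpired
	case now.Before(cert.NotBefore.Add(-skew)):
		return CertNotYetValid
	case now.After(cert.NotAfter.Add(-skew)) || now.Before(cert.NotBefore.Add(skew)):
		return CertWarning
	default:
		return CertOK
	}
}

// selfSigned builds a throwaway self-signed certificate with the given window (constructed test input).
func selfSigned(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A client that gets CertWarning should tell the user the certificate is at or near a validity boundary and suggest checking the clocks on both sides before assuming the certificate itself is bad; only CertExpired or CertNotYetValid is a clear-cut certificate problem.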