Page MenuHomePhabricator
Create Task
Maniphest T109737

ocsp updater: handle openssl "trylater" and similar more-gracefully
Closed, ResolvedPublic
Actions

Description

When the ocsp updater script runs into certain openssl error-responses, it's confused as to what exactly the problem is and doesn't fail until a much later step. OpenSSL is partly to blame here for returning exit status zero in these cases (IMHO), but either way we should deal with these cases properly and error out immediately instead of proceeding with further validation checks that are destined to fail.

Details

SubjectRepoBranchLines +/-
update-ocsp: refactor validation, check cert lifeoperations/puppetproduction+96 -51
Customize query in gerrit

Related Objects
Search...

Event Timeline

BBlack created this task.Aug 20 2015, 5:07 PM
BBlack claimed this task.
BBlack raised the priority of this task from to Medium.
BBlack updated the task description. (Show Details)
BBlack added a project: Traffic.
BBlack subscribed.
Restricted Application added a project: acl*sre-team. · View Herald TranscriptAug 20 2015, 5:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
BBlack added a parent task: T109740: ocsp updater: re-enable automatic updates.Aug 20 2015, 5:15 PM
greg added a project: Incident-20150820-OCSP.Aug 20 2015, 5:48 PM
greg set Security to None.
Restricted Application added a subscriber: Matanya. · View Herald TranscriptAug 20 2015, 5:48 PM
gerritbot subscribed.Aug 21 2015, 12:04 AM

Change 232873 had a related patch set uploaded (by BBlack):
update-ocsp: refactor validation, check cert life

https://gerrit.wikimedia.org/r/232873

gerritbot added a project: Patch-For-Review.Aug 21 2015, 12:04 AM
gerritbot added a comment.Aug 21 2015, 12:15 AM

Change 232873 merged by BBlack:
update-ocsp: refactor validation, check cert life

https://gerrit.wikimedia.org/r/232873

BBlack mentioned this in rOPUP367653244eeb: update-ocsp: refactor validation, check cert life.Aug 21 2015, 12:15 AM
BBlack closed this task as Resolved.Aug 21 2015, 12:32 AM
BBlack moved this task from Backlog to Done on the Traffic board.Aug 27 2015, 2:41 AM
BBlack mentioned this in T93927: Make OCSP Stapling support more generic and robust.Oct 3 2016, 1:28 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL