Page MenuHomePhabricator

ocsp updater: handle openssl "trylater" and similar more-gracefully
Closed, ResolvedPublic

Description

When the ocsp updater script runs into certain openssl error-responses, it's confused as to what exactly the problem is and doesn't fail until a much later step. OpenSSL is partly to blame here for returning exit status zero in these cases (IMHO), but either way we should deal with these cases properly and error out immediately instead of proceeding with further validation checks that are destined to fail.

Event Timeline

BBlack claimed this task.
BBlack raised the priority of this task from to Medium.
BBlack updated the task description. (Show Details)
BBlack added a project: Traffic.
BBlack added a subscriber: BBlack.
Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Change 232873 had a related patch set uploaded (by BBlack):
update-ocsp: refactor validation, check cert life

https://gerrit.wikimedia.org/r/232873

Change 232873 merged by BBlack:
update-ocsp: refactor validation, check cert life

https://gerrit.wikimedia.org/r/232873