When the ocsp updater script runs into certain openssl error responses, it's confused as to what exactly the problem is and doesn't fail until a much later step. OpenSSL is partly to blame here for returning exit status zero in these cases (IMHO), but either way we should deal with these cases properly and error out immediately instead of proceeding with further validation checks that are destined to fail.
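As an added illustration of the failure mode described above (this is example code, not the update-ocsp script from operations/puppet): because `openssl ocsp` can exit 0 even when the responder answered with an error status such as "trylater", a wrapper has to classify the text the command prints rather than trusting `$?` alone. The helper names (`ocsp_output_ok`, `fetch_and_check`) and the sample outputs are assumptions constructed for this example; the `Responder Error:` and `OCSP Response Status:` lines mirror what `openssl ocsp -resp_text` prints.

```shell
#!/bin/sh
# Added example, not the puppet update-ocsp script. Classifies the text
# printed by `openssl ocsp`, since the exit status alone does not reveal a
# responder-side error such as "trylater".

# ocsp_output_ok OUTPUT
#   Returns 0 only when OUTPUT shows a successful OCSP response status.
#   Returns 1 for any "Responder Error:" line (trylater, internalerror,
#   unauthorized, ...) or for output with no recognisable status, so the
#   caller can abort before running later validation steps that would fail.
ocsp_output_ok() {
    out="$1"
    # A responder error means no usable response was returned at all.
    if printf '%s\n' "$out" | grep -q 'Responder Error:'; then
        return 1
    fi
    # Demand an explicit success status; silence is treated as failure.
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        return 0
    fi
    return 1
}

# fetch_and_check ISSUER CERT URL RESPOUT
#   Hypothetical wrapper showing the intended use: run openssl, capture its
#   text, and fail fast on either a non-zero exit or an error response.
#   (Not executed here; it needs a reachable responder.)
fetch_and_check() {
    out=$(openssl ocsp -issuer "$1" -cert "$2" -url "$3" \
                       -respout "$4" -resp_text 2>&1) || return 1
    ocsp_output_ok "$out"
}

# Constructed sample outputs (not captured from a real responder).
GOOD_SAMPLE='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'
TRYLATER_SAMPLE='Responder Error: trylater (3)'
EMPTY_SAMPLE=''

# Stand-alone demonstration of the classifier on the constructed samples.
for sample in "$GOOD_SAMPLE" "$TRYLATER_SAMPLE" "$EMPTY_SAMPLE"; do
    if ocsp_output_ok "$sample"; then
        echo "ok:   $(printf '%s' "$sample" | head -n 1)"
    else
        echo "fail: $(printf '%s' "$sample" | head -n 1)"
    fi
done
```

In the wrapper, only a successful classification should let the script proceed to write the response into place; both the non-zero-exit path and the error-response path return 1, which is the "error out immediately" behaviour the task asks for.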
Description
Details
| Subject | Repo | Branch | Lines +/- |
|---|---|---|---|
| update-ocsp: refactor validation, check cert life | operations/puppet | production | +96 -51 |
| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Resolved | | BBlack | T109740 ocsp updater: re-enable automatic updates |
| Resolved | | BBlack | T109737 ocsp updater: handle openssl "trylater" and similar more-gracefully |
Event Timeline
Change 232873 had a related patch set uploaded (by BBlack):
update-ocsp: refactor validation, check cert life