
ocsp updater: handle openssl "trylater" and similar more-gracefully
Closed, Resolved, Public

Description

When the ocsp updater script runs into certain openssl error-responses, it's confused as to what exactly the problem is and doesn't fail until a much later step. OpenSSL is partly to blame here for returning exit status zero in these cases (IMHO), but either way we should deal with these cases properly and error out immediately instead of proceeding with further validation checks that are destined to fail.
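
An added example (not from this task or from the update-ocsp script): a POSIX shell check that classifies the text captured from `openssl ocsp` instead of trusting its exit status, so a responder error stops the run immediately. The function name, return codes and sample outputs are constructed for illustration, and the matched lines assume the `Responder Error:` and `Response verify OK` wording printed by the `openssl ocsp` command.

```shell
#!/bin/sh
# Added example: decide on an OCSP fetch from the captured output of
# `openssl ocsp ... 2>&1`, not from its exit status (which may be 0 on
# responder errors such as "trylater").

# classify_ocsp_output OUTPUT CERT_PATH  (hypothetical helper)
# Prints a verdict; returns 0 only when the response is verified and "good".
classify_ocsp_output() {
    out=$1
    cert=$2
    # 1. Responder-level failure: there is no usable response at all.
    err=$(printf '%s\n' "$out" | sed -n 's/^Responder Error: *//p' | head -n 1)
    if [ -n "$err" ]; then
        echo "responder-error: $err"
        return 2
    fi
    # 2. The response signature must have been verified.
    if ! printf '%s\n' "$out" | grep -q '^Response verify OK$'; then
        echo "unverified"
        return 3
    fi
    # 3. Status line for our certificate, e.g. "cert.pem: good".
    cert_status=$(printf '%s\n' "$out" |
        awk -v p="$cert: " 'index($0, p) == 1 { print substr($0, length(p) + 1); exit }')
    case $cert_status in
        good)     echo "good"; return 0 ;;
        revoked*) echo "revoked"; return 4 ;;
        *)        echo "no-status"; return 5 ;;
    esac
}

# Constructed sample outputs (not captured from a real responder).
SAMPLE_TRYLATER='Responder Error: trylater (3)'
SAMPLE_GOOD='Response verify OK
cert.pem: good
    This Update: Aug 20 12:00:00 2015 GMT
    Next Update: Aug 24 12:00:00 2015 GMT'

# Demo: print the verdict for each sample without aborting on failure.
for sample in "$SAMPLE_TRYLATER" "$SAMPLE_GOOD"; do
    classify_ocsp_output "$sample" cert.pem || :
done
```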

Event Timeline

BBlack created this task. Aug 20 2015, 5:07 PM
BBlack claimed this task.
BBlack raised the priority of this task from to Medium.
BBlack updated the task description.
BBlack added a project: Traffic.
BBlack added a subscriber: BBlack.
Restricted Application added a project: acl*sre-team. Aug 20 2015, 5:07 PM
Restricted Application added a subscriber: Aklapper.
greg set Security to None.
Restricted Application added a subscriber: Matanya. Aug 20 2015, 5:48 PM

Change 232873 had a related patch set uploaded (by BBlack):
update-ocsp: refactor validation, check cert life

https://gerrit.wikimedia.org/r/232873

Change 232873 merged by BBlack:
update-ocsp: refactor validation, check cert life

https://gerrit.wikimedia.org/r/232873

BBlack closed this task as Resolved. Aug 21 2015, 12:32 AM
BBlack moved this task from Triage to Done on the Traffic board. Aug 27 2015, 2:41 AM