Project

General

Profile

Bug #26458

Smart Proxy lists valid certificates as expired

Added by Alex Fisher 9 months ago. Updated 8 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
PuppetCA
Target version:
-
Difficulty:
trivial
Triaged:
No
Bugzilla link:

Description

The logic in the new puppetca http api implementation is wrong (when using puppetserver >= 6.3)

The new puppetserver API doesn't return whether a certificate has expired or not. It returns a state of `requested`, `signed` or `revoked` and (since puppetserver 6.3), `not_before` and `not_after`. Clients, (such as the smart-proxy), are required to work out whether a `signed` certificate is expired or not based on the `not_before` and `not_after` dates.

Foreman expects a certificate to be `valid`, `revoked`, or `pending`. The smart-proxy should return `valid` for `signed` certificates that haven't expired, and `revoked` for those that have. It is currently returning `revoked` for non-expired certificates and `valid` for those that have expired.

Associated revisions

Revision ea0ca790 (diff)
Added by Alex Fisher 9 months ago

fixes #26458 - Fix expired certificate logic

Since the release of puppetserver 6.3, valid certificates were being
listed as `revoked`. This commit fixes the logic that compares the
new `not_after` field returned by the Puppet Server 6.3 API with the
current time.

History

#1 Updated by The Foreman Bot 9 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/644 added

#2 Updated by Alex Fisher 9 months ago

  • Status changed from Ready For Testing to Closed

#3 Updated by Tomer Brisker 8 months ago

  • Fixed in Releases 1.22.0 added

Also available in: Atom PDF