Bug #26458
Smart Proxy lists valid certificates as expired
Description
The logic in the new puppetca http api implementation is wrong (when using puppetserver >= 6.3)
The new puppetserver API doesn't return whether a certificate has expired or not. It returns a state of `requested`, `signed` or `revoked` and (since puppetserver 6.3), `not_before` and `not_after`. Clients, (such as the smart-proxy), are required to work out whether a `signed` certificate is expired or not based on the `not_before` and `not_after` dates.
Foreman expects a certificate to be `valid`, `revoked`, or `pending`. The smart-proxy should return `valid` for `signed` certificates that haven't expired, and `revoked` for those that have. It is currently returning `revoked` for non-expired certificates and `valid` for those that have expired.
Associated revisions
History
#1
Updated by The Foreman Bot about 4 years ago
Updated by - Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/smart-proxy/pull/644 added
#2
Updated by Alex Fisher about 4 years ago
Updated by - Status changed from Ready For Testing to Closed
Applied in changeset ea0ca79087bae926a17b9117a12e0f89915b7a4a.
#3
Updated by Tomer Brisker almost 4 years ago
Updated by - Fixed in Releases 1.22.0 added
fixes #26458 - Fix expired certificate logic
Since the release of puppetserver 6.3, valid certificates were being
listed as `revoked`. This commit fixes the logic that compares the
new `not_after` field returned by the Puppet Server 6.3 API with the
current time.