Foreman » Smart Proxy

The logic in the new puppetca http api implementation is wrong (when using puppetserver >= 6.3)

The new puppetserver API doesn't return whether a certificate has expired or not. It returns a state of `requested`, `signed` or `revoked` and (since puppetserver 6.3), `not_before` and `not_after`. Clients, (such as the smart-proxy), are required to work out whether a `signed` certificate is expired or not based on the `not_before` and `not_after` dates.

Foreman expects a certificate to be `valid`, `revoked`, or `pending`. The smart-proxy should return `valid` for `signed` certificates that haven't expired, and `revoked` for those that have. It is currently returning `revoked` for non-expired certificates and `valid` for those that have expired.