/ go Public
x/crypto/acme/autocert: new certificate rejected by Chrome client for 1h if client's clock is behind. #39638
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
What version of Go are you using (
Does this issue reproduce with the latest release?
What operating system and processor architecture are you using (
What did you do?
Chrome version: 83.0.4103.97
What did you expect to see?
Certificate won't get rejected, at least not for one hour.
I think the rejection can also happen when the visit is on a new renewal, but renewals often happen in the background, so it is slightly harder to hit the particular time window in a debug session.
What did you see instead?
Certificate got rejected for 1 hour.
to be fair, I think the root cause is on chrome browser side. I also filed the issue to chrome, and chrome marked it as won't fix:
so one mitigation
autocertcan have, is to have an config to optionally insert a sleeping delay after a certificate is issued and before the certificate can be returned to a
The text was updated successfully, but these errors were encountered: