Generate CA Certificates that are valid for a bit further back in time (bug #1352944). #601
See bug #1352944. We were generating certificates that were valid 5 minutes ago, to avoid problems with the clock on the client being out of sync with the clock on the server, but it seems 5 minutes isn't quite enough to account for real world clock skew. So bump it up to 1 week.
c.Assert(caCert.NotAfter.Equal(expiry), gc.Equals, true) | ||
c.Assert(caCert.BasicConstraintsValid, gc.Equals, true) | ||
c.Assert(caCert.IsCA, gc.Equals, true) | ||
c.Check(caKey, gc.FitsTypeOf, (*rsa.PrivateKey)(nil)) |
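Review bot: none of the assertions visible here checks caCert.NotBefore, which is the field this change moves back to one week. Next to the NotAfter assertion, add a check that NotBefore is at or before "now" minus one week, compared with a small tolerance rather than exact equality, so that a regression to the 5-minute window fails the test. The last line also uses c.Check where the lines above use c.Assert; if that difference is intentional, a short comment would help.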
I'd like to see a comment on what we're testing here (i.e. making sure the cert is valid for 1 week before "now").
LGTM, with a couple of comments where relevant to explain the expiration policy.
Also, do the same work for Server and Client certs as well as the CA cert.
I added the comments, and I realized we want to update the CA Cert, but we also want to update the Server and Client certs, so I did so.

Status: merge request accepted. Url: http://juju-ci.vapour.ws:8080/job/github-merge-juju
Build failed: Tests failed

Status: merge request accepted. Url: http://juju-ci.vapour.ws:8080/job/github-merge-juju
Build failed: Tests failed

Status: merge request accepted. Url: http://juju-ci.vapour.ws:8080/job/github-merge-juju
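The clock-skew failure described in the pull request text, as an added example (not code from this pull request or from juju): it issues a self-signed CA with a chosen NotBefore backdate and verifies it as a client whose clock runs behind the issuer's. The helper name `acceptedWithSkew`, the ECDSA key (the test above uses RSA), the certificate subject and the two-hour skew are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// acceptedWithSkew (hypothetical helper) issues a CA backdated by `backdate` and
// verifies it with CurrentTime set `behind` the issuer's clock, as a slow client would.
func acceptedWithSkew(backdate, behind time.Duration) (bool, error) {
	now := time.Now()
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed example CA"},
		NotBefore:             now.Add(-backdate),
		NotAfter:              now.AddDate(10, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return false, err
	}
	ca, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = ca.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now.Add(-behind)})
	return err == nil, nil
}

func main() {
	for _, d := range []time.Duration{5 * time.Minute, 7 * 24 * time.Hour} {
		ok, err := acceptedWithSkew(d, 2*time.Hour)
		fmt.Printf("backdate=%v accepted=%v err=%v\n", d, ok, err)
	}
}
```

With the 5-minute backdate the slow client rejects the certificate as not yet valid; with the 1-week backdate it is accepted.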