New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
failing enveloping-expired-cert with "certificate is not yet valid" #280
Comments
The error message is correct when I run it on my environment and in CI: /home/aleksey/dev/xmlsec/apps/xmlsec1 verify --X509-skip-strict-checks --crypto openssl --crypto-config /tmp/xmlsec-crypto-config --trusted-der /home/aleksey/dev/xmlsec/tests/keys/cacert.der --enabled-key-data x509 --verification-time 2014-05-25+00:00:00 /home/aleksey/dev/xmlsec/tests/aleksey-xmldsig-01/enveloping-expired-cert.xml |
Knowing libxmlsec is completely blameless since it's clearly proven in the CI output, and not intending to indicate that there might be the slightest error in the code, can you provide your openssl library version? Mine is 1.1.1c and I wonder if the problem on my environment, again, completely not your problem, could be caused by a different openssl library? |
You have source code. Put the breakpoint around the issuance check and see what openssl returns. |
@lsh123 This test fails for me with |
Bug: lsh123/xmlsec#280 Reported-by: James Beddek <telans@posteo.de> Signed-off-by: Sam James <sam@gentoo.org>
Sure |
Fixed by adding (and using) --verification-gmt-time option for xmlsec1 tool |
Very excited, testing soon! |
Using the master branch newly checked out.
make check
has:So I manually run the test and noticed the message: "certificate is not yet valid" (it's at the bottom of the first line of the command line output, scroll to see)
if I add one year to
--verification-time 2014-05-24+00:00:00
and use--verification-time 2015-05-24+00:00:00
then the output is a more reasonable "certificate has expired"I know the default answer might be something like "it passed CI so it must have been your environment". I'm just consulting on where to look, not assuming the code is broken or that the problem is not my environment. My theory was that perhaps the test certificate bumped a year while the test cases didn't, but that can't explain why it then passed CI.
The text was updated successfully, but these errors were encountered: