Background. Customer is running code to test registering/enrolling operations on a daily basis. Failures began occurring after re-enrollments and could only be corrected by restarting the CA.
Log snippet from the CA:

```text
2022-06-22T05:00:05.813188931Z 2022/06/22 05:00:05 [INFO] signed certificate with serial number 227295963368738719576295504100228910397990236259
2022-06-22T05:00:05.856018279Z 2022/06/22 05:00:05 [INFO] 172.30.14.166:60118 POST /api/v1/reenroll 201 0 "OK"
2022-06-22T05:00:06.047488264Z 2022/06/22 05:00:06 [INFO] signed certificate with serial number 443761956686633821028606532772396696503568673733
2022-06-22T05:00:06.099787377Z 2022/06/22 05:00:06 [INFO] 172.30.14.166:60120 POST /api/v1/reenroll 201 0 "OK"
2022-06-22T05:00:06.192780584Z 2022/06/22 05:00:06 [INFO] 172.30.16.22:49800 POST /api/v1/register 401 26 "Untrusted certificate: Failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2021-06-28T12:58:30Z is before 2021-11-18T08:08:00Z"
2022-06-22T05:23:28.755945128Z 2022/06/22 05:23:28 [INFO] 172.30.16.22:47926 POST /api/v1/register 401 26 "Untrusted certificate: Failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2021-06-28T12:58:30Z is before 2021-11-18T08:08:00Z"
```
Note in the log that when attempting to register a user, it fails with an error indicating that the current time is in the past.
This is related to the recent change to add "reenrollignorecertexpiry" to the configuration.
In fabric-ca/lib/serverrequestcontext.go:

```go
reenrollIgnoreCertExpiry := ctx.endpoint.Path == "reenroll" && ctx.ca.Config.CA.ReenrollIgnoreCertExpiry
// Make sure the caller's cert was issued by this CA
err2 = ca.VerifyCertificate(cert, reenrollIgnoreCertExpiry)
if err2 != nil {
	return "", caerrors.NewAuthenticationErr(caerrors.ErrUntrustedCertificate, "Untrusted certificate: %s", err2)
}
```
The reenrollIgnoreCertExpiry is set only for "reenroll".
In fabric-ca/lib/ca.go:

```go
func (ca *CA) VerifyCertificate(cert *x509.Certificate, forceTime bool) error {
	log.Debugf("Certicate Dates: NotAfter = %s NotBefore = %s \n", cert.NotAfter.String(), cert.NotBefore.String())
	opts, err := ca.getVerifyOptions()
	if err != nil {
		return errors.WithMessage(err, "Failed to get verify options")
	}
	// force check time to be 30 seconds after certificate start time to ensure expiry doesn't get flagged
	// this is one of the checks that is made on the certificate in Verify()
	if forceTime {
		opts.CurrentTime = cert.NotBefore.Add(time.Duration(time.Second * 30))
	}
```
The opts.CurrentTime is reset to an offset time, but only for re-enrollments.
The getVerifyOptions returns the current options if they already exist.

```go
func (ca *CA) getVerifyOptions() (*x509.VerifyOptions, error) {
	if ca.verifyOptions != nil {
		return ca.verifyOptions, nil
	}
```
The problem is there is nothing that resets the opts.CurrentTime.
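The following is an added, stand-alone reproduction of the failure mode described in this issue; it is not fabric-ca code. The `CA` type, `getVerifyOptions`, `VerifyBuggy`, `VerifyFixed`, `IsExpiryError` and `RunScenario` are hypothetical stand-ins, and the certificates are generated in-process so the example runs offline. `VerifyBuggy` mutates the cached `*x509.VerifyOptions` the way the quoted `VerifyCertificate` does; `VerifyFixed` shows the obvious remedy of working on a per-call copy so `CurrentTime` never leaks from a reenroll into a later register.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 = 1

// issue creates a test certificate signed by parent/parentKey; a nil parent makes it self-signed.
func issue(cn string, notBefore, notAfter time.Time, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: isCA,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// CA is a hypothetical stand-in for the fields of fabric-ca's CA struct that matter here.
type CA struct {
	roots         *x509.CertPool
	verifyOptions *x509.VerifyOptions // built once, then the same pointer is handed to every request
}

func (c *CA) getVerifyOptions() *x509.VerifyOptions {
	if c.verifyOptions != nil {
		return c.verifyOptions
	}
	c.verifyOptions = &x509.VerifyOptions{Roots: c.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	return c.verifyOptions
}

// VerifyBuggy mirrors the quoted code: forceTime writes CurrentTime into the shared struct,
// so the override persists for every later call, including register requests.
func (c *CA) VerifyBuggy(cert *x509.Certificate, forceTime bool) error {
	opts := c.getVerifyOptions()
	if forceTime {
		opts.CurrentTime = cert.NotBefore.Add(30 * time.Second)
	}
	_, err := cert.Verify(*opts)
	return err
}

// VerifyFixed works on a per-call value copy; the cached struct is never mutated, so
// CurrentTime stays zero (meaning "now") for ordinary requests.
func (c *CA) VerifyFixed(cert *x509.Certificate, forceTime bool) error {
	opts := *c.getVerifyOptions()
	if forceTime {
		opts.CurrentTime = cert.NotBefore.Add(30 * time.Second)
	}
	_, err := cert.Verify(opts)
	return err
}

// IsExpiryError reports whether err is Go's "certificate has expired or is not yet valid".
func IsExpiryError(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.Expired
}

// RunScenario replays the sequence from the log: a reenroll with an expired cert (expiry ignored),
// then a register with a freshly issued cert. Constructed test PKI, not customer data.
func RunScenario(buggy bool) (reenrollErr, registerErr error) {
	now := time.Now()
	root, rootKey := issue("test-ca", now.AddDate(-3, 0, 0), now.AddDate(10, 0, 0), true, nil, nil)
	expired, _ := issue("old-client", now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0), false, root, rootKey)
	fresh, _ := issue("new-client", now.Add(-time.Hour), now.AddDate(1, 0, 0), false, root, rootKey)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	ca := &CA{roots: pool}
	verify := ca.VerifyFixed
	if buggy {
		verify = ca.VerifyBuggy
	}
	reenrollErr = verify(expired, true) // reenroll: passes in both versions
	registerErr = verify(fresh, false)  // register: buggy CA is still "at" old NotBefore + 30s
	return
}

func main() {
	for _, buggy := range []bool{true, false} {
		r, g := RunScenario(buggy)
		fmt.Printf("buggy=%v reenroll=%v register=%v\n", buggy, r, g)
	}
}
```

With the buggy path the second call fails with the same `x509: certificate has expired or is not yet valid: current time ... is before ...` text seen in the log, and it keeps failing until the process restarts because the cached pointer is never reset; the copy in `VerifyFixed` is enough to make the override request-local.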