Use UTC for leaf exceeding CA's notAfter #18984

Merged Feb 3, 2023 (2 commits)

cipherboy (Contributor):

When generating a leaf which exceeds the CA's validity period, Vault's error message was confusing as the leaf would use the server's time zone, but the CA's notAfter date would use UTC. This could cause user confusion as the leaf's expiry might look before the latter, due to using different time zones. E.g.:

> cannot satisfy request, as TTL would result in notAfter
> 2023-03-06T16:41:09.757694-08:00 that is beyond the expiration of
> the CA certificate at 2023-03-07T00:29:52Z

Consistently use UTC for this instead.

Signed-off-by: Alexander Scheel <[email protected]>


Reported by @hellobontempo, thanks! :-)
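The mismatch described above, reproduced as an added example that is not part of this pull request or of Vault's code. `checkLeafNotAfter` and `sampleTimes` are hypothetical names, and a fixed -08:00 offset is assumed for the server's local zone; the two instants are the ones quoted in the error message.

```go
package main

import (
	"fmt"
	"time"
)

// checkLeafNotAfter is a hypothetical helper, not Vault's implementation.
// It rejects a leaf whose notAfter is later than the CA's. With utc=false the
// leaf time is printed in whatever zone it carries (the confusing message);
// with utc=true both instants are rendered in UTC.
func checkLeafNotAfter(leafNotAfter, caNotAfter time.Time, utc bool) error {
	// time.Time.After compares instants, so the decision is zone-independent.
	if !leafNotAfter.After(caNotAfter) {
		return nil
	}
	if utc {
		leafNotAfter, caNotAfter = leafNotAfter.UTC(), caNotAfter.UTC()
	}
	return fmt.Errorf("cannot satisfy request, as TTL would result in notAfter %s "+
		"that is beyond the expiration of the CA certificate at %s",
		leafNotAfter.Format(time.RFC3339Nano), caNotAfter.Format(time.RFC3339Nano))
}

// sampleTimes rebuilds the two instants quoted in the PR description.
// A fixed -08:00 offset stands in for the server's local zone (assumption).
func sampleTimes() (leaf, ca time.Time) {
	serverZone := time.FixedZone("server-local", -8*60*60)
	leaf = time.Date(2023, time.March, 6, 16, 41, 9, 757694000, serverZone)
	ca = time.Date(2023, time.March, 7, 0, 29, 52, 0, time.UTC)
	return leaf, ca
}

func main() {
	leaf, ca := sampleTimes()
	fmt.Println("mixed zones:", checkLeafNotAfter(leaf, ca, false))
	fmt.Println("UTC only:   ", checkLeafNotAfter(leaf, ca, true))
}
```

The rejection is the same in both modes because the comparison is on instants; only the rendering changes, and in UTC the leaf's date (2023-03-07T00:41:09Z) visibly falls after the CA's.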

@cipherboy added the bug and secret/pki labels Feb 3, 2023
@cipherboy added this to the 1.13.0-rc1 milestone Feb 3, 2023
Signed-off-by: Alexander Scheel <[email protected]>
@cipherboy enabled auto-merge (squash) February 3, 2023 16:46
@cipherboy merged commit 780dcf1 into main Feb 3, 2023
@cipherboy deleted the cipherboy-ttl-error-consistently branch April 21, 2023 13:04