🐛 BUG: overall poor behavior with "not before" field in host certificate #1130
Comments
@lostmsu NotBefore is a standard certificate criteria. Allowing for time drift sort of defeats the purpose of it, IMO. We expect clocks to be properly timesync'd. This is also why it's listed as a dependency in the example service file. What's the use case for creating a certificate and then rolling back the system clock, as in your reproduction steps? Or, how are you encountering this problem in the real world?
@johnmaguire in the real world the CA is on a different machine. I suppose the time it takes to generate a certificate there, copy it to the client, and launch
That's why I suggested two other options. BTW, generating a certificate with NotBefore configurable to the past might be needed not only because the client won't start if its time is slightly behind, but also I am not sure what happens if the client is up to date, but the node it is trying to connect to is slightly behind. Basically, I want to be able to have some reasonable grace period. E.g. when I say the duration of the certificate is 24h, I don't see why NotBefore can't be -1m. Just checked time drift on a few of my PCs and it ranges from -25ms to almost +2s.
@lostmsu Understood. We're investigating allowing users to specify overriding the NotBefore at signing time. That being said, in the meantime, enabling NTP on your machines should resolve time drift.
@johnmaguire it is not as simple as that. The machines I ship certificates to are customers' machines, some of them Windows. Not even domain joined.
Thanks Victor, that's the real world scenario I was looking for. This context is helpful when determining the best solution. :)
What version of nebula are you using? (nebula -version)
1.8.2
What operating system are you using?
Windows
Describe the Bug
Repro steps:
Expected:
Some reasonable behavior, e.g. one of the following:
- nebula-cert setting "not before" to a few minutes prior to now
- nebula prints a warning, waits for "not before", then resumes connection
- nebula returns a descriptive error message (preferably machine readable so the invoker can figure out the "not before" value) and exits with some specific error code
Actual:
Logs from affected hosts
Config files from affected hosts
Nothing special
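The three behaviours proposed in this issue (a CA-side backdated NotBefore, a client-side grace period, and a machine-readable "not yet valid" error that a caller can wait on), as an added Go example that is not nebula's own code. The function and type names are hypothetical, and the 2 s CA/host offset is a constructed sample based on the drift measured in the thread.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrNotYetValid reports a certificate whose NotBefore is still in the future
// after the tolerated clock skew; it carries the timestamps so an invoker can
// read the "not before" value directly instead of parsing log text.
type ErrNotYetValid struct{ NotBefore, Now time.Time }

func (e *ErrNotYetValid) Error() string {
	return fmt.Sprintf("certificate not yet valid: not_before=%s now=%s wait=%s",
		e.NotBefore.UTC().Format(time.RFC3339), e.Now.UTC().Format(time.RFC3339), e.NotBefore.Sub(e.Now))
}

// CheckNotBefore accepts the certificate when notBefore <= now+skew; skew is the
// clock drift the operator tolerates (0 keeps strict NotBefore checking).
func CheckNotBefore(notBefore, now time.Time, skew time.Duration) error {
	if !notBefore.After(now.Add(skew)) {
		return nil
	}
	return &ErrNotYetValid{NotBefore: notBefore, Now: now}
}

// WaitUntilValid returns how long to sleep before retrying (the "wait, then
// resume" option), or 0 when err is nil or not an ErrNotYetValid.
func WaitUntilValid(err error) time.Duration {
	var e *ErrNotYetValid
	if errors.As(err, &e) && e.NotBefore.After(e.Now) {
		return e.NotBefore.Sub(e.Now)
	}
	return 0
}

// SignWindow is the CA-side option: backdate NotBefore by `backdate` while
// keeping NotAfter at now+duration, so the requested lifetime is unchanged.
func SignWindow(now time.Time, duration, backdate time.Duration) (notBefore, notAfter time.Time) {
	return now.Add(-backdate), now.Add(duration)
}

func main() {
	// Constructed sample: the CA clock is 2 s ahead of this host (the largest drift measured in the thread).
	caNow := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	hostNow := caNow.Add(-2 * time.Second)
	nb, _ := SignWindow(caNow, 24*time.Hour, 0)
	fmt.Println("strict:", CheckNotBefore(nb, hostNow, 0))            // rejected, wait=2s
	fmt.Println("1m skew:", CheckNotBefore(nb, hostNow, time.Minute)) // <nil>
}
```

A caller that prefers the "wait, then resume" behaviour can sleep for WaitUntilValid(err) and retry; one that prefers a hard failure can inspect the typed error and exit with its own code.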