Mailing List Archive

From:: Theo Buehler <tb@theobuehler.org>
Subject:: Re: acme-client(8): Adapt renewal calculation for shortlived certificates.
To:: Job Snijders <job@openbsd.org>
Cc:: tech <tech@openbsd.org>
Date:: Wed, 17 Sep 2025 06:52:46 +0200

Download raw body.

Thread

2025-09-16 16:59 Lloyd:
acme-client(8): Adapt renewal calculation for shortlived certificates.
2025-09-16 23:27 Job Snijders:
acme-client(8): Adapt renewal calculation for shortlived certificates.
- 2025-09-17 04:52 Theo Buehler:
  acme-client(8): Adapt renewal calculation for shortlived certificates.
2025-09-18 12:20 Stuart Henderson:
acme-client(8): Adapt renewal calculation for shortlived certificates.
2025-09-22 14:38 Stuart Henderson:
acme-client(8): Adapt renewal calculation for shortlived certificates.

> > +	if (cert_validity < 0) {
> 
> maybe 'cert_validity <= 0' ?

< 0 is the correct check. The validity is a closed interval, possibly
degenerate. While we should not encounter them here, such certs do exist:

https://github.com/openbsd/src/commit/ee1b4e5ecf2dbfac6c847dec0a39c494b070bf1e

2025-09-16 16:59 Lloyd:
acme-client(8): Adapt renewal calculation for shortlived certificates.
2025-09-16 23:27 Job Snijders:
acme-client(8): Adapt renewal calculation for shortlived certificates.
- 2025-09-17 04:52 Theo Buehler:
  acme-client(8): Adapt renewal calculation for shortlived certificates.
2025-09-18 12:20 Stuart Henderson:
acme-client(8): Adapt renewal calculation for shortlived certificates.
2025-09-22 14:38 Stuart Henderson:
acme-client(8): Adapt renewal calculation for shortlived certificates.