fix: cert_status reports valid certs as EXPIRED when the chain can't be verified (closes #881)#1270
Open
JamBalaya56562 wants to merge 1 commit into
force-pushed from 91e2fb4 to cd70f17
buchdag requested changes on Jun 19, 2026
…ilure cert_status ran `openssl verify` and labelled ANY failure as EXPIRED. But verify also fails when a trust anchor in the chain is expired (e.g. DST Root CA X3) while the leaf certificate is still valid, so valid certs were wrongly shown as EXPIRED (nginx-proxy#881). Determine expiry from the leaf's own notAfter (openssl x509 -checkend): if the leaf is still valid but the chain can't be verified, report "OK (chain verification failed)" instead of EXPIRED. Genuinely expired certs are still reported EXPIRED. Closes nginx-proxy#881 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
force-pushed from cd70f17 to 64ebb5c
JamBalaya56562 (Author, Contributor)
Good point — dropped the test and kept just the
What
`/app/cert_status` no longer reports a still-valid certificate as `EXPIRED` just because its chain fails to verify.

Why
`cert_status` ran `openssl verify -untrusted chain.pem fullchain.pem` and labelled any failure as `EXPIRED`:

But `openssl verify` also fails when a trust anchor in the chain has expired (the classic DST Root CA X3 expiry, Sep 2021) even though the leaf certificate itself is still valid. Users with valid, freshly-renewed certificates saw them reported as `EXPIRED` (#881), which is misleading (the certificate/renewal logic itself was fine).

How
Determine expiry from the leaf certificate's own `notAfter` using `openssl x509 -checkend 0`, rather than treating a chain-verification failure as expiry:
- `openssl verify` succeeds → `OK` (unchanged).
- leaf still valid but the chain can't be verified → `OK (chain verification failed)` (was wrongly `EXPIRED`).
- leaf expired → `EXPIRED` (unchanged).

Added
`test/tests/cert_status/`: a deterministic test (no ACME server needed) that generates a valid self-signed cert (chain unverifiable) and an expired one, and asserts the valid one is not reported `EXPIRED` while the expired one is.

Testing
- `cert_status` test passes locally and is registered in `test/config.sh` + the CI matrix.
- ... `OK (chain verification failed)` / `Certificate is valid until …`
- ... `EXPIRED` / `Certificate was valid until …`
- `shellcheck` clean on the modified script and the new test.

Closes #881

🤖 Generated with Claude Code
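The classification the description lays out, as an added example that is not nginx-proxy's `/app/cert_status` nor code from this PR: expiry is decided from the leaf's own `notAfter` via `openssl x509 -checkend`, and a chain that fails `openssl verify` only adds the "(chain verification failed)" qualifier. The function names `cert_status_of` and `make_demo_certs`, the optional `CAFILE` argument, the `WINDOW` parameter, and the generated "Demo Root"/`example.test` certificates are this example's own assumptions. It goes one step beyond the PR by accepting a positive `-checkend` window, which is what makes the `EXPIRED` outcome reproducible with a freshly generated 1-day certificate instead of a faked clock. It needs the `openssl` CLI on `PATH`.

```shell
#!/bin/sh
# Added example, not nginx-proxy's /app/cert_status: classify a certificate the
# way the PR describes. Expiry comes from the leaf's own notAfter
# (openssl x509 -checkend); a chain that fails `openssl verify` is reported
# separately instead of being mistaken for expiry. Requires the openssl CLI.
set -u

# cert_status_of FULLCHAIN CHAIN [CAFILE] [WINDOW]  (names/params assumed here)
#   FULLCHAIN  leaf followed by intermediates (the first PEM block is the leaf)
#   CHAIN      intermediates only, handed to `openssl verify -untrusted`
#   CAFILE     optional trust anchor for -CAfile; empty = system trust store
#   WINDOW     seconds passed to -checkend; the PR uses 0 ("expired now").
#              Treating "expires within WINDOW seconds" as EXPIRED is this
#              example's assumption, so the EXPIRED path can be exercised with
#              a short-lived certificate generated a moment earlier.
cert_status_of() {
    fullchain=$1; chain=$2; cafile=${3:-}; window=${4:-0}

    # Step 1: only the leaf's own validity period decides EXPIRED.
    # -checkend exits non-zero when notAfter falls within WINDOW seconds of now.
    if ! openssl x509 -noout -in "$fullchain" -checkend "$window" >/dev/null 2>&1; then
        echo "EXPIRED"
        return 0
    fi

    # Step 2: a still-valid leaf is OK; chain verification only adds a qualifier.
    set -- -untrusted "$chain" "$fullchain"
    if [ -n "$cafile" ]; then set -- -CAfile "$cafile" "$@"; fi
    if openssl verify "$@" >/dev/null 2>&1; then
        echo "OK"
    else
        echo "OK (chain verification failed)"
    fi
}

# make_demo_certs DIR: constructed test material, not real certificates.
# Writes a self-signed "Demo Root" CA and a leaf it signed, valid for 1 day.
make_demo_certs() {
    dir=$1
    cat > "$dir/demo.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Demo Root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$dir/demo.cnf" -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -new -config "$dir/demo.cnf" -subj "/CN=example.test" \
        -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.pem" >/dev/null 2>&1
}

# Stand-alone run: the three outcomes from the PR description.
run_demo() {
    d=$(mktemp -d)
    make_demo_certs "$d"
    # trusted anchor, valid leaf                 -> OK
    printf 'trusted chain:    %s\n' "$(cert_status_of "$d/leaf.pem" "$d/ca.pem" "$d/ca.pem")"
    # anchor unknown to the trust store (#881)  -> OK (chain verification failed)
    printf 'unverified chain: %s\n' "$(cert_status_of "$d/leaf.pem" "$d/ca.pem" "")"
    # leaf expires within a 2-day window        -> EXPIRED, whatever the chain says
    printf 'expired leaf:     %s\n' "$(cert_status_of "$d/leaf.pem" "$d/ca.pem" "$d/ca.pem" 172800)"
    rm -rf "$d"
}

run_demo
```

The order of the two checks is the point of the fix: the `-checkend` test runs first and is the only thing that can produce `EXPIRED`, so an untrusted or expired anchor can no longer masquerade as leaf expiry. The second demo case is the #881 shape (valid leaf, anchor the verifier will not accept); the third shows that a genuinely expiring leaf is still reported `EXPIRED` even with a perfectly good chain.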