linuxkit/linuxkit

Resolve `certificate with CN ABC DEF is near expiry` messages

Closed this issue · 4 comments

ijc commented

linuxkit/kubernetes#62 is the most recent instance of a user reporting the "certificate... is near expiry" messages:

```
WARN[0003] certificate with CN Justin Cormack is near expiry
WARN[0003] certificate with CN  is near expiry
WARN[0003] certificate with CN  is near expiry
WARN[0003] certificate with CN avi@atomicinc.com is near expiry
WARN[0003] certificate with CN Ian Campbell is near expiry
WARN[0004] certificate with CN  is near expiry
WARN[0004] certificate with CN  is near expiry
WARN[0004] certificate with CN avi@atomicinc.com is near expiry
WARN[0004] certificate with CN Ian Campbell is near expiry
WARN[0004] certificate with CN Justin Cormack is near expiry
WARN[0004] certificate with CN Justin Cormack is near expiry
```

Although these are benign (until the key actually expires) we should figure out what to do about them, either short or long term. For now this issue can serve as a place to point users who are concerned.

The longer term solution is that apparently they will go away with Notary 0.6 which is out soon...

ijc commented

What is the behaviour of pulling an image which was signed with a now expired certificate going to be?

Is removing the message sufficient or do we also need to rotate our signatures?

I believe the message is just referring to the timestamp signatures that are automatically rotated on hub, so we don't need to do anything.

rn commented

fixed via #2951

closing