From 4897eae979f8d0b73b1d01116acb22b2b7bd68f3 Mon Sep 17 00:00:00 2001
From: Eero af Heurlin
Date: Sat, 23 Mar 2024 15:21:00 +0200
Subject: [PATCH 1/2] minimum viable lifetime is 1h or rounding in the ocsp responder will mess things up
---
 src/ocsprest/config.py | 2 ++
 src/ocsprest/helpers.py | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/ocsprest/config.py b/src/ocsprest/config.py
index 65e7b78..0baa49e 100644
--- a/src/ocsprest/config.py
+++ b/src/ocsprest/config.py
@@ -46,6 +46,8 @@ class RESTConfig(BaseSettings):
 description="Location to dump the DER CRL to, .PEM version will also be created", default="/ca_public/crl.der"
 )
 crl_lifetime: str = Field(description="Lifetime to pass to CFSSL", default="1800s")
+ # OCSP responder rounds the response nextupdate in funky ways so less than 1h will lead to weird results
+ ocsp_lifetime: str = Field(description="Lifetime to pass to CFSSL", default="1h")
 crl_refresh: int = Field(description="Interval to dump CRL via out background task", default=900)
 ci: bool = Field(default=False, alias="CI", description="Are we running in CI")
diff --git a/src/ocsprest/helpers.py b/src/ocsprest/helpers.py
index a7ebc89..14a2a92 100644
--- a/src/ocsprest/helpers.py
+++ b/src/ocsprest/helpers.py
@@ -135,7 +135,7 @@ async def refresh_oscp() -> int:
 f"-ca-key {cnf.cakey}",
 f"-responder {cnf.respcrt}",
 f"-responder-key {cnf.respkey}",
- f"-interval {cnf.crl_lifetime}",
+ f"-interval {cnf.ocsp_lifetime}",
 f"-loglevel {cfssl_loglevel()}",
 ]
 cmd = " ".join(args)
From a68d17bfab71befa6c6750aa493cefcde1a808d2 Mon Sep 17 00:00:00 2001
From: Eero af Heurlin
Date: Sat, 23 Mar 2024 15:25:22 +0200
Subject: [PATCH 2/2] bump version
---
 .bumpversion.cfg | 2 +-
 pyproject.toml | 2 +-
 src/ocsprest/__init__.py | 2 +-
 tests/test_ocsprest.py | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index ed4fa1e..ff00885 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
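Review bot: The 1h floor described in the new comment above `ocsp_lifetime` is not enforced anywhere in this hunk: the field is a free-form `str`, so an overridden value such as a 30-minute lifetime would be accepted and passed on to CFSSL, reproducing the rounding problem the commit is fixing. A validator on the field that parses the duration and rejects anything under one hour would turn the comment into a check. The description is also copied verbatim from `crl_lifetime`; something like `description="OCSP response lifetime passed to CFSSL as -interval, minimum 1h"` would tell the two apart. Since this value bounds how long a relying party may keep trusting a cached response after a revocation, the chosen default is worth a line in the project docs. The RESTConfig class body starts and ends outside the hunk.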
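Review bot: `cnf.ocsp_lifetime` is interpolated unquoted into `args`, which the last context line collapses into a single string with `" ".join(args)`; if that string is later handed to a shell (the execution call is outside the hunk), a lifetime value containing whitespace or shell metacharacters would alter the cfssl command line. Because the setting is an unconstrained `str`, either validate it against a strict duration pattern in `config.py` or quote it at the point of use, e.g. `f"-interval {shlex.quote(cnf.ocsp_lifetime)}",` with `shlex` imported in this module. The neighbouring key and certificate path arguments are built the same way and would benefit from the same treatment. The body of refresh_oscp starts and ends outside the hunk.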
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.0.2
+current_version = 1.0.3
 commit = False
 tag = False
diff --git a/pyproject.toml b/pyproject.toml
index 2a4709a..40086ab 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "ocsprest"
-version = "1.0.2"
+version = "1.0.3"
 description = ""
 authors = ["Eero af Heurlin "]
 readme = "README.rst"
diff --git a/src/ocsprest/__init__.py b/src/ocsprest/__init__.py
index 8939b71..af81f34 100644
--- a/src/ocsprest/__init__.py
+++ b/src/ocsprest/__init__.py
@@ -1,2 +1,2 @@
 """Quick and dirty rest API to call the ocsp signing methods for CFSSL CLI"""
-__version__ = "1.0.2"
+__version__ = "1.0.3"
diff --git a/tests/test_ocsprest.py b/tests/test_ocsprest.py
index 017aaf9..7c3dbdb 100644
--- a/tests/test_ocsprest.py
+++ b/tests/test_ocsprest.py
@@ -10,7 +10,7 @@
 def test_version() -> None:
 """Make sure version matches expected"""
- assert __version__ == "1.0.2"
+ assert __version__ == "1.0.3"
 def test_healthcheck(client: TestClient) -> None: