Comments (3)
The path could not be validated because the end-entity certificate revocation checks failed: OCSP response is from after the validation time; CRL is from after the validation time
This error message explains the problem: your system time falls outside (in this case, before) the validation window of the CRL / OCSP responses that were fetched. With CRLs, that's a little unusual, but it's a somewhat common issue with OCSP responders. Usually, it's caused by clock drift (or perhaps bad timezone handling on the server end).
There are two settings in the config file that may be useful to you:
- There's a top-level config key called `time-tolerance` that takes a value in seconds (the default is 10s). The larger this value is, the more clock drift will be tolerated.
- Similarly, there's a top-level config flag called `retroactive-revinfo` (boolean value, default `False`) that will cause pyHanko to ignore all lower bounds on CRL / OCSP validity windows. It's not really intended for use in this scenario, but if setting `time-tolerance` doesn't work, this probably will.
Currently, these two options are only documented in `pyhanko-certvalidator` docstrings, not in the CLI documentation. I should probably do something about that.
from pyhanko.
OK, but how to set up these above in the config file and how to create that config file?
They're both top-level settings in the general YAML config file; the same file as the one containing your PKCS#11 settings.
It'd look something like

```yaml
time-tolerance: 100
retroactive-revinfo: true
pkcs11-setups:
    ...  # PKCS#11 settings go here
# whatever other settings you need go here
```
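To make the effect of the two settings discussed in this thread concrete, here is an added example (not code from pyHanko or pyhanko-certvalidator) that models a revocation-info validity-window check. The function name, status labels and timestamps are constructed for illustration; the 10-second default tolerance is the value stated in the comment above.

```python
from datetime import datetime, timedelta, timezone

def revinfo_status(validation_time, this_update, next_update,
                   time_tolerance=timedelta(seconds=10),
                   retroactive_revinfo=False):
    """Simplified model (an assumption, not the library's logic) of the
    window check applied to a CRL or OCSP response."""
    # Lower bound: revocation info issued after the validation time is
    # rejected unless the drift fits in the tolerance or the bound is waived.
    if not retroactive_revinfo and this_update - time_tolerance > validation_time:
        return "too-new"
    # Upper bound: still enforced even when the lower bound is waived.
    if next_update is not None and next_update + time_tolerance < validation_time:
        return "stale"
    return "ok"

# Constructed scenario: the local clock runs 45 s behind the OCSP responder.
RESPONDER_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
LOCAL_NOW = RESPONDER_NOW - timedelta(seconds=45)
FRESH = (RESPONDER_NOW, RESPONDER_NOW + timedelta(hours=1))
NEXT_DAY = (RESPONDER_NOW + timedelta(days=1), RESPONDER_NOW + timedelta(days=1, hours=1))
EXPIRED = (RESPONDER_NOW - timedelta(hours=2), RESPONDER_NOW - timedelta(hours=1))

def demo():
    tol100 = timedelta(seconds=100)
    return {
        # Default tolerance: 45 s of drift exceeds 10 s, so validation fails.
        "drift, default": revinfo_status(LOCAL_NOW, *FRESH),
        # time-tolerance: 100 absorbs the drift.
        "drift, tolerance=100": revinfo_status(LOCAL_NOW, *FRESH, time_tolerance=tol100),
        # retroactive-revinfo: true also passes, with no tolerance at all.
        "drift, retroactive": revinfo_status(
            LOCAL_NOW, *FRESH, time_tolerance=timedelta(0), retroactive_revinfo=True),
        # A response issued a day later is still refused with tolerance alone...
        "next-day, tolerance=100": revinfo_status(LOCAL_NOW, *NEXT_DAY, time_tolerance=tol100),
        # ...but accepted once the lower bound is ignored entirely.
        "next-day, retroactive": revinfo_status(LOCAL_NOW, *NEXT_DAY, retroactive_revinfo=True),
        # Expired revocation info stays rejected either way.
        "expired, retroactive": revinfo_status(LOCAL_NOW, *EXPIRED, retroactive_revinfo=True),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:26} -> {status}")
```

In this model, `time-tolerance` widens the accepted window by a bounded amount, while `retroactive-revinfo` removes the lower bound altogether, which is why the former is the narrower fix for clock drift.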