OCSP response cache is not updated in a timely manner #10632
Comments
This is stale, but we won't close it automatically, just bear in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach
Any updates here?
Would be interesting to know since we are facing the same problem since we use this feature. We are restarting our ingress very regularly because of this which is kind of annoying...
The issue still persists, we have to manually restart the nginx-ingress controller every couple of hours just to refresh the response. An update on the problem would be much appreciated!
Do you have any letsencrypt certs? If yes, does the problem occur with the Letsencrypt certs as well?
At least in our case we're using QuoVadis Certificates
/triage accepted @tao12345666333 @rikatz @Gacko @strongjz please comment as it seems that if this is limited to just changing the time period, then it will not be a complicated change.
It should be the other way (the expiry should be shorter):
Sorry for the long delay. Let me take a look this week /assign
@tao12345666333 could you verify the issue, do you have some insights for us?
What happened:
We are using ingress-nginx with the config value "enable-ocsp": true. In the beginning this works as expected, but the OCSP cache is not updated when the response expires after 2 days:
Taken from openssl response on 08.Nov.2023 13:53 GMT:
What you expected to happen:
OCSP cache is updated before the expiry and the response is still valid.
NGINX Ingress controller version:
Kubernetes version:
Environment:
Cloud provider or hardware configuration: Azure, AKS
OS : Alpine Linux v3.17
Kernel : 5.15.0-1042-azure
Install tools: -
Basic cluster related info: See above
How was the ingress-nginx-controller installed: -
Current State of the controller: -
Current state of ingress object, if applicable: -
Others: -
How to reproduce this issue:
(Re-)Start Ingress-Nginx pods and wait until the OCSP response is expired.
Anything else we need to know:
Certificate provider: QuoVadis
It seems like the OCSP response is refreshed some time after the expiry (like a day after the expiry). As we just detected this issue I don't have an exact time so far.
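A monitoring check for the condition reported above, added here as an example and not part of the original issue or the ingress-nginx code: it parses the OCSP section that `openssl s_client -connect HOST:443 -status` prints and flags a stapled response that is past, or close to, its Next Update. The sample text, the function names and the 12-hour warning window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of the OCSP section of `openssl s_client -status`
# output (illustrative values, not the response from this issue).
SAMPLE_STATUS = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  6 13:00:00 2024 GMT
    Next Update: Jan  8 13:00:00 2024 GMT
"""

_FIELD = re.compile(r"^\s*(This Update|Next Update):\s*(.+?)\s+GMT\s*$", re.M)


def parse_validity(status_text):
    """Return (this_update, next_update) as aware UTC datetimes, None if absent."""
    found = {}
    for name, value in _FIELD.findall(status_text):
        # OpenSSL prints e.g. "Jan  6 13:00:00 2024" with a space-padded day.
        parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y")
        found[name] = parsed.replace(tzinfo=timezone.utc)
    return found.get("This Update"), found.get("Next Update")


def staple_state(status_text, now, warn_before=timedelta(hours=12)):
    """Classify a stapled response: missing, expired, refresh-due or fresh."""
    this_update, next_update = parse_validity(status_text)
    if this_update is None or next_update is None:
        # No staple sent, or no Next Update field: freshness cannot be judged.
        return "missing"
    if now >= next_update:
        # The server is still serving a response that clients must reject.
        return "expired"
    if next_update - now <= warn_before:
        # Still valid, but the cache should already have been refreshed.
        return "refresh-due"
    return "fresh"


if __name__ == "__main__":
    print(staple_state(SAMPLE_STATUS, datetime.now(timezone.utc)))
```

Alerting on "refresh-due" as well as "expired" gives time to react before clients start rejecting the staple.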