Expired certs error return connection refused
Bug Report
Description
I'm not sure if this is due to our proxy or this is a gRPC thing, but an opaque "connection refused error" is returned to the client on a system with an expired certificate. We should fix this.
Logs
Environment
- Talos version: [talosctl version --nodes <problematic nodes>]
- Kubernetes version: [kubectl version --short]
- Platform:
When a client submits an invalid client certificate (e.g. expired), the termination happens early in the TLS handshake before any application layer is established, so returning a descriptive error is impossible, I believe.
What can be done is a client-side check for an expired cert; this will be more user-friendly, but this should be a warning imho to account for clock skew.
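A sketch of the client-side check suggested in the comment above, as an added example that is not part of the original thread and is not Talos code. The names `CheckClientCert` and `Status`, the 5-minute skew tolerance, and the sample validity window are assumptions made for illustration.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"time"
)

type Status string

const (
	OK          Status = "valid"
	Expired     Status = "expired"
	NotYetValid Status = "not yet valid"
	Ambiguous   Status = "at a validity boundary within clock-skew tolerance"
)

// near reports whether a and b differ by at most skew in either direction.
func near(a, b time.Time, skew time.Duration) bool {
	d := a.Sub(b)
	return d >= -skew && d <= skew
}

// CheckClientCert compares the validity window with the local clock. Within
// skew of NotBefore or NotAfter the verdict is Ambiguous: the node's clock,
// not the client's, decides whether the TLS handshake succeeds.
func CheckClientCert(c *x509.Certificate, now time.Time, skew time.Duration) Status {
	switch {
	case near(now, c.NotAfter, skew), near(now, c.NotBefore, skew):
		return Ambiguous
	case now.After(c.NotAfter):
		return Expired
	case now.Before(c.NotBefore):
		return NotYetValid
	}
	return OK
}

func main() {
	// Constructed validity window; a real client would parse its configured certificate.
	nb := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	c := &x509.Certificate{NotBefore: nb, NotAfter: nb.AddDate(1, 0, 0)}
	now := nb.AddDate(1, 0, 1) // constructed "local time", one day past NotAfter
	if s := CheckClientCert(c, now, 5*time.Minute); s != OK {
		// Warn only and still attempt the connection: the local clock may be the wrong one.
		fmt.Printf("warning: client certificate is %s (NotAfter %s, local time %s)\n",
			s, c.NotAfter.Format(time.RFC3339), now.Format(time.RFC3339))
	}
}
```

The check only produces a warning and leaves the accept or reject decision to the node, which is what makes it tolerant of a skewed client clock.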
@smira It might, at least, be worthwhile to have an insecure-accessible endpoint to pull node-time though. So we can actually check which of the two is out-of-sync. (which can happen, for example, with unreachable NTP servers)
This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.
This issue was closed because it has been stalled for 7 days with no activity.