Hi there! Got an obscure bug I could use a pointer or two developing. Here's the synopsis:
I'm running a frontend using the golang autocert package, in order to provision certs just-in-time for user-supplied domain names.
It mostly works, however I see an issue for the very first request: Chrome on Mac will display the certificate as invalid for the rest of the session; and Safari on Mac will display it as invalid for just that request. Example from Safari:
Inspecting the cert chain in the UI shows everything is valid.
I'm wondering if this comes down to some sort of expected client/server race condition with local time and NotBefore of the issued certs. If that's the case, I am guessing this comes down to the consequences of JIT provisioning & imperfect client clocks. I can think of three possible solutions:
- Ask LetsEncrypt for an earlier NotBefore timestamp. (Probably not allowed, for good reason..?)
- Provision the cert as early as possible, ahead of any real customer request (i.e. avoid JIT).
- Add an artificial extra delay on the first response (e.g. a 5-second delay means we can tolerate clients whose clocks are up to 5 sec slow).
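The third option, as an added example that is not part of the original post: a wrapper around any GetCertificate callback (autocert.Manager.GetCertificate has this signature) that holds only handshakes which would hand out a certificate younger than the tolerated clock skew, so cached certs are never delayed. The 5-second tolerance and the function names are assumptions.

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"time"
)

// Assumed tolerance: how far a client's clock may lag the CA's (the poster's 5 s).
const clockSkewTolerance = 5 * time.Second

// holdForNotBefore returns how long a handshake must wait until a client whose clock
// lags by up to skew sees NotBefore as already past; 0 when the cert is old enough.
func holdForNotBefore(leaf *x509.Certificate, now time.Time, skew time.Duration) time.Duration {
	if earliest := leaf.NotBefore.Add(skew); now.Before(earliest) {
		return earliest.Sub(now)
	}
	return 0
}

// withNotBeforeHold wraps a GetCertificate callback (autocert.Manager.GetCertificate has this
// signature). Older cached certs pass untouched; a fresh cert is held for the rest of the skew window.
func withNotBeforeHold(inner func(*tls.ClientHelloInfo) (*tls.Certificate, error),
	skew time.Duration) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		cert, err := inner(hello)
		if err != nil {
			return nil, err
		}
		if cert.Leaf == nil { // autocert fills Leaf; refuse to guess NotBefore without it
			return nil, errors.New("GetCertificate returned a certificate without Leaf")
		}
		wait := holdForNotBefore(cert.Leaf, time.Now(), skew)
		if wait <= 0 {
			return cert, nil
		}
		ctx := hello.Context() // nil for a ClientHelloInfo built by hand rather than by crypto/tls
		if ctx == nil {
			ctx = context.Background()
		}
		select { // release the hold early if the client gives up first
		case <-time.After(wait):
			return cert, nil
		case <-ctx.Done():
			return nil, ctx.Err()
		}
	}
}
```

Wire it in with `tls.Config{GetCertificate: withNotBeforeHold(m.GetCertificate, clockSkewTolerance)}`; the hold is paid once per freshly issued cert, and not at all once the cert is older than the tolerance.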
Any general recommendations are welcome. Thanks!