[tialaramex]

> I have only seen it pop-up once- for a cert that I had just issued a second prior. The cert was logged properly and the page loaded another second later.

Hmm. Possibly a timing issue? It is conventional to slightly "back date" certificates so that they claim to have been issued an hour ago, as obviously if users forgot to adjust a PC for the clocks changing your site should still work & it was seen as easier to just back date the certificates. However for SCTs because the log has a Maximum Merge Delay conventionally set to 24 hours - so such back dating gives you 1 hour less to fix any technical problems - if you miss that 24 hour deadline you're out and must start over. So we do not back date SCTs.

Thus if your system had the time slightly wrong (say, off by 10 seconds) but had Transparency checks enabled I can imagine it would reject a freshly issued cert because the certificate says it was issued almost an hour ago but the SCTs are in the near future.

[snailmailman]

Oh interesting. I didn’t realize certs get backdated a bit, but that makes a lot of sense. Interesting that the same isn’t done with SCTs.

I doubt my system time was off by 10 seconds, but I have seen it off by nearly a full second quite frequently. (I checked just now, 700ms behind?) I was checking it quite often via time.gov for a while, and I know the inaccuracy returns after each boot. Maybe my bios doesn’t keep milliseconds, leaving me at ~1s precision only. I suppose that’s probably fine most of the time, but I feel like it should be more precise. Depending on how much it drifts it could be drifting further...

In the case I saw this error, the cert did not exist until I requested the page. Caddy then handles cert creation on-demand and serves it immediately. It’s my own local server- so my latency to it is <1ms - there isn't much time for the cert to become-more-valid if its fresh. It seems likely that my PC fell behind the server enough that the cert wasn't valid for a second or more? I'm tempted to investigate, but right now I only have one cert that needs updating - and it seemed to reissue and load the page just now without issue. (But looking at the cert, I see what you mention - the cert got backdated but not the SCT.)

[snailmailman]

oh wow! yeah my clock sucks. checked again today - clock is incorrect by 5 entire seconds! its unclear why windows isn't resyncing and correcting it. had to manually click the button to sync time and its fixed again for now.

[cmeacham98]

More likely guess, given a refresh fixed it: there was a slight delay with the CT log and it hadn't started returning the precertificate yet.

[tialaramex]

The browser isn't talking to the CT log, nor to the CA. It's just looking at the documents it was given, typically the certificate for a single intermediate and then the certificate for server itself which has the SCTs baked inside it.

Suppose that you get a cert minted for your new server on 1st March at 14:56:09 UTC, the CA does a few checks, concludes this is OK and writes a to-be-signed certificate dated 1st March 13:56:11 UTC, then it mutates this tbsCert by adding poison (per the CT design) signs that and sends it to two CT logs shortly after, each CT log accepts this poisoned pre-cert and provides an SCT dated 1st March 14:56:15. The CA fastens these SCTs to the tbsCert it made before and signs all of that, which it provides back as a new certificate, this delivery completes at 14:56:21 only 12 seconds after you started and your server can use it immediately.

Unfortunately your PC's clock is 15 seconds slow, it still believes it is 14:56:06 and so when it tries to visit the web site and sees the SCTs with 14:56:15 on them those are from the future and not yet valid. A message is shown explaining that this isn't valid, you take a moment to read it and then try refreshing at what you believe (based on your PC clock) is 14:56:15. This time though it all works because now the documents are valid.