nebula certificate expired but node always connected

[luisnodealert]

hi guys, i checked nebula certificate expired but node always connected only after nebula restart notices the expired certificate:
RRO[0000] Failed to load certificate from config error="nebula certificate for this host is expired"

[johnmaguire]

Hi @luisnodealert - it's true that nodes won't shut down if their own certificate expires. There is a bit of history in why this behavior exists the way it does.

Prior to v1.5.0, pki.disconnect_invalid did not exist, which meant that if a host's certificate expired, hosts which it had already handshaked with while its certificate was valid would continue to talk to the host. Now, when pki.disconnect_invalid is enabled, hosts will disconnect peers whose certificates expire. This is an optional flag.

For this reason, it would be detrimental to your network stability if a host shut itself down while it was still communicating with other hosts.

Perhaps you could share a bit about what you're hoping to achieve by having the host shut itself down early? It seems to me that in both cases you're going to struggle with network connectivity issues. Would a log message warning about an expired certificate prior to a shutdown/restart be helpful?

[luisnodealert]

so can i disable this feature?
It seems that nodes with expired certificates can continue to communicate for a long time.
a good idea is to disconnect the node when there is no more traffic and for a maximum time.

[johnmaguire]

@luisnodealert if you enable pki.disconnect_invalid on all of your hosts, they will tear tunnels down when their peer's host expires.

The host with an expired cert will not tear its own tunnels down, nor will it shut itself down as a result of its own certificate expiring.

[luisnodealert]

okay thanks.
if it was of great help ... for me it is important to block the node with expired certificate even if in a violent way..