Fetch-CRL spams when CRL out-of-date (bugzilla bug #50)
Unfortunately, IGTF CAs are not always able to keep their CRL valid; specifically, sometimes they fail to create a new CRL before the existing CRL expires.
paul@celebrimbor:~$ curl -s $(cat /etc/grid-security/certificates/BYGCA.crl_url) |\
openssl crl -inform der -CApath /etc/grid-security/certificates -noout -issuer -lastupdate -nextupdate verify OK issuer=DC = by, DC = grid, O = uiip.bas-net.by, CN = Belarusian Grid Certification Authority lastUpdate=Jun 18 08:13:41 2020 GMT nextUpdate=Jul 18 08:13:41 2020 GMT paul@celebrimbor:
$ date Mon 20 Jul 10:50:44 CEST 2020 paul@celebrimbor:$
When this happens, fetch-crl issues a warning that the downloaded CRL is out-of-date, and so invalid.
This warning is certainly reasonable; however, fetch-crl issues a warning for each run. By default, this happens four times per day, generating unnecessary noise.
My preference would be for fetch-crl to issues warnings when the CRL validity status changes (valid --> invalid; invalid --> valid).
In addition, at a lower rate, fetch-crl might issue a warning if the problem persists. For example, fetch-crl could issue a warning if a CRL is still invalid after one week, and after two weeks, etc.