The path could not be validated because the end-entity certificate revocation checks failed.

[satanu01]

--with-validation-info not working and internet was well connected. (Single document sign validation well working in Adobe Reader)

C:\Users\Satanu\Desktop\signfield>pyhanko --verbose sign addsig --field chairman --with-validation-info --style-name backlogo pkcs11 --p11-setup test-setup Degree1.pdf outputtest1.pdf
2021-07-15 17:59:22,964 - root - DEBUG - Running with --verbose
2021-07-15 17:59:22,965 - root - DEBUG - Finished reading configuration from pyhanko.yml.
2021-07-15 17:59:25,833 - urllib3.connectionpool - DEBUG - Starting new HTTP connection (1): ocvs.pantasign.com:80
2021-07-15 17:59:26,435 - urllib3.connectionpool - DEBUG - http://ocvs.pantasign.com:80 "POST / HTTP/1.1" 200 3298
2021-07-15 17:59:26,452 - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): www.pantasign.com:443
2021-07-15 17:59:27,359 - urllib3.connectionpool - DEBUG - https://www.pantasign.com:443 "GET /repository/PantaSignCRL.crl HTTP/1.1" 200 699013
2021-07-15 17:59:28,714 - pyhanko.cli - ERROR - Error raised while producing signed file.
Traceback (most recent call last):
  File "C:\Users\Satanu\AppData\Local\Programs\Python\Python39\lib\site-packages\pyhanko-0.7.0.dev1-py3.9.egg\pyhanko\sign\signers.py", line 2320, in sign_pdf
    signer_cert_validation_path = validator.validate_usage(
  File "C:\Users\Satanu\AppData\Local\Programs\Python\Python39\lib\site-packages\pyhanko_certvalidator\__init__.py", line 211, in validate_usage
    self._validate_path()
  File "C:\Users\Satanu\AppData\Local\Programs\Python\Python39\lib\site-packages\pyhanko_certvalidator\__init__.py", line 146, in _validate_path
    raise exceptions[0]
  File "C:\Users\Satanu\AppData\Local\Programs\Python\Python39\lib\site-packages\pyhanko_certvalidator\__init__.py", line 139, in _validate_path
    validate_path(self._context, candidate_path, self._params)
  File "C:\Users\Satanu\AppData\Local\Programs\Python\Python39\lib\site-packages\pyhanko_certvalidator\validate.py", line 70, in validate_path
    return _validate_path(validation_context, path, parameters=parameters)
  File "C:\Users\Satanu\AppData\Local\Programs\Python\Python39\lib\site-packages\pyhanko_certvalidator\validate.py", line 592, in _validate_path
    _check_revocation(
  File "C:\Users\Satanu\AppData\Local\Programs\Python\Python39\lib\site-packages\pyhanko_certvalidator\validate.py", line 817, in _check_revocation
    raise PathValidationError(pretty_message(
pyhanko_certvalidator.errors.PathValidationError: The path could not be validated because the end-entity certificate revocation checks failed: OCSP response is from after the validation time; CRL is from after the validation time

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\Satanu\AppData\Local\Programs\Python\Python39\lib\site-packages\pyhanko-0.7.0.dev1-py3.9.egg\pyhanko\cli.py", line 74, in pyhanko_exception_manager
    yield
  File "C:\Users\Satanu\AppData\Local\Programs\Python\Python39\lib\site-packages\pyhanko-0.7.0.dev1-py3.9.egg\pyhanko\cli.py", line 910, in _sign_pkcs11
    generic_sign_pdf(
  File "C:\Users\Satanu\AppData\Local\Programs\Python\Python39\lib\site-packages\pyhanko-0.7.0.dev1-py3.9.egg\pyhanko\cli.py", line 787, in generic_sign_pdf
    result = signers.PdfSigner(
  File "C:\Users\Satanu\AppData\Local\Programs\Python\Python39\lib\site-packages\pyhanko-0.7.0.dev1-py3.9.egg\pyhanko\sign\signers.py", line 2324, in sign_pdf
    raise SigningError(
pyhanko.sign.general.SigningError: ("The signer's certificate could not be validated", PathValidationError('The path could not be validated because the end-entity certificate revocation checks failed: OCSP response is from after the validation time; CRL is from after the validation time'))
Error: Error raised while producing signed file.

Need help.. pls!

[MatthiasValvekens]

The path could not be validated because the end-entity certificate revocation checks failed: OCSP response is from after the validation time; CRL is from after the validation time

This error message explains the problem: your system time falls outside (in this case, before) the validation window of the CRL / OCSP responses that were fetched. With CRLs, that's a little unusual, but it's a somewhat common issue with OCSP responders. Usually, it's caused by clock drift (or perhaps bad timezone handling on the server end).

There are two settings in the config file that may be useful to you:

• There's a top-level config key called time-tolerance that takes a value in seconds (the default is 10s). The larger this value is, the more clock drift will be tolerated.
• Similarly, there's a top-level config flag called retroactive-revinfo (boolean value, default False) that will cause pyHanko to ignore all lower bounds on CRL / OCSP validity windows. It's not really intended for use in this scenario, but if setting time-tolerance doesn't work, this probably will.

Currently, these two options are only documented in pyhanko-certvalidator docstrings, not in the CLI documentation. I should probably do something about that.

[satanu01]

OK, but how to set up these above in the config file and how to create that config file?

[MatthiasValvekens]

They're both top-level settings in the general YAML config file; the same file as the one containing your PKCS#11 settings.

I'd look something like

time-tolerance: 100
retroactive-revinfo: true

pkcs11-setups:
   ...  # PCKS#11 settings go here

# whatever other settings you need go here