The path could not be validated because the end-entity certificate revocation checks failed. about pyhanko HOT 3 CLOSED

The path could not be validated because the end-entity certificate revocation checks failed: OCSP response is from after the validation time; CRL is from after the validation time

This error message explains the problem: your system time falls outside (in this case, before) the validation window of the CRL / OCSP responses that were fetched. With CRLs, that's a little unusual, but it's a somewhat common issue with OCSP responders. Usually, it's caused by clock drift (or perhaps bad timezone handling on the server end).

There are two settings in the config file that may be useful to you:

• There's a top-level config key called time-tolerance that takes a value in seconds (the default is 10s). The larger this value is, the more clock drift will be tolerated.
• Similarly, there's a top-level config flag called retroactive-revinfo (boolean value, default False) that will cause pyHanko to ignore all lower bounds on CRL / OCSP validity windows. It's not really intended for use in this scenario, but if setting time-tolerance doesn't work, this probably will.

Currently, these two options are only documented in pyhanko-certvalidator docstrings, not in the CLI documentation. I should probably do something about that.

from pyhanko.

OK, but how to set up these above in the config file and how to create that config file?

from pyhanko.

They're both top-level settings in the general YAML config file; the same file as the one containing your PKCS#11 settings.

I'd look something like

time-tolerance: 100
retroactive-revinfo: true

pkcs11-setups:
   ...  # PCKS#11 settings go here

# whatever other settings you need go here

from pyhanko.