diff --git a/internal/certauthority/certauthority.go b/internal/certauthority/certauthority.go
index 41ef61eaa..516ad52af 100644
--- a/internal/certauthority/certauthority.go
+++ b/internal/certauthority/certauthority.go
@@ -22,6 +22,14 @@ import (
 "time"
 )
+// certBackdate is the amount of time before time.Now() that will be used to set
+// a certificate's NotBefore field.
+//
+// This could certainly be made configurable by an installer of pinniped, but we
+// will see if we can save adding a configuration knob with a reasonable default
+// here.
+const certBackdate = 5 * time.Minute
 type env struct {
 // secure random number generators for various steps (usually crypto/rand.Reader, but broken out here for tests).
 serialRNG io.Reader
@@ -96,9 +104,9 @@ func newInternal(subject pkix.Name, env env) (*CA, error) {
 }
 ca.signer = privateKey
- // Make a CA certificate valid for 100 years and backdated by one minute.
+ // Make a CA certificate valid for 100 years and backdated by some amount.
 now := env.clock()
- notBefore := now.Add(-1 * time.Minute)
+ notBefore := now.Add(-certBackdate)
 notAfter := now.Add(24 * time.Hour * 365 * 100)
 // Create CA cert template
@@ -141,9 +149,9 @@ func (c *CA) Issue(subject pkix.Name, dnsNames []string, ttl time.Duration) (*tl
 return nil, fmt.Errorf("could not generate private key: %w", err)
 }
- // Make a CA caCert valid for the requested TTL and backdated by one minute.
+ // Make a CA caCert valid for the requested TTL and backdated by some amount.
 now := c.env.clock()
- notBefore := now.Add(-1 * time.Minute)
+ notBefore := now.Add(-certBackdate)
 notAfter := now.Add(ttl)
 // Parse the DER encoded certificate to get an x509.Certificate.
diff --git a/internal/certauthority/certauthority_test.go b/internal/certauthority/certauthority_test.go
index e83ca75b6..5563074d6 100644
--- a/internal/certauthority/certauthority_test.go
+++ b/internal/certauthority/certauthority_test.go
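Review bot: The doc comment on certBackdate says the offset is applied before time.Now(), but both callers in this diff subtract it from the injected clock (`env.clock()` and `c.env.clock()`), so the comment should describe it relative to the CA's clock and say what the backdate is for; suggested wording: `// certBackdate is subtracted from the issuing clock to set a certificate's NotBefore, so that a verifier whose clock lags the issuer by less than this still accepts a freshly issued cert.` The clock-skew rationale is inferred, since the hunk does not state one. It is also worth noting in the same comment that every certificate's effective validity becomes ttl plus certBackdate, because NotAfter in both callers is still computed from now rather than from notBefore.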
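Review bot: The rewritten comment `backdated by some amount` is vaguer than the one it replaces; now that the value has a name the comment should use it: `// Make a CA certificate valid for 100 years and backdated by certBackdate.` The same applies to the rewritten comment in the Issue hunk (`@@ -141,9 +149,9 @@`), which additionally still calls the result a "CA caCert" although Issue appears to produce an end-entity certificate from the dnsNames and ttl it is given. newInternal starts and ends outside this hunk.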
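Review bot: ttl is used unchecked at `notAfter := now.Add(ttl)`, so a zero or negative ttl yields a certificate that is already expired at issuance, and a ttl below -certBackdate yields a NotAfter earlier than its NotBefore; nothing in the hunk rejects either. A guard before the lifetime is computed would make the contract explicit: `if ttl <= 0 { return nil, fmt.Errorf("ttl must be positive, got %v", ttl) }`. Whether any caller can pass such a ttl is not visible here, and Issue's body continues outside the hunk.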
@@ -145,7 +145,7 @@ func TestNewInternal(t *testing.T) {
 },
 wantCommonName: "Test CA",
 wantNotAfter: now.Add(100 * 365 * 24 * time.Hour),
- wantNotBefore: now.Add(-1 * time.Minute),
+ wantNotBefore: now.Add(-5 * time.Minute),
 },
 }
 for _, tt := range tests {
diff --git a/internal/certauthority/kubecertauthority/kubecertauthority_test.go b/internal/certauthority/kubecertauthority/kubecertauthority_test.go
index 51276e92d..f4d6cc7c2 100644
--- a/internal/certauthority/kubecertauthority/kubecertauthority_test.go
+++ b/internal/certauthority/kubecertauthority/kubecertauthority_test.go
@@ -146,7 +146,7 @@ func TestCA(t *testing.T) {
 r.NoError(err)
 validCert := testutil.ValidateCertificate(t, fakeCertPEM, string(certPEM))
 validCert.RequireDNSName("example.com")
- validCert.RequireLifetime(time.Now(), time.Now().Add(10*time.Minute), 2*time.Minute)
+ validCert.RequireLifetime(time.Now(), time.Now().Add(10*time.Minute), 6*time.Minute)
 validCert.RequireMatchesPrivateKey(string(keyPEM))
 // Tick the timer and wait for another refresh loop to complete.
@@ -178,7 +178,7 @@ func TestCA(t *testing.T) {
 validCert2 := testutil.ValidateCertificate(t, fakeCert2PEM, secondCertPEM)
 validCert2.RequireDNSName("example.com")
- validCert2.RequireLifetime(time.Now(), time.Now().Add(10*time.Minute), 2*time.Minute)
+ validCert2.RequireLifetime(time.Now(), time.Now().Add(15*time.Minute), 6*time.Minute)
 validCert2.RequireMatchesPrivateKey(secondKeyPEM)
 })
 })
diff --git a/internal/controller/apicerts/certs_manager_test.go b/internal/controller/apicerts/certs_manager_test.go
index 416184213..91f1f69df 100644
--- a/internal/controller/apicerts/certs_manager_test.go
+++ b/internal/controller/apicerts/certs_manager_test.go
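Review bot: The expected NotBefore is re-hardcoded as `now.Add(-5 * time.Minute)`, so this test silently drifts from the source the next time certBackdate changes. TestNewInternal exercises the unexported newInternal and so presumably lives in package certauthority, in which case it can write `wantNotBefore: now.Add(-certBackdate),` and the expectation tracks the constant. If the file is instead an external test package, the duplication should at least be called out in a comment next to the literal.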
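Review bot: Widening the tolerance passed to RequireLifetime from 2 to 6 minutes loosens the assertion on both ends: if the third argument is a symmetric window, as its position suggests, a NotAfter anywhere from 4 to 16 minutes out now passes for a certificate requested with a 10-minute TTL, and the 5-minute backdate itself is never actually checked. Since these tests issue against the real clock, the expected NotBefore can be stated directly and the window kept tight, e.g. `validCert.RequireLifetime(time.Now().Add(-5*time.Minute), time.Now().Add(10*time.Minute), time.Minute)`. The same applies to the validCert2 hunk below (`@@ -178,7 +178,7 @@`) and to the certs_manager_test.go hunk (`@@ -224,7 +224,7 @@`). RequireLifetime's exact comparison is not visible in this diff, so confirm how it applies the delta before tightening.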
@@ -224,7 +224,7 @@ func TestManagerControllerSync(t *testing.T) {
 // Validate the created cert using the CA, and also validate the cert's hostname
 validCert := testutil.ValidateCertificate(t, actualCACert, actualCertChain)
 validCert.RequireDNSName("pinniped-api." + installedInNamespace + ".svc")
- validCert.RequireLifetime(time.Now(), time.Now().Add(certDuration), 2*time.Minute)
+ validCert.RequireLifetime(time.Now(), time.Now().Add(certDuration), 6*time.Minute)
 validCert.RequireMatchesPrivateKey(actualPrivateKey)
 // Make sure we updated the APIService caBundle and left it otherwise unchanged