From 56fa43f73f7e5c08ff751170696139fc81a1bbd1 Mon Sep 17 00:00:00 2001
From: Steven Clark
Date: Mon, 9 Dec 2024 13:39:00 -0500
Subject: [PATCH] Fix return certificate expiry time from NearExpiration (#29128)

* Fix return certificate expiry time from NearExpiration
- The duration returned from the NearExpiration is supposed to represent the time till expiry from now and not the calculated time a month from now.
* Add cl
* PR feedback
---
 changelog/29128.txt | 3 +++
 vault/diagnose/tls_verification.go | 18 ++++++++++--------
 2 files changed, 13 insertions(+), 8 deletions(-)
 create mode 100644 changelog/29128.txt
diff --git a/changelog/29128.txt b/changelog/29128.txt
new file mode 100644
index 000000000000..ce458a0800ff
--- /dev/null
+++ b/changelog/29128.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+vault/diagnose: Fix time to expiration reporting within the TLS verification to not be a month off.
+```
diff --git a/vault/diagnose/tls_verification.go b/vault/diagnose/tls_verification.go
index 7632e69d522f..be5603fcd614 100644
--- a/vault/diagnose/tls_verification.go
+++ b/vault/diagnose/tls_verification.go
@@ -270,15 +270,17 @@ func TLSFileWarningChecks(leafCerts, interCerts, rootCerts []*x509.Certificate)
 return warnings, nil
 }
 
-// NearExpiration returns a true if a certficate will expire in a month and false otherwise
+// NearExpiration returns a true if a certificate will expire in a month
+// and false otherwise, along with the duration until the certificate expires
+// which can be a negative duration if the certificate has already expired.
 func NearExpiration(c *x509.Certificate) (bool, time.Duration) {
- oneMonthFromNow := time.Now().Add(30 * 24 * time.Hour)
- var timeToExpiry time.Duration
- if oneMonthFromNow.After(c.NotAfter) {
- timeToExpiry := oneMonthFromNow.Sub(c.NotAfter)
- return true, timeToExpiry
- }
- return false, timeToExpiry
+ now := time.Now()
+ timeToExpiry := c.NotAfter.Sub(now)
+
+ oneMonthFromNow := now.Add(30 * 24 * time.Hour)
+ isNearExpiration := oneMonthFromNow.After(c.NotAfter)
+
+ return isNearExpiration, timeToExpiry
 }
 
 // TLSMutualExclusionCertCheck returns error if both TLSDisableClientCerts and TLSRequireAndVerifyClientCert are set
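Review bot: The new body of NearExpiration computes the boolean from a second `time.Time` comparison (`oneMonthFromNow.After(c.NotAfter)`) rather than from the `timeToExpiry` it also returns, and the 30-day window is an unnamed literal whose meaning is only stated in the doc comment as "a month"; deriving the flag from the duration keeps the two return values consistent by construction and gives the threshold a name callers and tests can reference. I would replace the four computation lines with `const nearExpirationWindow = 30 * 24 * time.Hour` at package scope and, in the function, `timeToExpiry := time.Until(c.NotAfter)` followed by `return timeToExpiry < nearExpirationWindow, timeToExpiry`, which preserves the current strict-boundary behaviour (a certificate expiring exactly 30 days from now is not flagged) and the negative-duration-means-expired contract the new comment documents. Since callers are now expected to interpret a negative duration as "already expired", it is worth noting in the doc comment that `Time.Sub` saturates at the `time.Duration` limits rather than wrapping, so a far-future NotAfter (e.g. a 9999-12-31 placeholder) yields a large positive value and cannot be misreported as expired. The `TLSFileWarningChecks` body whose tail appears as context starts outside this hunk.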