
Stabilize TLSRenewal on special cases

Open maraino opened this issue 3 years ago • 0 comments

Description

PR https://github.com/smallstep/certificates/pull/871 changed the default renewBefore to be based on the time until the next renewal instead of on the full validity of the certificate. This works ok when TLSRenewer is used with a certificate whose NotBefore is close to the current time. But when the NotBefore is some hours earlier, the first renewal will be at the expected time, but the following ones will be later than expected.

| Case | NotBefore | NotAfter | RenewBefore | Old RenewBefore |
|---|---|---|---|---|
| Common Case | now()-1m | now()+24h | ~8h | ~8h |
| Special Case | now()-8h | now()+16h | ~5h18m | ~8h |
| Extreme Case | now()-23h59m | now()+1m | ~18s | ~8h |
| Test Case | now()-1m | now()+5s | ~1.6s | 21s |

In the test case, TestBootstrapClientServerRotation, the old behavior was causing continuous renewals and random errors with expired certificates, while the new one produces a more stable renewal period, reducing the errors.

maraino avatar Mar 24 '22 18:03 maraino
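Added model of the two renewBefore defaults, written for this page and not code from smallstep/certificates: it assumes renewBefore is derived once from the first certificate as one third of either the full validity (old) or the remaining lifetime (new), and that each later certificate is renewed at NotAfter minus that fixed renewBefore. Run against the table's "Special Case" row it shows the first renewal landing on time and the later ones landing late; run against the "Test Case" row (5s certificates backdated by 1m, a constructed assumption) it shows the old default with a renewal that is always already due.

```go
package main

import (
	"fmt"
	"time"
)

// Policy selects how the default renewBefore is derived from the first
// certificate the renewer sees (assumed model, not the project's code).
type Policy int

const (
	OldPolicy Policy = iota // one third of the full validity (NotAfter-NotBefore)
	NewPolicy               // one third of the time left (NotAfter-now)
)

// RenewBefore models the two defaults compared in the issue's table.
func RenewBefore(p Policy, notBefore, notAfter, now time.Time) time.Duration {
	if p == OldPolicy {
		return notAfter.Sub(notBefore) / 3
	}
	return notAfter.Sub(now) / 3
}

// Simulate fixes renewBefore once from the initial certificate, then for each
// round waits until NotAfter-renewBefore and installs a fresh certificate
// spanning [now-backdate, now+validity]. It returns the wait before each
// renewal; a zero wait means the renewal was already due (a renewal loop).
func Simulate(p Policy, notBefore, notAfter, now time.Time, backdate, validity time.Duration, rounds int) []time.Duration {
	renewBefore := RenewBefore(p, notBefore, notAfter, now)
	waits := make([]time.Duration, 0, rounds)
	for i := 0; i < rounds; i++ {
		wait := notAfter.Add(-renewBefore).Sub(now)
		if wait < 0 {
			wait = 0
		}
		waits = append(waits, wait)
		now = now.Add(wait)
		notBefore, notAfter = now.Add(-backdate), now.Add(validity)
	}
	return waits
}

func main() {
	now := time.Date(2022, 3, 24, 18, 0, 0, 0, time.UTC) // constructed clock
	// "Special Case" row: 24h certificates with 8h already elapsed.
	nb, na := now.Add(-8*time.Hour), now.Add(16*time.Hour)
	fmt.Println("old:", Simulate(OldPolicy, nb, na, now, 0, 24*time.Hour, 3))
	fmt.Println("new:", Simulate(NewPolicy, nb, na, now, 0, 24*time.Hour, 3))
}
```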