github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Sign certificates valid from 1 minute earlier to avoid failures caused by clock drift

pull/4275/head
Paul Banks 2018-06-20 20:28:54 +01:00 committed by Jack Pearkes
parent e33bfe249e
commit 51fc48e8a6
1 changed files with 17 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
agent/connect/ca/provider_consul.go
View File

@ -200,6 +200,10 @@ func (c *ConsulProvider) Sign(csr *x509.CertificateRequest) (string, error) {
// Cert template for generation // Cert template for generation
sn := &big.Int{} sn := &big.Int{}
sn.SetUint64(idx + 1) sn.SetUint64(idx + 1)
// Sign the certificate valid from 1 minute in the past, this helps it be
// accepted right away even when nodes are not in close time sync accross the
// cluster. A minute is more than enough for typical DC clock drift.
effectiveNow := time.Now().Add(-1 * time.Minute)
template := x509.Certificate{ template := x509.Certificate{
SerialNumber: sn, SerialNumber: sn,
Subject: pkix.Name{CommonName: serviceId.Service}, Subject: pkix.Name{CommonName: serviceId.Service},
@ -218,8 +222,8 @@ func (c *ConsulProvider) Sign(csr *x509.CertificateRequest) (string, error) {
x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageServerAuth,
}, },
// todo(kyhavlov): add a way to set the cert lifetime here from the CA config // todo(kyhavlov): add a way to set the cert lifetime here from the CA config
NotAfter: time.Now().Add(3 * 24 * time.Hour), NotAfter: effectiveNow.Add(3 * 24 * time.Hour),
NotBefore: time.Now(), NotBefore: effectiveNow,
AuthorityKeyId: keyId, AuthorityKeyId: keyId,
SubjectKeyId: keyId, SubjectKeyId: keyId,
} }
@ -281,6 +285,17 @@ func (c *ConsulProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
template.SubjectKeyId = keyId template.SubjectKeyId = keyId
template.AuthorityKeyId = keyId template.AuthorityKeyId = keyId
// Sign the certificate valid from 1 minute in the past, this helps it be
// accepted right away even when nodes are not in close time sync accross the
// cluster. A minute is more than enough for typical DC clock drift.
effectiveNow := time.Now().Add(-1 * time.Minute)
template.NotBefore = effectiveNow
// This cross-signed cert is only needed during rotation, and only while old
// leaf certs are still in use. They expire within 3 days currently so 7 is
// safe. TODO(banks): make this be based on leaf expiry time when that is
// configurable.
template.NotAfter = effectiveNow.Add(7 * 24 * time.Hour)
bs, err := x509.CreateCertificate( bs, err := x509.CreateCertificate(
rand.Reader, &template, rootCA, cert.PublicKey, privKey) rand.Reader, &template, rootCA, cert.PublicKey, privKey)
if err != nil { if err != nil {