Support backdating leaf certificate NotBefore via env var#348
Open
jacaetevha wants to merge 2 commits into
Open
Support backdating leaf certificate NotBefore via env var#348jacaetevha wants to merge 2 commits into
jacaetevha wants to merge 2 commits into
Conversation
- Add PUMADEV_LEAF_CERT_NOT_BEFORE env var to backdate the NotBefore
timestamp on generated leaf certificates, accepting either a
duration (sign-normalized to negative) or a past RFC3339 timestamp.
Falls back to time.Now() when unset, invalid, or not in the past.
- Works around TLS handshake failures ("certificate is not yet
valid") when a client's clock has been moved into the past, e.g.
via libfaketime for testing time-dependent behavior.
- Fix notAfter to always be computed from the real current time
rather than the (possibly backdated) notBefore, so a large offset
can no longer push a cert's expiry into the past.
- Add tests covering the parsing/fallback behavior and a full
chain-verification regression test against a real CA.
- Document the new env var in the README's HTTPS section.
Add a note that setting PUMADEV_LEAF_CERT_NOT_BEFORE via a plain shell export only works when running puma-dev in the foreground. launchd (macOS) and systemd (Linux) run it as a background service with their own environment, so the variable must be added to the plist/unit file instead, with copy-pasteable commands for both.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Unblock testing time-dependent behavior with tools like libfaketime: when a service's clock is moved into the past, TLS handshakes against puma-dev-issued certs were failing with "certificate is not yet valid" because
NotBeforewas always stamped from the real clock.PUMADEV_LEAF_CERT_NOT_BEFOREenv var to backdate theNotBeforetimestamp on generated leaf certificates, accepting either a duration (sign-normalized negative) or a past RFC3339 timestamp — falls back totime.Now()when unset, invalid, or not in the pastnotAfteris still computed from the real current time rather than the (possibly backdated) notBefore, so a large offset cannot push a cert's expiry into the pastREADME, including how to set it for background services (launchd plist / systemd unit), since a plain shell export doesn't reach those