Fix return certificate expiry time from NearExpiration (#29128)

* Fix return certificate expiry time from NearExpiration - The duration returned from the NearExpiration is supposed to represent the time till expiry from now and not the calculated time a month from now. * Add cl * PR feedback
hashicorp · Dec 9, 2024 · 56fa43f · 56fa43f
1 parent 5701c5b
commit 56fa43f
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 8 deletions.
diff --git a/changelog/29128.txt b/changelog/29128.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+vault/diagnose: Fix time to expiration reporting within the TLS verification to not be a month off.
+```
diff --git a/vault/diagnose/tls_verification.go b/vault/diagnose/tls_verification.go
@@ -270,15 +270,17 @@ func TLSFileWarningChecks(leafCerts, interCerts, rootCerts []*x509.Certificate)
 	return warnings, nil
 }
 
-// NearExpiration returns a true if a certficate will expire in a month and false otherwise
+// NearExpiration returns a true if a certificate will expire in a month
+// and false otherwise, along with the duration until the certificate expires
+// which can be a negative duration if the certificate has already expired.
 func NearExpiration(c *x509.Certificate) (bool, time.Duration) {
-	oneMonthFromNow := time.Now().Add(30 * 24 * time.Hour)
-	var timeToExpiry time.Duration
-	if oneMonthFromNow.After(c.NotAfter) {
-		timeToExpiry := oneMonthFromNow.Sub(c.NotAfter)
-		return true, timeToExpiry
-	}
-	return false, timeToExpiry
+	now := time.Now()
+	timeToExpiry := c.NotAfter.Sub(now)
+
+	oneMonthFromNow := now.Add(30 * 24 * time.Hour)
+	isNearExpiration := oneMonthFromNow.After(c.NotAfter)
+
+	return isNearExpiration, timeToExpiry
 }
 
 // TLSMutualExclusionCertCheck returns error if both TLSDisableClientCerts and TLSRequireAndVerifyClientCert are set