diff --git a/transport/internet/tls/config.go b/transport/internet/tls/config.go index f11ba8d13..2bb5b9f43 100644 --- a/transport/internet/tls/config.go +++ b/transport/internet/tls/config.go @@ -67,7 +67,7 @@ func isCertificateExpired(c *tls.Certificate) bool { } // If leaf is not there, the certificate is probably not used yet. We trust user to provide a valid certificate. - return c.Leaf != nil && c.Leaf.NotAfter.Before(time.Now().Add(-time.Minute)) + return c.Leaf != nil && c.Leaf.NotAfter.Before(time.Now().Add(time.Minute*2)) } func issueCertificate(rawCA *Certificate, domain string) (*tls.Certificate, error) { @@ -120,6 +120,9 @@ func getGetCertificateFunc(c *tls.Config, ca []*Certificate) func(hello *tls.Cli cert := certificate if !isCertificateExpired(&cert) { newCerts = append(newCerts, cert) + } else if cert.Leaf != nil { + expTime := cert.Leaf.NotAfter.Format(time.RFC3339) + newError("old certificate for ", domain, " (expire on ", expTime, ") revoked").AtInfo().WriteToLog() } } @@ -137,6 +140,14 @@ func getGetCertificateFunc(c *tls.Config, ca []*Certificate) func(hello *tls.Cli newError("failed to issue new certificate for ", domain).Base(err).WriteToLog() continue } + parsed, err := x509.ParseCertificate(newCert.Certificate[0]) + if err == nil { + newCert.Leaf = parsed + expTime := parsed.NotAfter.Format(time.RFC3339) + newError("new certificate for ", domain, " (expire on ", expTime, ") issued").AtInfo().WriteToLog() + } else { + newError("failed to parse new certificate for ", domain).Base(err).WriteToLog() + } access.Lock() c.Certificates = append(c.Certificates, *newCert)