From 6d9c463b60f1470f9775a40a54cfcc3946f6d351 Mon Sep 17 00:00:00 2001
From: Bhoppi Chaw
Date: Sat, 5 Jun 2021 02:55:30 +0800
Subject: [PATCH] Fix: new cert issuing is incorrectly delayed (#998)
* fix new cert issuing is incorrectly delayed
* apply lint
* revert cert duration & write cert issue/revoke info into log
* apply lint
Co-authored-by: Bhoppi Chaw
---
 transport/internet/tls/config.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/transport/internet/tls/config.go b/transport/internet/tls/config.go
index f11ba8d13..2bb5b9f43 100644
--- a/transport/internet/tls/config.go
+++ b/transport/internet/tls/config.go
@@ -67,7 +67,7 @@ func isCertificateExpired(c *tls.Certificate) bool {
 }
 // If leaf is not there, the certificate is probably not used yet. We trust user to provide a valid certificate.
- return c.Leaf != nil && c.Leaf.NotAfter.Before(time.Now().Add(-time.Minute))
+ return c.Leaf != nil && c.Leaf.NotAfter.Before(time.Now().Add(time.Minute*2))
 }
 func issueCertificate(rawCA *Certificate, domain string) (*tls.Certificate, error) {
@@ -120,6 +120,9 @@ func getGetCertificateFunc(c *tls.Config, ca []*Certificate) func(hello *tls.Cli
 cert := certificate
 if !isCertificateExpired(&cert) {
 newCerts = append(newCerts, cert)
+ } else if cert.Leaf != nil {
+ expTime := cert.Leaf.NotAfter.Format(time.RFC3339)
+ newError("old certificate for ", domain, " (expire on ", expTime, ") revoked").AtInfo().WriteToLog()
 }
 }
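Review bot: The new lookahead on the `return` line of isCertificateExpired is an unexplained magic value, and the comment above it still only covers the nil-Leaf case; name it and say why, e.g. `const renewLeadTime = 2 * time.Minute` at package scope, `// Treat the certificate as expired renewLeadTime before NotAfter so a replacement is issued before the old one actually lapses.` above the return, and `return c.Leaf != nil && c.Leaf.NotAfter.Before(time.Now().Add(renewLeadTime))`. With this change the function name no longer matches its contract — it now also reports certificates that remain valid for up to two more minutes — so a doc comment on isCertificateExpired stating that would help its caller in getGetCertificateFunc. One consequence worth confirming: if issueCertificate ever produces a certificate whose validity is shorter than the lead time, it would be judged expired on the very next check and re-issued again, so a comment or guard tying the issued duration to renewLeadTime seems worthwhile. The body of isCertificateExpired starts above the hunk.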
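Review bot: The `else if cert.Leaf != nil` guard in the loop looks redundant: by the `return` shown in the hunk above, isCertificateExpired reports true only when Leaf is non-nil, and `cert` is the same copy whose address was passed, so a plain `else` would do — or keep the guard with a comment marking it as defensive so the next reader does not hunt for the case it handles. The wording `revoked` in the log line overstates what happens; the expired certificate is merely dropped from the set that is served, nothing is revoked in the PKI sense (no CRL or OCSP involvement), so `" (expired on ", expTime, ") dropped"` would describe the event accurately for someone reading the log during an incident. getGetCertificateFunc begins before and continues past this hunk.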
@@ -137,6 +140,14 @@ func getGetCertificateFunc(c *tls.Config, ca []*Certificate) func(hello *tls.Cli
 newError("failed to issue new certificate for ", domain).Base(err).WriteToLog()
 continue
 }
+ parsed, err := x509.ParseCertificate(newCert.Certificate[0])
+ if err == nil {
+ newCert.Leaf = parsed
+ expTime := parsed.NotAfter.Format(time.RFC3339)
+ newError("new certificate for ", domain, " (expire on ", expTime, ") issued").AtInfo().WriteToLog()
+ } else {
+ newError("failed to parse new certificate for ", domain).Base(err).WriteToLog()
+ }
 access.Lock()
 c.Certificates = append(c.Certificates, *newCert)