fix: #759

avwo · Jul 25, 2022 · e14d8b1 · e14d8b1
1 parent 14d05fc
commit e14d8b1
Showing 1 changed file with 14 additions and 6 deletions.
diff --git a/lib/https/ca.js b/lib/https/ca.js
@@ -41,8 +41,10 @@ var certsCache = new LRU({ max: 256 });
 var remoteCerts = new LRU({ max: 1280 });
 var ILEGAL_CHAR_RE = /[^a-z\d-]/i;
 var RANDOM_SERIAL = '.' + Date.now() + '.' + Math.floor(Math.random() * 10000);
-var CLEAR_CERTS_INTERVAL = 1000 * 60 * 60 * 24 * 20;
-var MAX_INNTERFAL = 18;
+var ONE_DAY = 1000 * 60 * 60 * 24;
+var MIN_DATE = ONE_DAY * 20;
+var CLEAR_CERTS_INTERVAL = ONE_DAY * 20;
+var MAX_INNTERFAL = 16;
 var PORT_RE = /:\d*$/;
 var customRoot;
 var ROOT_KEY, ROOT_CRT;
@@ -494,11 +496,17 @@ function createCert(publicKey, serialNumber, isShortPeriod) {
   var cert = pki.createCertificate();
   cert.publicKey = publicKey;
   cert.serialNumber = serialNumber || '01';
-  var curYear = new Date().getFullYear();
-  cert.validity.notBefore = new Date();
-  cert.validity.notAfter = new Date();
-  cert.validity.notBefore.setFullYear(curYear - 1);
+  var curDate = new Date();
+  var curYear = curDate.getFullYear();
+  if (isShortPeriod) {
+    cert.validity.notBefore = new Date(curDate.getTime() - MIN_DATE);
+  } else {
+    cert.validity.notBefore = new Date();
+    cert.validity.notBefore.setFullYear(curYear - 1);
+  }
+  // https://www.ssls.com/blog/apples-new-ssl-lifetime-limitation-and-what-it-means-for-you/
   // https://chromium.googlesource.com/chromium/src/+/refs/heads/master/net/cert/cert_verify_proc.cc#900
+  cert.validity.notAfter = new Date();
   cert.validity.notAfter.setFullYear(curYear + (isShortPeriod ? 1 : 10));
   return cert;
 }