
Large validity periods cause a NotAfter date before the NotBefore date #554

Open
NeilW opened this issue Sep 13, 2024 · 1 comment

@NeilW

NeilW commented Sep 13, 2024

Terraform CLI and Provider Versions

```
$ terraform version
Terraform v1.3.6
on linux_amd64
+ provider registry.terraform.io/brightbox/brightbox v3.4.3
+ provider registry.terraform.io/hashicorp/cloudinit v2.3.5
+ provider registry.terraform.io/hashicorp/null v3.2.3
+ provider registry.terraform.io/hashicorp/random v3.6.3
+ provider registry.terraform.io/hashicorp/tls v4.0.6
```

Terraform Configuration

```hcl
locals {
  validity_period = 2562048
  cluster_fqdn    = "${var.cluster_name}.${var.cluster_domainname}"
}

resource "tls_self_signed_cert" "k8s_ca" {
  private_key_pem = tls_private_key.k8s_ca.private_key_pem

  subject {
    common_name         = "apiserver"
    organizational_unit = local.cluster_fqdn
  }

  validity_period_hours = local.validity_period

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "cert_signing",
  ]

  is_ca_certificate = true
}
```

Expected Behavior

There should have been a validity error thrown because 2562048 in hours is too big to fit in a time.Duration type.

Actual Behavior

The value overflowed and became negative, leading to a NotAfter date before the NotBefore date.

```
WARNING: could not validate bounds for certificate CA: the certificate has expired: NotBefore: 2024-09-13 09:51:20 +0000 UTC, NotAfter: 1732-06-04 10:16:46 +0000 UTC
```

Steps to Reproduce

  1. terraform apply

How much impact is this issue causing?

Low

Logs

No response

Additional Information

The calculation is at

```go
template.NotAfter = template.NotBefore.Add(time.Duration(validityPeriodHours) * time.Hour)
```

Missing validity check at

@NeilW NeilW added the bug label Sep 13, 2024
@ndrpnt

ndrpnt commented Nov 26, 2024

early_renewal_hours also seem to be affected.

Interestingly, I found a use case. I was trying to create intentionally expired certificates as part of a learning exercise. This is possible with validity_period_hours = 0, but it causes a permanent diff because the certificate is renewed on each apply. early_renewal_hours = 2562048 fixes that!

please add an option to [keep] spacebar heating
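The overflow reported above (and the same hazard ndrpnt notes for early_renewal_hours) comes down to one Go expression: time.Duration is an int64 count of nanoseconds, so time.Duration(hours) * time.Hour wraps silently once hours exceeds math.MaxInt64 / time.Hour, which is 2562047. The block below is an added example, not the provider's code: naiveNotAfter reproduces the provider's expression as quoted in the issue, and checkedHours / checkedNotAfter are assumed helper names showing the bounds check the report asks for. The NotBefore value is constructed to match the timestamp in the warning.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// maxHours is the largest hour count that still fits in a time.Duration
// (int64 nanoseconds): math.MaxInt64 / 3.6e12 == 2562047. One more hour
// overflows, which is exactly the boundary the issue stumbled over.
const maxHours = math.MaxInt64 / int64(time.Hour)

// naiveNotAfter mirrors the provider's expression as quoted in the issue.
// The multiplication is plain int64 arithmetic and wraps without error,
// so a large hour count yields a negative Duration and a NotAfter in the past.
func naiveNotAfter(notBefore time.Time, hours int64) time.Time {
	return notBefore.Add(time.Duration(hours) * time.Hour)
}

// checkedHours is the missing validation step (assumed helper, not the
// provider's code). It rejects negative values and any value that would
// overflow time.Duration before the multiplication is performed.
func checkedHours(hours int64) (time.Duration, error) {
	if hours < 0 {
		return 0, fmt.Errorf("hours must be non-negative, got %d", hours)
	}
	if hours > maxHours {
		return 0, fmt.Errorf("%d hours overflows time.Duration (max %d)", hours, maxHours)
	}
	return time.Duration(hours) * time.Hour, nil
}

// checkedNotAfter is the guarded form of the NotAfter calculation: the same
// check applies to any hour-valued input such as early_renewal_hours.
func checkedNotAfter(notBefore time.Time, hours int64) (time.Time, error) {
	d, err := checkedHours(hours)
	if err != nil {
		return time.Time{}, err
	}
	return notBefore.Add(d), nil
}

func main() {
	// Constructed NotBefore matching the timestamp in the reported warning.
	notBefore := time.Date(2024, 9, 13, 9, 51, 20, 0, time.UTC)

	for _, h := range []int64{8760, maxHours, maxHours + 1} {
		na := naiveNotAfter(notBefore, h)
		fmt.Printf("hours=%d naive NotAfter=%s expiredBeforeIssued=%v\n",
			h, na.Format(time.RFC3339), na.Before(notBefore))
		if _, err := checkedNotAfter(notBefore, h); err != nil {
			fmt.Println("  checked:", err)
		}
	}
}
```

Running it shows 2562047 hours producing a NotAfter in the year 4316 while 2562048 hours lands in 1732, the same year as the warning in the report; the checked variant refuses the second value instead of emitting a pre-expired certificate.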
