Decrease validity period for self-signed HTTPS certs

As of Go 1.18, certificates are verified with the platform verifier instead of via the Go verifier on macOS. The mac verifier enforces a maximum validity period of 825 days. Our default of 10 years is too long, resulting in an error: x509: certificate is not standards compliant
gravitational · Apr 14, 2022 · f6bb323 · f6bb323
1 parent 231381f
commit f6bb323
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/lib/utils/tls.go b/lib/utils/tls.go
@@ -83,6 +83,12 @@ type TLSCredentials struct {
 	Cert       []byte
 }
 
+// macMaxTLSCertValidityPeriod is the maximum validitiy period
+// for a TLS certificate enforced by macOS.
+// As of Go 1.18, certificates are validated via the system
+// verifier and not in Go.
+const macMaxTLSCertValidityPeriod = 825 * 24 * time.Hour
+
 // GenerateSelfSignedCert generates a self-signed certificate that
 // is valid for given domain names and ips, returns PEM-encoded bytes with key and cert
 func GenerateSelfSignedCert(hostNames []string) (*TLSCredentials, error) {
@@ -91,7 +97,7 @@ func GenerateSelfSignedCert(hostNames []string) (*TLSCredentials, error) {
 		return nil, trace.Wrap(err)
 	}
 	notBefore := time.Now()
-	notAfter := notBefore.Add(time.Hour * 24 * 365 * 10) // 10 years
+	notAfter := notBefore.Add(macMaxTLSCertValidityPeriod)
 
 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
 	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)