Fix return certificate expiry time from NearExpiration (#29128)

* Fix return certificate expiry time from NearExpiration - The duration returned from the NearExpiration is supposed to represent the time till expiry from now and not the calculated time a month from now. * Add cl * PR feedback
2026-02-03 20:40:45 -05:00 · 2024-12-09 13:39:00 -05:00 · 2024-12-09 13:39:00 -05:00 · 56fa43f73f
commit 56fa43f73f
parent 5701c5b492
2 changed files with 13 additions and 8 deletions
--- a/changelog/29128.txt
+++ b/changelog/29128.txt
@ -0,0 +1,3 @@
+```release-note:bug
+vault/diagnose: Fix time to expiration reporting within the TLS verification to not be a month off.
+```
--- a/vault/diagnose/tls_verification.go
+++ b/vault/diagnose/tls_verification.go
@ -270,15 +270,17 @@ func TLSFileWarningChecks(leafCerts, interCerts, rootCerts []*x509.Certificate)
 	return warnings, nil
 }

-// NearExpiration returns a true if a certficate will expire in a month and false otherwise
+// NearExpiration returns a true if a certificate will expire in a month
+// and false otherwise, along with the duration until the certificate expires
+// which can be a negative duration if the certificate has already expired.
 func NearExpiration(c *x509.Certificate) (bool, time.Duration) {
-	oneMonthFromNow := time.Now().Add(30 * 24 * time.Hour)
-	var timeToExpiry time.Duration
-	if oneMonthFromNow.After(c.NotAfter) {
-		timeToExpiry := oneMonthFromNow.Sub(c.NotAfter)
-		return true, timeToExpiry
-	}
-	return false, timeToExpiry
+	now := time.Now()
+	timeToExpiry := c.NotAfter.Sub(now)
+
+	oneMonthFromNow := now.Add(30 * 24 * time.Hour)
+	isNearExpiration := oneMonthFromNow.After(c.NotAfter)
+
+	return isNearExpiration, timeToExpiry
 }

 // TLSMutualExclusionCertCheck returns error if both TLSDisableClientCerts and TLSRequireAndVerifyClientCert are set