hashicorp / terraform-provider-tls

Utility provider that works with Transport Layer Security keys and certificates. It provides resources that allow private keys, certificates and certificate requests to be created as part of a Terraform deployment.
https://registry.terraform.io/providers/hashicorp/tls/latest
Mozilla Public License 2.0

Large validity periods cause a NotAfter date before the NotBefore date #554

Open NeilW opened 2 months ago

NeilW commented 2 months ago

Terraform CLI and Provider Versions

$ terraform version
Terraform v1.3.6
on linux_amd64

Terraform Configuration

locals {
  validity_period           = 2562048
  cluster_fqdn              = "${var.cluster_name}.${var.cluster_domainname}"
}

resource "tls_self_signed_cert" "k8s_ca" {
  private_key_pem = tls_private_key.k8s_ca.private_key_pem

  subject {
    common_name         = "apiserver"
    organizational_unit = local.cluster_fqdn
  }

  validity_period_hours = local.validity_period

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "cert_signing",
  ]

  is_ca_certificate = true
}

Expected Behavior

There should have been a validity error thrown because 2562048 in hours is too big to fit in a time.Duration type.

Actual Behavior

The value overflowed and became negative, leading to a NotAfter date before the NotBefore date.

WARNING: could not validate bounds for certificate CA: the certificate has expired: NotBefore: 2024-09-13 09:51:20 +0000 UTC, NotAfter: 1732-06-04 10:16:46 +0000 UTC

Steps to Reproduce

  1. terraform apply

How much impact is this issue causing?

Low

Logs

No response

Additional Information

The calculation is at https://github.com/hashicorp/terraform-provider-tls/blob/6a386292e0f73c5156ab1ab0c9aac41ce248e6dc/internal/provider/common_cert.go#L126

Missing validity check at https://github.com/hashicorp/terraform-provider-tls/blob/6a386292e0f73c5156ab1ab0c9aac41ce248e6dc/internal/provider/resource_self_signed_cert.go#L68
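The arithmetic behind this report, as an added illustration that is not the provider's own code: `validity_period_hours` is multiplied by `time.Hour` into a `time.Duration` (an `int64` count of nanoseconds), so any hour count above `math.MaxInt64 / time.Hour` (2562047) wraps to a negative duration and pushes NotAfter centuries before NotBefore. The names `naiveValidity`, `checkedValidity` and `maxValidityHours` are assumptions made for this example; the hardened variant shows the bounds check a validator would apply before the multiplication.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"time"
)

// maxValidityHours is the largest hour count whose nanosecond equivalent
// still fits in a time.Duration (int64). It evaluates to 2562047, one
// below the 2562048 hours used in the issue.
const maxValidityHours = int64(math.MaxInt64 / int64(time.Hour))

// naiveValidity mirrors an unchecked hours * time.Hour multiplication.
// Go integer arithmetic wraps silently, so an oversized input comes back
// negative instead of producing an error.
func naiveValidity(hours int64) time.Duration {
	return time.Duration(hours) * time.Hour
}

// checkedValidity is the hardened form: it rejects negative inputs and any
// hour count that cannot be represented as a time.Duration, so the
// multiplication below can never overflow.
func checkedValidity(hours int64) (time.Duration, error) {
	if hours < 0 {
		return 0, errors.New("validity_period_hours must not be negative")
	}
	if hours > maxValidityHours {
		return 0, fmt.Errorf("validity_period_hours %d exceeds the maximum representable value %d",
			hours, maxValidityHours)
	}
	return time.Duration(hours) * time.Hour, nil
}

// notAfterFrom applies the unchecked duration to a NotBefore timestamp and
// reports whether the resulting NotAfter lies before NotBefore, which is the
// inverted validity window the warning in the issue describes.
func notAfterFrom(notBefore time.Time, hours int64) (notAfter time.Time, inverted bool) {
	notAfter = notBefore.Add(naiveValidity(hours))
	return notAfter, notAfter.Before(notBefore)
}

func main() {
	// Constructed NotBefore matching the timestamp quoted in the issue.
	notBefore := time.Date(2024, time.September, 13, 9, 51, 20, 0, time.UTC)

	for _, hours := range []int64{2562047, 2562048} {
		notAfter, inverted := notAfterFrom(notBefore, hours)
		fmt.Printf("hours=%d naive duration=%v notAfter=%s inverted=%v\n",
			hours, naiveValidity(hours), notAfter.Format(time.RFC3339), inverted)

		if _, err := checkedValidity(hours); err != nil {
			fmt.Printf("hours=%d rejected: %v\n", hours, err)
		} else {
			fmt.Printf("hours=%d accepted\n", hours)
		}
	}
}
```

Running the block prints a NotAfter in the year 1732 for 2562048 hours with `inverted=true`, while the checked path rejects that value and accepts 2562047.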
