Open GermanCoding opened 2 years ago
The problem seems to be that the order is always stored with a notBefore and notAfter, even if the client didn't request any, and it has a hardcoded backdate of 1m: https://github.com/smallstep/certificates/blob/ea084d71fb7b2ab8c2e3fc81e20e84ee49f6cc88/acme/api/order.go#L174-L184
Then the Sign operation has those options set, and they are used instead of using the current time minus the configured backdate. https://github.com/smallstep/certificates/blob/ea084d71fb7b2ab8c2e3fc81e20e84ee49f6cc88/acme/order.go#L173-L176
Bump. Could the ACME provisioner use the backdate
setting from the global configuration instead of the hardcoded value? I'm using certbot
and it's submitting orders without specifying any particular NotBefore
date.
For now I've manually changed the hardcoded value in the code - it works well with certbot
and all constraints regarding certificate maximal lifetime are still validated correctly.
I'm unfortunately not fluent enough in Go to be able to propose PR on my own here :( Would be really grateful if somebody could fix this.
Subject of the issue
Customized backdates seem to have no effect on ACME provisioners. I've attempted to increase the default backdate duration from it's hardcoded value of 1 minute to about 1 hour (like LE does), because there are devices out there that can't always keep their clock accurate to +- 1 minute.
I've therefore set a custom backdate value in
ca.json
which does get applied when I use my JWK provisioner. However, when requesting certificates via ACME, they're always backdated by 1 minute, not by my value set inca.json
Your environment
Steps to reproduce
# ca.json
Expected behaviour
Both certificates are backdated by ~1 hour.
Actual behaviour
The JWK-issued certificate is backdated by ~1 hour, while the ACME-issued certificate is backdated by ~1 minute.
Additional context
The ACME protocol can set customized NotBefore/NotAfter fields in the order. I haven't tested if smallstep supports these. For my tests I was using acme.sh 3.0.4, which to my knowledge does not set NotBefore/NotAfter fields in the ACME order (unlesss explicitly configured to do so), so the ACME order should have used the default backdate specified in ca.json, just like the JWK provisioner.
It looks like the ACME provisioner always uses it's hardcoded backdate value of 1 min and ignores whatever was set in ca.json.