From ba0b170818f9c13d632c40dccfd2caa693302ef9 Mon Sep 17 00:00:00 2001
From: Mariano Cano <mariano.cano@gmail.com>
Date: Wed, 23 Mar 2022 19:14:28 -0700
Subject: [PATCH] Attempt to fix TestBootstrapClientServerRotation

This change attempts to fix the test TestBootstrapClientServerRotation.
Due to the backdate, the renew options get too large, causing
continuous renewals, and random errors. After experimenting with
different options, truncating durations to seconds have shown better
results than rounding or just use the plain time.
---
 ca/renew.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ca/renew.go b/ca/renew.go
index 915be787..27898993 100644
--- a/ca/renew.go
+++ b/ca/renew.go
@@ -60,7 +60,10 @@ func NewTLSRenewer(cert *tls.Certificate, fn RenewFunc, opts ...tlsRenewerOption
 		}
 	}
 
-	period := cert.Leaf.NotAfter.Sub(cert.Leaf.NotBefore)
+	// Use the current time to calculate the initial period. Using a notBefore
+	// in the past might set a renewBefore too large, causing continuous
+	// renewals due to the negative values in nextRenewDuration.
+	period := cert.Leaf.NotAfter.Sub(time.Now().Truncate(time.Second))
 	if period < minCertDuration {
 		return nil, errors.Errorf("period must be greater than or equal to %s, but got %v.", minCertDuration, period)
 	}
@@ -181,7 +184,7 @@ func (r *TLSRenewer) renewCertificate() {
 }
 
 func (r *TLSRenewer) nextRenewDuration(notAfter time.Time) time.Duration {
-	d := time.Until(notAfter) - r.renewBefore
+	d := time.Until(notAfter).Truncate(time.Second) - r.renewBefore
 	n := rand.Int63n(int64(r.renewJitter))
 	d -= time.Duration(n)
 	if d < 0 {