Wrong validity timestamps in certificate?


#1

I’m running my renewal cronjob at 7am CET (2018-12-27T07:00:00+0100), yet the issued certificates have a not_before of 5am UTC (2018-12-27T05:00:00+0000), and the not_after is also offset by one hour.

Shouldn’t the certificates have a not_before 6am UTC, since that’s when they are issued?


#3

Hi @qwerto

there

is a thread with that problem. A computer with the wrong time settings (perhaps wrong time zone), so the new created certificate isn’t valide.


#4

Thanks, but no, this is not my issue.

When I renew the certs (on a server located in UTC+1 = CET, which is irrelevant) and then check them at https://crt.sh/?q=example.com, then the Validity Not Before and Not After shows UTC minus 1 hour on that page. It should show UTC.

I generate it at 7 am CET (=UTC+1) and the certificate (which I download with a Python script to get the timestamp in order to check if the server is effectively using the new certificate) shows 5 am UTC. It should show 6 am UTC. Both my script and crt.sh show the same time. It’s looks wrong by 1 hour.


#5

Yes, this is exactly your issue.

So you generate the cert at 7.00 UTC+1, or 6.00 UTC. Its not-before time is 5.00 UTC. That’s exactly how it’s designed to work, as explained above.


#6

@tdelmas Ah, ok, I had not seen your answer. Thank you, that makes sense.
@danb35 You’re right, I’m sorry, because I only had seen JuergenAuer’s response.


#7

My fault, I have delete it then edited it, to add explanations…