
fix: add wall-clock certificate expiry check to webhook TLS rotation #1175

Draft
lfrancke wants to merge 2 commits into main from fix/webhook-tls-wall-clock-rotation

@lfrancke

Description

The rotation interval uses tokio's monotonic clock, but certificate validity uses wall-clock time. When these diverge (hibernation, VM migration, cgroup freezing), the certificate can expire before rotation.

Add a periodic wall-clock check (every 5 minutes) that compares SystemTime::now() against the certificate's not_after field and triggers early rotation if the cert is within 4 hours of expiry.

Fixes: #1174

Definition of Done Checklist

  • Not all of these items are applicable to all PRs; the author should update this template to leave in only the boxes that are relevant
  • Please make sure all these things are done and tick the boxes

Reviewer

  • Code contains useful comments
  • Code contains useful logging statements
  • (Integration-)Test cases added
  • Documentation added or updated. Follows the style guide.
  • Changelog updated
  • Cargo.toml only contains references to git tags (not specific commits or branches)

Acceptance

  • Proper release label has been added

@lfrancke lfrancke force-pushed the fix/webhook-tls-wall-clock-rotation branch 6 times, most recently from 9e714ab to a93a7f6 (March 12, 2026 10:11)
The rotation interval uses tokio's monotonic clock, but certificate
validity uses wall-clock time. When these diverge (hibernation, VM
migration, cgroup freezing), the certificate can expire before rotation.

Add a periodic wall-clock check (every 5 minutes) that compares
SystemTime::now() against the certificate's not_after field and triggers
early rotation if the cert is within 4 hours of expiry.

Fixes: #1174

Remove the monotonic 20h rotation interval and the supplementary
wall-clock check. Instead, use a single periodic check (every 5 min)
that compares wall-clock time against the certificate's not_after.

Also derive the expiry buffer from the certificate lifetime (1/6) so
it scales if the lifetime ever changes, and add comments documenting
the relationship between lifetime and check interval.
@lfrancke lfrancke force-pushed the fix/webhook-tls-wall-clock-rotation branch from a93a7f6 to 003a628 (March 12, 2026 10:15)
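
The rotation decision described in the commit messages above, as an added example that is not code from this pull request. The function names are hypothetical, the 24 h lifetime is an assumption inferred from the 4 h buffer and the 1/6 ratio, and a suspend is modelled as time that the wall clock counts but the monotonic timer does not.

```rust
use std::time::{Duration, SystemTime, UNIX_EPOCH};

// The 5 min check, 20 h interval and 1/6 buffer are from the page; the 24 h
// lifetime is an assumption inferred from the 4 h buffer (4 h * 6).
const CERT_LIFETIME: Duration = Duration::from_secs(24 * 3600);
const CHECK_INTERVAL: Duration = Duration::from_secs(5 * 60);
const OLD_MONOTONIC_INTERVAL: Duration = Duration::from_secs(20 * 3600);

/// Buffer before not_after at which rotation is triggered (lifetime / 6).
fn expiry_buffer(lifetime: Duration) -> Duration {
    lifetime / 6
}

/// Wall-clock decision: rotate when `now` is inside the buffer or past expiry.
fn needs_rotation(now: SystemTime, not_after: SystemTime, lifetime: Duration) -> bool {
    match not_after.duration_since(now) {
        Ok(remaining) => remaining <= expiry_buffer(lifetime),
        // `now` is later than not_after: the certificate has already expired.
        Err(_) => true,
    }
}

/// Previous behaviour, for comparison: rotate after 20 h of monotonic time.
fn monotonic_timer_fired(monotonic_elapsed: Duration) -> bool {
    monotonic_elapsed >= OLD_MONOTONIC_INTERVAL
}

/// Models a host that runs for `awake`, is frozen for `suspended`, then resumes.
/// Returns (monotonic timer fired, wall-clock check says rotate).
fn after_suspend(awake: Duration, suspended: Duration) -> (bool, bool) {
    let issued = UNIX_EPOCH + Duration::from_secs(1_770_000_000); // constructed
    let not_after = issued + CERT_LIFETIME;
    // The monotonic timer only sees awake time; the wall clock sees both.
    let wall_now = issued + awake + suspended;
    (monotonic_timer_fired(awake), needs_rotation(wall_now, not_after, CERT_LIFETIME))
}

fn main() {
    let h = |n: u64| Duration::from_secs(n * 3600);
    // 2 h awake, 21 h frozen: the timer has seen 2 h, the cert has 1 h left.
    println!("timer/wall-clock: {:?}", after_suspend(h(2), h(21)));
    println!("check every {:?}, buffer {:?}", CHECK_INTERVAL, expiry_buffer(CERT_LIFETIME));
}
```

With the check interval well below the buffer, a resumed process has many checks inside the buffer window before `not_after`, and an already expired certificate is caught on the first check after resume.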
Development

Successfully merging this pull request may close these issues.

Webhook TLS certificate rotation uses monotonic time, but cert validity uses wall-clock time
