From 30d263c71e5b113621ef5842a1b07187863a672a Mon Sep 17 00:00:00 2001
From: jasonwitty
Date: Fri, 22 Aug 2025 12:43:48 -0700
Subject: [PATCH] agent: dynamic self-signed cert validity (~397d from now) to avoid immediate expiry
---
 socktop_agent/Cargo.toml | 1 +
 socktop_agent/src/tls.rs | 9 +++++----
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/socktop_agent/Cargo.toml b/socktop_agent/Cargo.toml
index bf3fa25..c81bd52 100644
--- a/socktop_agent/Cargo.toml
+++ b/socktop_agent/Cargo.toml
@@ -29,6 +29,7 @@ anyhow = "1"
 hostname = "0.3"
 bytes = { workspace = true }
 prost = { workspace = true }
+time = { version = "0.3", default-features = false, features = ["formatting", "macros", "parsing" ] }
 
 [build-dependencies]
 prost-build = "0.13"
diff --git a/socktop_agent/src/tls.rs b/socktop_agent/src/tls.rs
index 0073f36..16cfa16 100644
--- a/socktop_agent/src/tls.rs
+++ b/socktop_agent/src/tls.rs
@@ -1,4 +1,5 @@
 use rcgen::{CertificateParams, DistinguishedName, DnType, IsCa, SanType};
+use time::{Duration, OffsetDateTime};
 use std::{
 fs,
 io::Write,
@@ -47,10 +48,10 @@ pub fn ensure_self_signed_cert() -> anyhow::Result<(PathBuf, PathBuf)> {
 dn.push(DnType::CommonName, hostname.clone());
 params.distinguished_name = dn;
 params.is_ca = IsCa::NoCa;
- // Keep default validity (30 days) but extend to ~1 year (397 days)
- // rcgen 0.13 doesn't have validity_days; use not_before/not_after
- params.not_before = rcgen::date_time_ymd(2024, 1, 1);
- params.not_after = rcgen::date_time_ymd(2025, 2, 2); // ~397 days later
+ // Dynamic validity: start slightly in the past to avoid clock skew issues, end ~397 days later
+ let now = OffsetDateTime::now_utc();
+ params.not_before = now - Duration::minutes(5);
+ params.not_after = now + Duration::days(397);
 // Generate key pair (default is ECDSA P256 SHA256)
 let key_pair = rcgen::KeyPair::generate()?; // defaults to ECDSA P256 SHA256
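Review bot: The feature set on the new `time` dependency is wider than the code in this patch needs; tls.rs only calls `OffsetDateTime::now_utc()` and does `Duration` arithmetic, and `now_utc` is gated on time's `std` feature, which this line reaches only indirectly through `formatting`. `macros` and `parsing` appear unused in the visible diff, so unless another module needs them, `time = { version = "0.3", default-features = false, features = ["std"] }` states the actual requirement and keeps the compiled dependency surface minimal. Because rcgen's `not_before`/`not_after` fields are `time::OffsetDateTime` values, this `0.3` requirement also has to resolve to the same `time` release rcgen links against, which cargo does for semver-compatible 0.3.x versions; pinning to a different major would break the assignments in tls.rs.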
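Review bot: The new `use time::{Duration, OffsetDateTime};` is inserted between the `rcgen` import and the `use std::{` block, which is not the order rustfmt produces; with default settings `cargo fmt` sorts a contiguous import group alphabetically (`rcgen`, `std`, `time`), so the line will be moved on the next format run and show up as noise in an unrelated commit. Placing it after the closing `};` of the `use std::{ ... }` block keeps the file fmt-clean as committed. The `use std::{` block continues outside the hunk.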