From 6adba1bcb1525192360e69d0aea4899077b8da92 Mon Sep 17 00:00:00 2001
From: Scott Dodson
Date: Tue, 2 Jun 2026 10:29:41 -0400
Subject: [PATCH] tls: backdate certificate NotBefore by 24 hours to tolerate clock skew
VMs can boot with their hardware clock set to local time rather than UTC. On a host in UTC-5, that means the system clock reads five hours behind UTC at boot, before NTP has a chance to correct it. Any certificate whose NotBefore equals the wall-clock time of generation will appear "not yet valid" to that VM for up to five hours, blocking TLS handshakes during bootstrap. Setting NotBefore to time.Now()-24h ensures the certificate is already valid on any host whose clock is up to 24 hours behind the generator's clock. NotAfter is unchanged, so the effective validity window simply shifts: it starts 24 hours earlier and ends at the originally intended expiry time. SelfSignedCertificate and the image-based ingress operator signer both set NotBefore directly; signed certificates already inherit NotBefore from their signing CA, so they pick up the change automatically.
Co-Authored-By: Claude Sonnet 4.6
---
pkg/asset/imagebased/configimage/ingressoperatorsigner.go | 2 +-
pkg/asset/tls/tls.go | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/asset/imagebased/configimage/ingressoperatorsigner.go b/pkg/asset/imagebased/configimage/ingressoperatorsigner.go
index 3cca119b3a4..13287dbc4df 100644
--- a/pkg/asset/imagebased/configimage/ingressoperatorsigner.go
+++ b/pkg/asset/imagebased/configimage/ingressoperatorsigner.go
@@ -112,7 +112,7 @@ func selfSignedCertificate(cfg *tls.CertCfg, key *rsa.PrivateKey) (*x509.Certifi
 IsCA: cfg.IsCA,
 KeyUsage: cfg.KeyUsages,
 NotAfter: time.Now().Add(cfg.Validity),
- NotBefore: time.Now(),
+ NotBefore: time.Now().Add(-24 * time.Hour),
 SerialNumber: serial,
 Subject: cfg.Subject,
 }
diff --git a/pkg/asset/tls/tls.go b/pkg/asset/tls/tls.go
index f027bcd7bbe..c266a75aa2a 100644
--- a/pkg/asset/tls/tls.go
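Review bot: The 24-hour skew allowance is a bare literal repeated in both `selfSignedCertificate` here and `SelfSignedCertificate` in pkg/asset/tls/tls.go (the second hunk), and nothing in the code records why the certificate is backdated, so a reader of `NotBefore: time.Now().Add(-24 * time.Hour)` cannot tell a deliberate skew tolerance from a mistake. Declare one exported, documented constant in the tls package (ingressoperatorsigner.go already imports it for `tls.CertCfg`), e.g. `// ClockSkewTolerance backdates NotBefore so that a host whose clock lags the generator (a VM booting from a local-time RTC before NTP sync) does not reject the certificate as not yet valid.` above `const ClockSkewTolerance = 24 * time.Hour`, and use it at both sites. While on these lines, read the clock once so both bounds share a base: `now := time.Now()` before the literal, then `NotAfter: now.Add(cfg.Validity),` and `NotBefore: now.Add(-ClockSkewTolerance),`. The effective lifetime is now `cfg.Validity + 24h`, so any code that derives the validity period from `NotAfter.Sub(NotBefore)` (not visible in this diff) would be worth checking. Both enclosing functions start and end outside their hunks.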
+++ b/pkg/asset/tls/tls.go
@@ -64,7 +64,7 @@ func SelfSignedCertificate(cfg *CertCfg, key *rsa.PrivateKey) (*x509.Certificate
 IsCA: cfg.IsCA,
 KeyUsage: cfg.KeyUsages,
 NotAfter: time.Now().Add(cfg.Validity),
- NotBefore: time.Now(),
+ NotBefore: time.Now().Add(-24 * time.Hour),
 SerialNumber: serial,
 Subject: cfg.Subject,
 }