Skip to content

fix: Make SSH certificate auto-renewal robust to backdated validity#362

Open
minhtule wants to merge 3 commits into
masterfrom
feat/mt/improve-ssh-cert-renewal-logic
Open

fix: Make SSH certificate auto-renewal robust to backdated validity#362
minhtule wants to merge 3 commits into
masterfrom
feat/mt/improve-ssh-cert-renewal-logic

Conversation

@minhtule

@minhtule minhtule commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Related Tickets & Documents

  • Issue: N/A

Changes

  • Measure renewal time from now when a cert's ValidAfter is backdated, so an already-started validity window doesn't drag the schedule into the past
  • Floor the renewal timer delay at retryInterval
    • A backdated or already-expired cert yields a renewal time in the past, so without a floor the timer fires immediately and re-signs in a tight loop, hammering the CA

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the SSH host certificate auto-renewal loop against certificates whose validity window is backdated or already expired, preventing immediate timer triggers and tight re-sign loops that could hammer the CA.

Changes:

  • Floor renewal timers using a new renewalDelay() helper so past renewal times wait at least retryInterval.
  • Adjust renewTime() to measure the renewal schedule from “now” when ValidAfter is in the past (backdated validity).
  • Add/expand tests to cover floored renewal behavior and backdated ValidAfter handling.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
internal/sshhandler/cert.go Floors timer delays via renewalDelay() and clamps backdated ValidAfter when computing renewal time.
internal/sshhandler/cert_test.go Adds a regression test for past renew times and expands renewTime() test coverage for backdated validity.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread internal/sshhandler/cert_test.go
Comment thread internal/sshhandler/cert_test.go Outdated
@codecov

codecov Bot commented Jul 1, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.19%. Comparing base (7a35cdd) to head (0dfb47e).
✅ All tests successful. No failed tests found.

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff           @@
##           master     #362   +/-   ##
=======================================
  Coverage   86.18%   86.19%           
=======================================
  Files          40       40           
  Lines        2830     2839    +9     
=======================================
+ Hits         2439     2447    +8     
- Misses        265      268    +3     
+ Partials      126      124    -2     
Flag Coverage Δ
integration 54.82% <47.05%> (-0.15%) ⬇️
unit 78.83% <100.00%> (+0.27%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
internal/sshhandler/cert.go 87.17% <100.00%> (+4.57%) ⬆️

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@minhtule minhtule changed the title fix: make SSH certificate auto-renewal robust to backdated validity fix: Make SSH certificate auto-renewal robust to backdated validity Jul 1, 2026
@minhtule minhtule force-pushed the feat/mt/improve-ssh-cert-renewal-logic branch from 6a3a75c to afc6fb1 Compare July 1, 2026 01:33
@minhtule minhtule requested a review from Copilot July 1, 2026 01:34

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

Comment thread internal/sshhandler/cert.go Outdated
Comment on lines +169 to +173
// renewalDelay returns the delay until t, floored at retryInterval so a renewal time in the past
// (e.g. from a backdated certificate) cannot busy-loop the timer.
func renewalDelay(t time.Time) time.Duration {
return max(time.Until(t), retryInterval)
}

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The floor only affects renewals under ~12.5s out (0.8 × lifetime < retryInterval). The shortest configured TTL is 5m, which renews ~240s out, so a legitimate near-term renewal is never delayed in practice. The floor is also an intentional debounce: it caps re-signs at one per retryInterval, matching the error-retry path and preventing CA hammering if a CA keeps issuing near-expired certs. Clamping only non-positive durations would remove that guard.

@minhtule minhtule requested a review from clement0010 July 1, 2026 01:46

@clement0010 clement0010 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍🏻 One comment

Comment thread internal/sshhandler/cert.go Outdated
minhtule added 2 commits July 1, 2026 15:57
…interval

Surface a misbehaving CA that issues certificates already at or near
their renewal point, which forces renewal onto the retry interval.
Measure remaining lifetime from now rather than the certificate's
ValidAfter, so a backdated start no longer drags the renewal point
earlier. Drops the now-unneeded ValidAfter clamp and overflow guard.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

@clement0010 clement0010 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍🏻

@minhtule minhtule requested a review from sghiocel July 3, 2026 15:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants