datetime generated for the certificate is using the local time

[coderinsg]

Hi all,

Error message
CA cert validation failed: Get "https://127.0.0.1:6444/cacerts\": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-05-29T16:06:51+08:00 is before 2024-05-29T15:26:33Z

Description
During installation of k3s master using curl -sfL https://get.k3s.io | sh -, a self-signed certificate is created and added as trusted root. The problem is, if the server running the install is in a different timezone than UTC, the datetime generated for the certificate is using the local time (with timezone applied) but the timezone in the certificates are supposed to be always UTC.

I'm running it in servers under Singapore timezone which right now is GMT+8, so the generated certificates are not valid until 8 hours-20 minutes away from certificate creation.

How do I ensure the certificate generated during installation is valid immediately?

[brandond]

The certificate timestamps ARE in UTC. You can see where in the code the NotBefore/NotAfter timestamps are set: https://github.com/rancher/dynamiclistener/blob/e590d58b896cc8dd33dde7cec80c52e23ec08189/factory/cert_utils.go#L32-L33
https://github.com/rancher/dynamiclistener/blob/e590d58b896cc8dd33dde7cec80c52e23ec08189/factory/cert_utils.go#L106-L107

The message also shows this:

current time 2024-05-29T16:06:51+08:00 is before 2024-05-29T15:26:33Z

Note that the NotBefore time in the message is in UTC (Z) instead of the local time zone (+08:00). However, the node's current time 2024-05-29T16:06:51+08:00 when converted to UTC is 2024-05-29T08:06:51Z which is indeed before the server's cert is valid.

Do you perhaps have the time set incorrectly on your nodes?