(PE-32607) change default auto-renewal ttl to 90 days

This alters the default initial ttl for agents with auto-renewal capability to 90 days from 60 days, and changes the period of validity on renewal from 60 days to 90 days.
puppetlabs · Jul 5, 2023 · 3d794dc · 3d794dc
1 parent bd6da30
commit 3d794dc
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 6 deletions.
diff --git a/src/clj/puppetlabs/puppetserver/certificate_authority.clj b/src/clj/puppetlabs/puppetserver/certificate_authority.clj
@@ -241,10 +241,10 @@
   60)
 
 (def default-auto-ttl-renewal
-  "60d") ; 60 days by default
+  "90d") ; 90 days by default
 
 (def default-auto-ttl-renewal-seconds
-  (duration-str->sec default-auto-ttl-renewal)) ; 60 days by default
+  (duration-str->sec default-auto-ttl-renewal)) ; 90 days by default
 
 (schema/defn ^:always-validate initialize-ca-config
   "Adds in default ca config keys/values, which may be overwritten if a value for

diff --git a/.../integration/puppetlabs/services/certificate_authority/certificate_authority_int_test.clj b/.../integration/puppetlabs/services/certificate_authority/certificate_authority_int_test.clj
@@ -214,10 +214,10 @@
                         (is (= 204 (:status response)))
                         (is (fs/exists? signed-cert-path))
                         (let [signed-cert (ssl-utils/pem->cert signed-cert-path)]
-                          (testing "new not-after should be 59 days (and some fraction) away"
+                          (testing "new not-after should be 89 days (and some fraction) away"
                             (let [diff (- (.getTime (.getNotAfter signed-cert)) (.getTime (Date.)))
                                   days (.convert TimeUnit/DAYS diff TimeUnit/MILLISECONDS)]
-                              (is (= 59 days)))))))))
+                              (is (= 89 days)))))))))
             (testing "signs a cert with a long ttl when the capability indicator is not present"
               (let [certname (ks/rand-str :alpha-lower 8)
                     csr (ssl-utils/generate-certificate-request

diff --git a/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj b/test/unit/puppetlabs/puppetserver/certificate_authority_test.clj
@@ -2005,10 +2005,10 @@
           (is (= -1 (.compareTo (.getNotBefore signed-cert) (.getNotBefore renewed-cert)))))
         (testing "new not-after is later than before"
           (is (= -1 (.compareTo (.getNotAfter signed-cert) (.getNotAfter renewed-cert)))))
-        (testing "new not-after should be 59 days (and some faction) away"
+        (testing "new not-after should be 89 days (and some faction) away"
           (let [diff (- (.getTime (.getNotAfter renewed-cert)) (.getTime (Date.)))
                 days (.convert TimeUnit/DAYS diff TimeUnit/MILLISECONDS)]
-            (is (= 59 days))))
+            (is (= 89 days))))
         (testing "certificate should have been removed"
           (is (not (fs/exists? expected-cert-path))))
         (testing "extensions are preserved"