From 2f6ebd16c141c294af7f3e8f3ac95238918cd7a6 Mon Sep 17 00:00:00 2001
From: Aiden McClelland <3732071+dr-bonez@users.noreply.github.com>
Date: Mon, 13 Mar 2023 11:43:10 -0600
Subject: [PATCH] use yesterday for not_before on ssl certs (#2204)
---
 backend/src/net/ssl.rs | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/backend/src/net/ssl.rs b/backend/src/net/ssl.rs
index 0145586dd..fd052f18e 100644
--- a/backend/src/net/ssl.rs
+++ b/backend/src/net/ssl.rs
@@ -2,6 +2,7 @@ use std::cmp::Ordering;
 use std::collections::{BTreeMap, BTreeSet};
 use std::net::IpAddr;
 use std::path::Path;
+use std::time::{SystemTime, UNIX_EPOCH};
 use futures::FutureExt;
 use openssl::asn1::{Asn1Integer, Asn1Time};
@@ -341,7 +342,14 @@ pub fn make_leaf_cert(
 let mut builder = X509Builder::new()?;
 builder.set_version(CERTIFICATE_VERSION)?;
- let embargo = Asn1Time::days_from_now(0)?;
+ let embargo = Asn1Time::from_unix(
+ SystemTime::now()
+ .duration_since(UNIX_EPOCH)
+ .map(|d| d.as_secs() as i64)
+ .or_else(|_| UNIX_EPOCH.elapsed().map(|d| -(d.as_secs() as i64)))
+ .unwrap_or_default()
+ - 86400,
+ )?;
 builder.set_not_before(&embargo)?;
 // Google Apple and Mozilla reject certificate horizons longer than 397 days
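Review bot: The `.or_else(|_| UNIX_EPOCH.elapsed()…)` fallback in the new `embargo` expression can never yield the negative offset it is written for, because `UNIX_EPOCH.elapsed()` is the same now-minus-epoch measurement as `duration_since(UNIX_EPOCH)` and fails in exactly the same case; a pre-epoch clock therefore falls through to `unwrap_or_default()` and a `not_before` of 0 − 86400. The error value already carries the distance, so those two lines can become `.unwrap_or_else(|e| -(e.duration().as_secs() as i64))`. Separately, backdating `not_before` by a day widens the validity window by a day; if `not_after` below the hunk is still computed from the current time, the total should be checked against the 397-day limit that the following comment cites. A named constant for `86400` and a comment such as `// backdate one day, presumably so clients with a lagging clock accept a fresh cert` would make the intent reviewable. `make_leaf_cert` starts and ends outside the hunk.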