in cert/cert-renewal/src/credential.rs [193:244]
/// Computes when `cert` should first be renewed and how long to wait between
/// renewal attempts, according to `policy`.
///
/// Returns `(renewal_deadline, retry_period)`. `retry_period` is the value
/// produced by `policy.retry`, clamped to a minimum of `1` (units are whatever
/// `crate::Time` subtraction yields — presumably seconds; confirm against
/// `crate::Time`).
///
/// # Errors
///
/// Returns `crate::Error::fatal_error` when the cert's validity window is
/// empty or inverted (`not_before >= not_after`), or when the cert has
/// already expired, since no sensible initial renewal time exists for either.
///
/// NOTE(review): nothing here clamps the deadline to lie before `not_after`;
/// a `Percentage` threshold above 100 or a negative `Time` threshold would
/// schedule renewal after expiry. Presumably `RenewalPolicy` is validated at
/// construction — confirm.
fn renewal_times(
    cert: &openssl::x509::X509,
    policy: &crate::RenewalPolicy,
) -> Result<(crate::Time, i64), crate::Error> {
    let valid_from = crate::Time::from(cert.not_before());
    let valid_until = crate::Time::from(cert.not_after());

    // Reject certs whose validity window is malformed or already closed.
    if valid_from >= valid_until {
        return Err(crate::Error::fatal_error(
            "cert not_before is not before not_after",
        ));
    }
    if valid_until.in_past() {
        return Err(crate::Error::fatal_error(
            "cannot calculate initial renewal time for expired cert",
        ));
    }

    let lifetime = valid_until - valid_from;

    // Renewal deadline: either a fixed offset before expiry, or the point at
    // which the given percentage of the lifetime has elapsed.
    let scheduled_deadline = match policy.threshold {
        crate::Policy::Percentage(pct) => {
            let elapsed_at_threshold = lifetime * pct / 100;
            let remaining_at_threshold = lifetime - elapsed_at_threshold;
            valid_until - remaining_at_threshold
        }
        crate::Policy::Time(offset) => valid_until - offset,
    };

    // Retry period, never less than 1 so a zero-percentage retry (or a short
    // cert lifetime rounding down to 0) cannot produce a busy loop.
    let retry_period = match policy.retry {
        crate::Policy::Percentage(pct) => lifetime * pct / 100,
        crate::Policy::Time(interval) => interval,
    }
    .max(1);

    // If the deadline has already passed, fall back to the retry cadence
    // rather than returning a time in the past.
    let renewal_deadline = if scheduled_deadline.in_past() {
        crate::Time::now() + retry_period
    } else {
        scheduled_deadline
    };

    Ok((renewal_deadline, retry_period))
}