modules/http: fix too early renewal of ephemeral certificates
authorVladimír Čunát <vladimir.cunat@nic.cz>
Thu, 18 Apr 2019 15:01:12 +0000 (17:01 +0200)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Thu, 18 Apr 2019 15:01:12 +0000 (17:01 +0200)
NEWS
modules/http/http.lua.in

diff --git a/NEWS b/NEWS
index 0f2d2c305def94d5f5ea71f1423104d6ecff68ad..1d8651007925251666a9977fea049f2b8a4a9183 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -39,6 +39,7 @@ Bugfixes
 - fix fallback when SERVFAIL or REFUSED is received from upstream (!784)
 - fix crash when dealing with unknown TA key algorhitm (#449)
 - go insecure due to algorithm support even if DNSKEY is NODATA (!798)
+- http module: fix too early renewal of ephemeral certificates (!808)
 
 Module API changes
 ------------------
index 4534ab2acb08a735ba44bd15fcfbc41c95d3fe40..e858e89d2232eb726429d796e8c6dc1cc1fdf570 100644 (file)
@@ -396,7 +396,7 @@ local function add_socket(fd, kind, addr_str)
        -- Create certificate renewal timer if ephemeral
        if crt and conf.ephemeral then
                local _, expiry = crt:getLifetime()
-               expiry = math.max(0, expiry - (os.time() - 3 * 24 * 3600))
+               expiry = 1000 * math.max(0, expiry - (os.time() - 3 * 24 * 3600))
                event.after(expiry, function ()
                        log('[http] refreshed ephemeral certificate')
                        crt, key = updatecert(conf.cert, conf.key)
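Review bot: The delay on the changed line is `expiry - (os.time() - 3 * 24 * 3600)`, which works out to time-to-expiry plus three days, so the renewal timer appears to fire three days after the certificate's end-of-validity rather than before it. If the intent is to renew ahead of expiry, the line should read `expiry = 1000 * math.max(0, expiry - os.time() - 3 * 24 * 3600)`; as written, the listener would keep serving an expired ephemeral certificate for that window, and clients that check validity would reject it. A short comment such as `-- event.after() takes milliseconds; getLifetime() yields epoch seconds` would also document the unit conversion this commit introduces. The enclosing add_socket function starts and ends outside this hunk, so whether anything else refreshes the certificate earlier cannot be seen here.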