@@ -7,7 +7,7 @@ use std::fs;
77use std:: num:: NonZeroUsize ;
88use std:: path:: PathBuf ;
99use std:: sync:: { Arc , RwLock } ;
10- use tracing:: { debug, info} ;
10+ use tracing:: { debug, info, warn } ;
1111
1212const CERT_CACHE_SIZE : usize = 1024 ;
1313
@@ -203,17 +203,32 @@ impl CertificateManager {
203203 params. serial_number = Some ( rcgen:: SerialNumber :: from ( vec ! [ 1 , 2 , 3 , 4 ] ) ) ;
204204
205205 // Set validity period - 1 year from now
206+ // Use shorter validity period to ensure UTCTime format for OpenSSL 3.0 compatibility
206207 use chrono:: { Datelike , Utc } ;
207208 let now = Utc :: now ( ) ;
209+ // Ensure we use UTCTime format (years < 2050) for OpenSSL 3.0 compatibility
210+ let end_year = std:: cmp:: min ( now. year ( ) + 1 , 2049 ) ;
208211 let not_before = rcgen:: date_time_ymd ( now. year ( ) , now. month ( ) as u8 , now. day ( ) as u8 ) ;
209- let not_after = rcgen:: date_time_ymd ( now . year ( ) + 1 , now. month ( ) as u8 , now. day ( ) as u8 ) ;
212+ let not_after = rcgen:: date_time_ymd ( end_year , now. month ( ) as u8 , now. day ( ) as u8 ) ;
210213 params. not_before = not_before;
211214 params. not_after = not_after;
212215
213216 // Sign certificate with CA using the shared key pair
214217 let cert = params. signed_by ( & self . server_key_pair , & self . ca_cert , & self . ca_key_pair ) ?;
215218 let cert_der = cert. der ( ) . clone ( ) ;
216219
220+ // Debug certificate details for OpenSSL compatibility issues
221+ debug ! (
222+ "Generated certificate for {}: {} bytes" ,
223+ hostname,
224+ cert_der. len( )
225+ ) ;
226+
227+ // Validate the certificate can be parsed (this might catch ASN.1 issues early)
228+ if let Err ( e) = rustls:: pki_types:: CertificateDer :: try_from ( cert_der. as_ref ( ) ) {
229+ warn ! ( "Generated certificate has encoding issues: {}" , e) ;
230+ }
231+
217232 // Also include CA cert in chain
218233 let ca_cert_der = self . ca_cert . der ( ) . clone ( ) ;
219234 // ca_cert_der is already the correct type
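Review bot: The "validation" at new lines 227–230 cannot fail: `CertificateDer` implements `From<&[u8]>` in rustls-pki-types, so `try_from` on the byte slice is the infallible blanket conversion and performs no ASN.1 parsing — the `warn!` branch is unreachable and the comment overstates what is checked, so either drop it or parse the DER with a real X.509 parser if one is already a dependency. Separately, `let end_year = std::cmp::min(now.year() + 1, 2049);` at new line 210 silently yields a zero-length or inverted validity window once the clock reaches 2049, which will make every generated leaf certificate unusable rather than failing loudly; if the cap stays, guard it with something like `if end_year <= now.year() { return Err(...); }` or at least `warn!` when it engages. Note also that RFC 5280 already requires UTCTime for dates before 2050 and GeneralizedTime from 2050 on, and rcgen encodes accordingly, so the "OpenSSL 3.0 compatibility" rationale in the new comments looks doubtful and should be confirmed before the cap is kept. The enclosing method begins before the hunk and its certificate-chain assembly continues after it.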