Open
Description
PR #871 changed the default renewBefore to be based on the time until the next renewal instead of on the full validity of the certificate. This works OK when TLSRenewer is used with a certificate whose NotBefore is close to the current time. But when NotBefore is some hours in the past, the first renewal will happen at the expected time, but the following ones will be later than expected.
| | NotBefore | NotAfter | RenewBefore | Old RenewBefore |
|---|---|---|---|---|
| Common Case | now()-1m | now()+24h | ~8h | ~8h |
| Special Case | now()-8h | now()+16 | ~5h18m | ~8h |
| Extreme Case | now()-23h59m | now()+1m | ~18s | ~8h |
| Test Case | now()-1m | now()+5s | ~1.6s | 21s |
In the test case, TestBootstrapClientServerRotation, the old behavior was causing continuous renewals and random errors with expired certificates, while the new one produces a more stable renewal period, reducing the errors.