fix(acme): use X509 certificate expiry when reporting ACME certificate validity

2026-03-27 22:38:29 +00:00
parent cd286cede6
commit 31413d28be
6 changed files with 55 additions and 38 deletions
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@serve.zone/dcrouter',
-  version: '11.12.3',
+  version: '11.12.4',
  description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }
--- a/ts/classes.dcrouter.ts
+++ b/ts/classes.dcrouter.ts
@@ -852,14 +852,22 @@ export class DcRouter {
            const cert = await this.smartAcme!.getCertificateForDomain(domain, {
              includeWildcard: !isWildcardDomain,
            });
-            if (cert.validUntil) {
-              eventComms.setExpiryDate(new Date(cert.validUntil));
+            // Parse real X509 expiry from PEM (defense-in-depth over SmartAcme's estimate)
+            let realValidUntil = cert.validUntil;
+            if (cert.publicKey) {
+              try {
+                const x509 = new plugins.crypto.X509Certificate(cert.publicKey);
+                realValidUntil = new Date(x509.validTo).getTime();
+              } catch { /* fallback to SmartAcme's value */ }
+            }
+            if (realValidUntil) {
+              eventComms.setExpiryDate(new Date(realValidUntil));
            }
            const result = {
              id: cert.id,
              domainName: cert.domainName,
              created: cert.created,
-              validUntil: cert.validUntil,
+              validUntil: realValidUntil,
              privateKey: cert.privateKey,
              publicKey: cert.publicKey,
              csr: cert.csr,