diff --git a/ironic_python_agent/tests/unit/test_tls_utils.py b/ironic_python_agent/tests/unit/test_tls_utils.py
index 732139a98..aaa9db78f 100644
--- a/ironic_python_agent/tests/unit/test_tls_utils.py
+++ b/ironic_python_agent/tests/unit/test_tls_utils.py
@@ -37,7 +37,8 @@ class GenerateTestCase(ironic_agent_base.IronicAgentTest):
 result = tls_utils._generate_tls_certificate(self.crt_file,
 self.key_file,
 'localhost', '127.0.0.1')
- now = datetime.datetime.utcnow()
+ now = datetime.datetime.now(
+ tz=datetime.timezone.utc).replace(tzinfo=None)
 self.assertTrue(result.startswith("-----BEGIN CERTIFICATE-----\n"),
 result)
 self.assertTrue(result.endswith("\n-----END CERTIFICATE-----\n"),
@@ -51,6 +52,8 @@ class GenerateTestCase(ironic_agent_base.IronicAgentTest):
 self.assertEqual([(x509.NameOID.COMMON_NAME, 'localhost')],
 [(item.oid, item.value) for item in cert.subject])
 # Sanity check for validity range
+ # FIXME(dtantsur): use timezone-aware properties and drop the replace()
+ # call above when we're ready to bump to cryptography 42.0.
 self.assertLess(cert.not_valid_before,
 now - datetime.timedelta(seconds=1800))
 self.assertGreater(cert.not_valid_after,
diff --git a/ironic_python_agent/tls_utils.py b/ironic_python_agent/tls_utils.py
index 62adec9e8..11a5e6640 100644
--- a/ironic_python_agent/tls_utils.py
+++ b/ironic_python_agent/tls_utils.py
@@ -77,9 +77,9 @@ def _generate_tls_certificate(output, private_key_output,
 ])
 alt_name = x509.SubjectAlternativeName([x509.IPAddress(ip_address)])
 allowed_clock_skew = CONF.auto_tls_allowed_clock_skew
- not_valid_before = (datetime.datetime.utcnow()
+ not_valid_before = (datetime.datetime.now(tz=datetime.timezone.utc)
 - datetime.timedelta(seconds=allowed_clock_skew))
- not_valid_after = (datetime.datetime.utcnow()
+ not_valid_after = (datetime.datetime.now(tz=datetime.timezone.utc)
 + datetime.timedelta(days=valid_for_days))
 cert = (x509.CertificateBuilder()
 .subject_name(subject)
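Review bot: The validity sanity check in the second hunk of test_tls_utils.py bounds `cert.not_valid_before` from one side only: `assertLess(cert.not_valid_before, now - datetime.timedelta(seconds=1800))` passes for a certificate backdated by any amount, so a regression that widens the validity window would go unnoticed. A matching bound beside it, for example `self.assertGreater(cert.not_valid_before, now - datetime.timedelta(seconds=CONF.auto_tls_allowed_clock_skew + 60))`, would tie the backdating to the configured skew; this assumes the option is reachable from the test module, which the hunk does not show. The `assertGreater` on `cert.not_valid_after` continues past the end of the hunk, so its bound could not be checked here.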
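Review bot: `not_valid_before` and `not_valid_after` in the tls_utils.py hunk are built from two separate `datetime.datetime.now(tz=datetime.timezone.utc)` calls, so the two bounds come from slightly different instants and the expression is repeated. Reading the clock once with `now = datetime.datetime.now(tz=datetime.timezone.utc)` and deriving both bounds from `now` keeps the window self-consistent and shortens both lines. The values passed on are now timezone-aware, while the unit test still strips `tzinfo` to compare against the certificate properties, so a short comment here such as `# timezone-aware UTC; the test compares against naive values until the cryptography bump` would help the next reader. `_generate_tls_certificate` starts and ends outside the hunk.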