fix a few leap-year related clock math inaccuracies and failing tests

agent/connect/ca/provider_consul.go

@@ -476,7 +476,7 @@ func (c *ConsulProvider) SignIntermediate(csr *x509.CertificateRequest) (string,
 			x509.KeyUsageDigitalSignature,
 		IsCA:           true,
 		MaxPathLenZero: true,
-		NotAfter:       effectiveNow.Add(365 * 24 * time.Hour),
+		NotAfter:       effectiveNow.AddDate(1, 0, 0),
 		NotBefore:      effectiveNow,
 		SubjectKeyId:   subjectKeyId,
 	}
@@ -545,7 +545,7 @@ func (c *ConsulProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
 	// leaf certs are still in use. They expire within 3 days currently so 7 is
 	// safe. TODO(banks): make this be based on leaf expiry time when that is
 	// configurable.
-	template.NotAfter = effectiveNow.Add(7 * 24 * time.Hour)
+	template.NotAfter = effectiveNow.AddDate(0, 0, 7)
 
 	bs, err := x509.CreateCertificate(
 		rand.Reader, &template, rootCA, cert.PublicKey, privKey)
@@ -632,7 +632,7 @@ func (c *ConsulProvider) generateCA(privateKey string, sn uint64) (string, error
 			x509.KeyUsageCRLSign |
 			x509.KeyUsageDigitalSignature,
 		IsCA:           true,
-		NotAfter:       time.Now().Add(10 * 365 * 24 * time.Hour),
+		NotAfter:       time.Now().AddDate(10, 0, 0),
 		NotBefore:      time.Now(),
 		AuthorityKeyId: keyId,
 		SubjectKeyId:   keyId,

agent/connect/testing_ca.go

@@ -62,7 +62,7 @@ func TestCA(t testing.T, xc *structs.CARoot) *structs.CARoot {
 			x509.KeyUsageCRLSign |
 			x509.KeyUsageDigitalSignature,
 		IsCA:           true,
-		NotAfter:       time.Now().Add(10 * 365 * 24 * time.Hour),
+		NotAfter:       time.Now().AddDate(10, 0, 0),
 		NotBefore:      time.Now(),
 		AuthorityKeyId: testKeyID(t, signer.Public()),
 		SubjectKeyId:   testKeyID(t, signer.Public()),
@@ -179,7 +179,7 @@ func TestLeaf(t testing.T, service string, root *structs.CARoot) (string, string
 			x509.ExtKeyUsageClientAuth,
 			x509.ExtKeyUsageServerAuth,
 		},
-		NotAfter:       time.Now().Add(10 * 365 * 24 * time.Hour),
+		NotAfter:       time.Now().AddDate(10, 0, 0),
 		NotBefore:      time.Now(),
 		AuthorityKeyId: testKeyID(t, caSigner.Public()),
 		SubjectKeyId:   testKeyID(t, pkSigner.Public()),

command/tls/ca/create/tls_ca_create.go

@@ -28,6 +28,7 @@ type cmd struct {
 
 func (c *cmd) init() {
 	c.flags = flag.NewFlagSet("", flag.ContinueOnError)
+	// TODO: perhaps add a -years arg to better capture user intent given that leap years are a thing
 	c.flags.IntVar(&c.days, "days", 1825, "Provide number of days the CA is valid for from now on. Defaults to 5 years.")
 	c.flags.BoolVar(&c.constraint, "name-constraint", false, "Add name constraints for the CA. Results in rejecting "+
 		"certificates for other DNS than specified. If turned on localhost and -domain will be added to the allowed "+

command/tls/generate_test.go

@@ -93,7 +93,7 @@ func TestGenerateCA(t *testing.T) {
 
 	// format so that we don't take anything smaller than second into account.
 	require.Equal(t, cert.NotBefore.Format(time.ANSIC), time.Now().UTC().Format(time.ANSIC))
-	require.Equal(t, cert.NotAfter.Format(time.ANSIC), time.Now().AddDate(1, 0, 0).UTC().Format(time.ANSIC))
+	require.Equal(t, cert.NotAfter.Format(time.ANSIC), time.Now().AddDate(0, 0, 365).UTC().Format(time.ANSIC))
 
 	require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
 }
@@ -135,7 +135,7 @@ func TestGenerateCert(t *testing.T) {
 
 	// format so that we don't take anything smaller than second into account.
 	require.Equal(t, cert.NotBefore.Format(time.ANSIC), time.Now().UTC().Format(time.ANSIC))
-	require.Equal(t, cert.NotAfter.Format(time.ANSIC), time.Now().AddDate(1, 0, 0).UTC().Format(time.ANSIC))
+	require.Equal(t, cert.NotAfter.Format(time.ANSIC), time.Now().AddDate(0, 0, 365).UTC().Format(time.ANSIC))
 
 	require.Equal(t, x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment, cert.KeyUsage)
 	require.Equal(t, extKeyUsage, cert.ExtKeyUsage)