From 0f16b72bcb86764aaffa69a9ccad4011e811f856 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Thu, 10 Aug 2023 14:45:56 +0200 Subject: [PATCH] ipa-cert-fix: use timezone-aware datetime ipa-cert-fix compares the current datetime with the value obtained from a cert.not_valid_after. With the fix for #9425, not_valid_after is timezone aware and cannot be compared to a naive datetime. Make the datetime "now" timezone aware. Related: https://pagure.io/freeipa/issue/9425 Signed-off-by: Florence Blanc-Renaud Reviewed-By: Alexander Bokovoy --- ipaserver/install/ipa_cert_fix.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py index 2c3ebf849..2e5aac3e6 100644 --- a/ipaserver/install/ipa_cert_fix.py +++ b/ipaserver/install/ipa_cert_fix.py @@ -128,7 +128,9 @@ class IPACertFix(AdminTool): ca_subject_dn = ca.lookup_ca_subject(api, subject_base) - now = datetime.datetime.now() + datetime.timedelta(weeks=2) + now = ( + datetime.datetime.now(tz=datetime.UTC) + + datetime.timedelta(weeks=2)) certs, extra_certs, non_renewed = expired_certs(now) if not certs and not extra_certs: