From 169ff22a8421b999d223174d794592cf7bff44ff Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Mon, 24 Aug 2020 14:55:26 -0700
Subject: [PATCH] derp: set NotBefore and NotAfter in DERP server's metacert
Fixes regression from e4159912560d611ee23ba187ceb14c0de1ff3d82 that only affected Windows users because Go only on Windows delegates x509 cert validation to the OS and Windows as unhappy with our "metacert" lacking NotBefore and NotAfter.
Fixes #705
---
 derp/derp_server.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/derp/derp_server.go b/derp/derp_server.go
index cdbe08e3c..d0ed16b17 100644
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -306,6 +306,9 @@ func (s *Server) initMetacert() {
 Subject: pkix.Name{
 CommonName: fmt.Sprintf("derpkey%x", s.publicKey[:]),
 },
+ // Windows requires NotAfter and NotBefore set:
+ NotAfter: time.Now().Add(30 * 24 * time.Hour),
+ NotBefore: time.Now().Add(-30 * 24 * time.Hour),
 }
 cert, err := x509.CreateCertificate(crand.Reader, tmpl, tmpl, pub, priv)
 if err != nil {
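Review bot: The validity window added to the template in initMetacert is fixed at the moment the metacert is built, so if this runs only at server start (its callers are outside the hunk) a process that stays up longer than 30 days will keep presenting a metacert whose NotAfter has passed. Whether the Windows verifier that rejected the missing dates also rejects an expired metacert is not visible here, but if it does, the same regression would return on long-running servers. Either rebuild the metacert periodically or choose a NotAfter that outlives the process, and record the assumption in the comment, e.g. `// Windows requires NotAfter and NotBefore set. The window is fixed when the metacert is built, so it must outlive the server process.` The two separate time.Now() calls would also read more clearly as one `now := time.Now()` taken before the template, so both bounds are derived from the same instant. The body of initMetacert begins and ends outside the hunk.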