From a2eb5a2483d41ff4588abf58169e0eb950cfb486 Mon Sep 17 00:00:00 2001
From: Jay Lee <jay0lee@gmail.com>
Date: Mon, 22 Nov 2021 08:08:20 -0500
Subject: [PATCH] Correct certificate not before value to UTC-1h. Fixes #1453

---
 src/gam/__init__.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/gam/__init__.py b/src/gam/__init__.py
index 4cf40b34..9edc808f 100755
--- a/src/gam/__init__.py
+++ b/src/gam/__init__.py
@@ -7765,7 +7765,9 @@ def _generatePrivateKeyAndPublicCert(client_id, key_size):
         x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, client_id)]))
     builder = builder.issuer_name(
         x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, client_id)]))
-    builder = builder.not_valid_before(datetime.datetime.today())
+    # Gooogle seems to enforce the not before date strictly. Set the not before
+    # date to be UTC one hour ago should cover any clock skew.
+    builder = builder.not_valid_before(datetime.datetime.utcnow() - datetime.timedelta(hours=1))
     # Google uses 12/31/9999 date for end time
     builder = builder.not_valid_after(datetime.datetime(9999, 12, 31, 23, 59))
     builder = builder.serial_number(x509.random_serial_number())