Refresh cached TLS intercept certs before expiry

[venbrinoDev]

Summary

We run Microsandbox for long-lived user runtimes in production, and this surfaced there as older sandboxes began failing TLS interception for intercepted hosts.

Fix TLS interception for long-lived sandboxes by refreshing cached per-domain leaf certificates when they are expired or near expiry.

Problem

Microsandbox caches generated intercept certs in TlsState.cert_cache, but cached entries were reused without checking whether the leaf cert had already expired.

In practice this caused older sandboxes to start failing TLS for intercepted hosts with errors like:

• certificate has expired
• SSL certificate problem: certificate has expired

Fix

• store not_after on DomainCert
• check cached cert expiry in TlsState::get_or_generate_cert()
• regenerate and replace the cached cert when it is expired or within a small refresh window

Files changed

• crates/network/lib/tls/certgen.rs
• crates/network/lib/tls/state.rs

Testing

Passed:

cargo test -p microsandbox-network tls::certgen
cargo test -p microsandbox-network tls::state
cargo test -p microsandbox-network --lib

Happy to adjust this if there’s a preferred place to handle cert rotation or expiry checks.

[toksdotdev]

thanks for the fix. once the minor issue i raised is fixed, should be good to merge.

[venbrinoDev]

okay @toksdotdev i do change that and make an update

[toksdotdev]

can you take a look at the failing build. ty!

[venbrinoDev]

can you take a look at the failing build. ty!

Sure currently looking at them to see why its failing

[venbrinoDev]

can you take a look at the failing build. ty!

was a formatting issue fixed and pushed

[toksdotdev]

@venbrinoDev still some formatting issues.

[venbrinoDev]

@venbrinoDev still some formatting issues.

ohh checking it out

[venbrinoDev]

Resolved and pushed @toksdotdev also ran it locally incase of any further fmt or lint issue

[venbrinoDev]

Hi @toksdotdev, any estimate on when the fix will be pushed? I’d like to update my package version once it’s out.