diff --git a/authority/provisioner/acme_test.go b/authority/provisioner/acme_test.go
index 86e8a9a9..a74ef76e 100644
--- a/authority/provisioner/acme_test.go
+++ b/authority/provisioner/acme_test.go
@@ -91,7 +91,7 @@ func TestACME_Init(t *testing.T) {
 }
 
 func TestACME_AuthorizeRenew(t *testing.T) {
-	now := time.Now()
+	now := time.Now().Truncate(time.Second)
 	type test struct {
 		p    *ACME
 		cert *x509.Certificate
diff --git a/authority/provisioner/aws_test.go b/authority/provisioner/aws_test.go
index 2e684272..3c6f8741 100644
--- a/authority/provisioner/aws_test.go
+++ b/authority/provisioner/aws_test.go
@@ -824,7 +824,7 @@ func TestAWS_AuthorizeSSHSign(t *testing.T) {
 }
 
 func TestAWS_AuthorizeRenew(t *testing.T) {
-	now := time.Now()
+	now := time.Now().Truncate(time.Second)
 	p1, err := generateAWS()
 	assert.FatalError(t, err)
 	p2, err := generateAWS()
diff --git a/authority/provisioner/azure_test.go b/authority/provisioner/azure_test.go
index c40d0f93..da342ea4 100644
--- a/authority/provisioner/azure_test.go
+++ b/authority/provisioner/azure_test.go
@@ -536,7 +536,7 @@ func TestAzure_AuthorizeSign(t *testing.T) {
 }
 
 func TestAzure_AuthorizeRenew(t *testing.T) {
-	now := time.Now()
+	now := time.Now().Truncate(time.Second)
 	p1, err := generateAzure()
 	assert.FatalError(t, err)
 	p2, err := generateAzure()
diff --git a/authority/provisioner/controller.go b/authority/provisioner/controller.go
index 815482f9..97ebe8f8 100644
--- a/authority/provisioner/controller.go
+++ b/authority/provisioner/controller.go
@@ -122,7 +122,7 @@ func DefaultAuthorizeRenew(ctx context.Context, p *Controller, cert *x509.Certif
 
 	now := time.Now().Truncate(time.Second)
 	if now.Before(cert.NotBefore) {
-		return errs.Unauthorized("certificate is not yet valid")
+		return errs.Unauthorized("certificate is not yet valid" + " " + now.UTC().Format(time.RFC3339Nano) + " vs " + cert.NotBefore.Format(time.RFC3339Nano))
 	}
 	if now.After(cert.NotAfter) && !p.Claimer.IsRenewAfterExpiry() {
 		return errs.Unauthorized("certificate has expired")
diff --git a/authority/provisioner/controller_test.go b/authority/provisioner/controller_test.go
index 68f7055c..bbf7cb81 100644
--- a/authority/provisioner/controller_test.go
+++ b/authority/provisioner/controller_test.go
@@ -134,7 +134,7 @@ func TestController_GetIdentity(t *testing.T) {
 
 func TestController_AuthorizeRenew(t *testing.T) {
 	ctx := context.Background()
-	now := time.Now()
+	now := time.Now().Truncate(time.Second)
 	type fields struct {
 		Interface          Interface
 		Claimer            *Claimer
@@ -276,7 +276,7 @@ func TestController_AuthorizeSSHRenew(t *testing.T) {
 
 func TestDefaultAuthorizeRenew(t *testing.T) {
 	ctx := context.Background()
-	now := time.Now()
+	now := time.Now().Truncate(time.Second)
 	type args struct {
 		ctx  context.Context
 		p    *Controller
diff --git a/authority/provisioner/gcp_test.go b/authority/provisioner/gcp_test.go
index 2fc7fee0..94fbd576 100644
--- a/authority/provisioner/gcp_test.go
+++ b/authority/provisioner/gcp_test.go
@@ -698,7 +698,7 @@ func TestGCP_AuthorizeSSHSign(t *testing.T) {
 }
 
 func TestGCP_AuthorizeRenew(t *testing.T) {
-	now := time.Now()
+	now := time.Now().Truncate(time.Second)
 	p1, err := generateGCP()
 	assert.FatalError(t, err)
 	p2, err := generateGCP()
diff --git a/authority/provisioner/jwk_test.go b/authority/provisioner/jwk_test.go
index f6b2d93c..bf5c3d2c 100644
--- a/authority/provisioner/jwk_test.go
+++ b/authority/provisioner/jwk_test.go
@@ -325,7 +325,7 @@ func TestJWK_AuthorizeSign(t *testing.T) {
 }
 
 func TestJWK_AuthorizeRenew(t *testing.T) {
-	now := time.Now()
+	now := time.Now().Truncate(time.Second)
 	p1, err := generateJWK()
 	assert.FatalError(t, err)
 	p2, err := generateJWK()
diff --git a/authority/provisioner/k8sSA_test.go b/authority/provisioner/k8sSA_test.go
index 2f357ebe..0a82e8ef 100644
--- a/authority/provisioner/k8sSA_test.go
+++ b/authority/provisioner/k8sSA_test.go
@@ -179,7 +179,7 @@ func TestK8sSA_AuthorizeRevoke(t *testing.T) {
 }
 
 func TestK8sSA_AuthorizeRenew(t *testing.T) {
-	now := time.Now()
+	now := time.Now().Truncate(time.Second)
 	type test struct {
 		p    *K8sSA
 		cert *x509.Certificate
diff --git a/authority/provisioner/oidc_test.go b/authority/provisioner/oidc_test.go
index cfc789f9..62082fb2 100644
--- a/authority/provisioner/oidc_test.go
+++ b/authority/provisioner/oidc_test.go
@@ -411,7 +411,7 @@ func TestOIDC_AuthorizeRevoke(t *testing.T) {
 }
 
 func TestOIDC_AuthorizeRenew(t *testing.T) {
-	now := time.Now()
+	now := time.Now().Truncate(time.Second)
 	p1, err := generateOIDC()
 	assert.FatalError(t, err)
 	p2, err := generateOIDC()
diff --git a/authority/provisioner/x5c_test.go b/authority/provisioner/x5c_test.go
index 330e6e7a..18a31b04 100644
--- a/authority/provisioner/x5c_test.go
+++ b/authority/provisioner/x5c_test.go
@@ -552,7 +552,7 @@ func TestX5C_AuthorizeRevoke(t *testing.T) {
 }
 
 func TestX5C_AuthorizeRenew(t *testing.T) {
-	now := time.Now()
+	now := time.Now().Truncate(time.Second)
 	type test struct {
 		p    *X5C
 		code int