From d59a5b222f7a7bc22f73818a50a1d41cb8701c60 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Thu, 19 Sep 2019 13:42:24 -0700
Subject: [PATCH] Truncate to seconds to avoid rounding up times. It can cause that certs are not valid yet, if they are used right away.
---
 authority/provisioner/sign_ssh_options.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/authority/provisioner/sign_ssh_options.go b/authority/provisioner/sign_ssh_options.go
index 8ba35979..94a77c50 100644
--- a/authority/provisioner/sign_ssh_options.go
+++ b/authority/provisioner/sign_ssh_options.go
@@ -216,7 +216,7 @@ func (m *sshCertificateValidityModifier) Modify(cert *ssh.Certificate) error {
 }
 if cert.ValidAfter == 0 {
- cert.ValidAfter = uint64(now().Add(-1 * time.Minute).Unix())
+ cert.ValidAfter = uint64(now().Truncate(time.Second).Unix())
 }
 if cert.ValidBefore == 0 {
 t := time.Unix(int64(cert.ValidAfter), 0)
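Review bot: On the new `cert.ValidAfter` line, `Truncate(time.Second)` has no effect on the stored value, because `Unix()` already returns whole seconds and drops the sub-second part; the line is equivalent to `cert.ValidAfter = uint64(now().Unix())`. The only behavioural change is therefore the removal of the one-minute backdate, which looks like it served as a clock-skew allowance. Without it, a verifier whose clock runs slightly behind the CA would see ValidAfter in the future and reject a freshly issued certificate, the symptom the commit message describes. If dropping the margin is intentional (ValidBefore is derived from ValidAfter just below, so the backdate also shortened the effective lifetime), I would record that with a comment such as `// No backdating: verifiers must be time-synced with the CA.`; otherwise keep a small, documented skew allowance. Modify's body starts and ends outside the hunk.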