This should probably been part of my last diff, but I noticed it only on commit... acme-client contains the same mistake as rpki-client had: all times in certificates are expressed in GMT, so using the TZ dependent output of mktime() and mixing it with the output of time(NULL) is wrong.
I don't think it matters all that much here that we might be off by half a day compared to the 30 days RENEW_ALLOW, but it's still wrong. Index: revokeproc.c =================================================================== RCS file: /cvs/src/usr.sbin/acme-client/revokeproc.c,v retrieving revision 1.22 diff -u -p -r1.22 revokeproc.c --- revokeproc.c 15 Dec 2022 16:59:04 -0000 1.22 +++ revokeproc.c 15 Dec 2022 17:02:14 -0000 @@ -54,7 +54,7 @@ X509expires(X509 *x) return -1; } - return mktime(&t); + return timegm(&t); } int