From 45fba1db27eea3894e75678ed11a2ca3cec8014b Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Tue, 7 Oct 2025 10:54:58 +0200
Subject: [PATCH] BUG/MINOR: acme: avoid overflow when diff > notAfter

Avoid an overflow or a negative value if notAfter < diff. This is unlikely to provoke any problem. Fixes issue #3138. Must be backported to 3.2.
---
 src/acme.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/acme.c b/src/acme.c
index e302b9865..9ce93b03e 100644
--- a/src/acme.c
+++ b/src/acme.c
@@ -2425,8 +2425,10 @@ static time_t acme_schedule_date(struct ckch_store *store)
 } else {
 diff = 7 * 24 * 60 * 60; /* default to 7 days */
 }
-
- return (notAfter - diff);
+ if (notAfter > diff) /* avoid overflow */
+ return (notAfter - diff);
+ else
+ return 1; /* epoch+1 is long way expired */
 }

 /*
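Review bot: The new guard at the end of acme_schedule_date() folds two different situations into the sentinel `1`: a certificate whose remaining validity is shorter than `diff`, and a `notAfter` that is zero or negative because the date could not be read (the `else` branch that defaults `diff` to 7 days suggests such a path exists, but its condition is outside the hunk). Both now mean "renew immediately", so it is worth confirming that the caller backs off after a failed renewal; otherwise a store with an unreadable date could presumably retry against the ACME server in a loop. The `/* avoid overflow */` comment is also narrower than the commit message, since with a signed `time_t` the old expression yields a negative date rather than wrapping; something like `/* never return a date <= 0: schedule right away instead */` would describe the guard better. The function body starts outside the hunk.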