SSL expiry test fails if certificate validity equals 396 days? #38

@mejofi

Just got the following result on a domain where the 1-year certificate has just been renewed:

[FAIL] SSL expiry should be less than one year (396 days)

It is within spec, issued by Sectigo. It looks like you're testing for 366 days instead of 398?

ready/ready/checks/ssl.py

Lines 98 to 107 in 48e0885

```python
def check_ssl_expiry_should_be_less_than_one_year(responses, **kwargs):
    ssl_expiry = get_ssl_expiry(kwargs["domain_with_no_path"], ipv6=kwargs["is_ipv6"])
    ssl_expiry_days = (ssl_expiry - date.today()).days if ssl_expiry else None
    return result(
        ssl_expiry_days and ssl_expiry_days < 366,
        f"SSL expiry should be less than one year ({ssl_expiry_days} days)",
        "ssl_expiry_max",
        **kwargs,
    )
```

The value to check against should be 398 instead, see:

https://support.apple.com/en-us/102028

https://stackoverflow.com/questions/62659149/why-was-398-days-chosen-for-tls-expiration
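
The comparison at issue, worked through on a constructed certificate with both limits side by side. This is an added example, not part of the original issue or the project's code; the function names and the sample dates are assumptions.

```python
import ssl
from datetime import date, datetime, timezone

CURRENT_LIMIT_DAYS = 366   # value in the check quoted in the issue
PROPOSED_LIMIT_DAYS = 398  # value the issue proposes

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the dates are made up so that 396 days remain on 2024-03-01.
SAMPLE_CERT = {
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "Apr  1 23:59:59 2025 GMT",
}


def days_until_expiry(cert, today):
    """Whole days from `today` to the certificate's notAfter date, or None."""
    not_after = cert.get("notAfter")
    if not not_after:
        return None  # no certificate data: callers treat this as a failure
    # cert_time_to_seconds() parses the GMT timestamp into a UTC epoch value.
    expiry = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=timezone.utc
    ).date()
    return (expiry - today).days


def expiry_below_limit(cert, today, limit_days):
    """Strict less-than comparison, as in the quoted check, with the limit as a parameter."""
    remaining = days_until_expiry(cert, today)
    return remaining is not None and remaining < limit_days


def compare_limits(cert, today):
    """Evaluate one certificate against both limits discussed in the issue."""
    return {
        "days_remaining": days_until_expiry(cert, today),
        "passes_366": expiry_below_limit(cert, today, CURRENT_LIMIT_DAYS),
        "passes_398": expiry_below_limit(cert, today, PROPOSED_LIMIT_DAYS),
    }


if __name__ == "__main__":
    print(compare_limits(SAMPLE_CERT, date(2024, 3, 1)))
```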
