fix: deflake //rs/registry/canister:registry_canister_integration_test_tests/rate_limits (#9172)

basvandijk · web-flow · commit 2f8ef5bac55b · 2026-03-04T14:54:03.000Z
## Root Cause

The test uses `.with_current_time()` to set the state machine's clock to
`SystemTime::now()` at build time. However, `prepare_add_node_payload`
generates TLS certificates using the real system clock (via
`generate_node_keys_once`). The CSP vault sets the certificate's
`notBefore` to `system_time - 2_minutes`.

As the test runs its loop of 70 add/remove node iterations (~2 minutes
of wall-clock time), the real system time advances while the state
machine's time drifts behind. When the registry canister validates the
TLS certificate, it compares the cert's `notBefore` against the state
machine's time. If the state machine's time has fallen far enough behind
the system time that `system_time - 2min &gt; state_machine_time`, the
validation fails with:

```
invalid TLS certificate: notBefore date is in the future compared to current time
```

All 11 flaky failures in the past week show this exact pattern — the
`notBefore` is 1–5 seconds ahead of the state machine's clock.

## Fix

Call `env.set_time(SystemTime::now())` before each `add_node` call to
resync the state machine's clock with the system clock. This is a
well-established pattern used in other state machine tests (e.g.,
`gtc.rs`, `node_provider_remuneration.rs`).

---
This PR was created following the steps in
`.claude/skills/fix-flaky-tests/SKILL.md`.
diff --git a/rs/registry/canister/tests/rate_limits.rs b/rs/registry/canister/tests/rate_limits.rs
@@ -14,6 +14,7 @@ use registry_canister::{
     init::RegistryCanisterInitPayloadBuilder,
     mutations::do_add_node_operator::AddNodeOperatorPayload,
 };
+use std::time::SystemTime;
 
 /// StateMachine test that verifies rate limiting works correctly for node operator operations
 #[test]
@@ -70,6 +71,11 @@ fn test_rate_limiting_state_machine() {
     };
 
     for _ in 0..70 {
+        // Sync state machine time with system time so that TLS certificates
+        // generated by `prepare_add_node_payload` (which uses the system clock)
+        // have a `notBefore` that is not in the future relative to the state
+        // machine's time.
+        env.set_time(SystemTime::now());
         // Create a simple add_node payload for testing with unique IP addresses
         let add_node_payload = next_add_node_payload(); // Use unique IDs
 
@@ -94,6 +100,7 @@ fn test_rate_limiting_state_machine() {
         .unwrap();
     }
 
+    env.set_time(SystemTime::now());
     let add_node_payload = next_add_node_payload();
     let error = env
         .execute_ingress_as(
