0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2024-12-23 22:27:38 -05:00

letsencrypt: Stubbed out OCSP staple updates

OCSP status is checked at a regular interval, and if the OCSP status changes for any of the certificates, the change callback is executed (restarts the server, updating the OCSP staple).
This commit is contained in:
Matthew Holt 2015-10-28 23:43:26 -06:00
parent 6762df415c
commit 30c949085c
3 changed files with 31 additions and 12 deletions

View file

@ -13,7 +13,7 @@ import (
)
func init() {
letsencrypt.OnRenew = func() error { return Restart(nil) }
letsencrypt.OnChange = func() error { return Restart(nil) }
}
// isLocalhost returns true if the string looks explicitly like a localhost address.

View file

@ -18,12 +18,6 @@ import (
"github.com/xenolf/lego/acme"
)
// OnRenew is the function that will be used to restart
// the application or the part of the application that uses
// the certificates maintained by this package. When at least
// one certificate is renewed, this function will be called.
var OnRenew func() error
// Activate sets up TLS for each server config in configs
// as needed. It only skips the config if the cert and key
// are already provided or if plaintext http is explicitly
@ -40,7 +34,9 @@ var OnRenew func() error
// Also note that calling this function activates asset
// management automatically, which <TODO>.
func Activate(configs []server.Config) ([]server.Config, error) {
// First identify and configure any elligible hosts for which
// TODO: Is multiple activation (before a deactivation) an error?
// First identify and configure any eligible hosts for which
// we already have certs and keys in storage from last time.
configLen := len(configs) // avoid infinite loop since this loop appends plaintext to the slice
for i := 0; i < configLen; i++ {
@ -269,6 +265,7 @@ func autoConfigure(cfg *server.Config, allConfigs []server.Config) []server.Conf
// TODO: Handle these errors better
if err == nil {
ocsp, status, err := acme.GetOCSPForCert(bundleBytes)
ocspStatus[&bundleBytes] = status
if err == nil && status == acme.OCSPGood {
cfg.TLS.OCSPStaple = ocsp
}
@ -402,3 +399,8 @@ var rsaKeySizeToUse = RSA_2048
// stopChan is used to signal the maintenance goroutine
// to terminate.
var stopChan chan struct{}
// ocspStatus maps certificate bundle to OCSP status at start.
// It is used during regular OCSP checks to see if the OCSP
// status has changed.
var ocspStatus = make(map[*[]byte]int)

View file

@ -10,6 +10,13 @@ import (
"github.com/xenolf/lego/acme"
)
// OnChange is a callback function that will be used to restart
// the application or the part of the application that uses
// the certificates maintained by this package. When at least
// one certificate is renewed or an OCSP status changes, this
// function will be called.
var OnChange func() error
// maintainAssets is a permanently-blocking function
// that loops indefinitely and, on a regular schedule, checks
// certificates for expiration and initiates a renewal of certs
@ -30,15 +37,25 @@ func maintainAssets(configs []server.Config, stopChan chan struct{}) {
for _, err := range errs {
log.Printf("[ERROR] cert renewal: %v\n", err)
}
if n > 0 && OnRenew != nil {
err := OnRenew()
if n > 0 && OnChange != nil {
err := OnChange()
if err != nil {
log.Printf("[ERROR] onrenew callback: %v\n", err)
log.Printf("[ERROR] onchange after cert renewal: %v\n", err)
}
}
}
case <-ocspTicker.C:
// TODO: Update OCSP
for bundle, oldStatus := range ocspStatus {
_, newStatus, err := acme.GetOCSPForCert(*bundle)
if err == nil && newStatus != oldStatus && OnChange != nil {
log.Printf("[INFO] ocsp status changed from %v to %v\n", oldStatus, newStatus)
err := OnChange()
if err != nil {
log.Printf("[ERROR] onchange after ocsp update: %v\n", err)
}
break
}
}
case <-stopChan:
renewalTicker.Stop()
ocspTicker.Stop()