From 654f26cb910b90c63bf590c6723343730f3f30d0 Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Mon, 16 Oct 2017 16:40:43 -0600
Subject: [PATCH] tls: Evict existing certificates from cache when loading ones from disk
---
 caddytls/certificates.go | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/caddytls/certificates.go b/caddytls/certificates.go
index 2f24e884..05af914f 100644
--- a/caddytls/certificates.go
+++ b/caddytls/certificates.go
@@ -128,8 +128,10 @@ func (cfg *Config) CacheManagedCertificate(domain string) (Certificate, error) {
 // cacheUnmanagedCertificatePEMFile loads a certificate for host using certFile
 // and keyFile, which must be in PEM format. It stores the certificate in
-// memory. The Managed and OnDemand flags of the certificate will be set to
-// false.
+// memory after evicting any other entries in the cache keyed by the names
+// on this certificate. In other words, it replaces existing certificates keyed
+// by the names on this certificate. The Managed and OnDemand flags of the
+// certificate will be set to false.
 //
 // This function is safe for concurrent use.
 func cacheUnmanagedCertificatePEMFile(certFile, keyFile string) error {
@@ -137,6 +139,16 @@ func cacheUnmanagedCertificatePEMFile(certFile, keyFile string) error {
 if err != nil {
 return err
 }
+
+ // since this is manually managed, this call might be part of a reload after
+ // the owner renewed a certificate; so clear cache of any previous cert first,
+ // otherwise the renewed certificate may never be loaded
+ certCacheMu.Lock()
+ for _, name := range cert.Names {
+ delete(certCache, name)
+ }
+ certCacheMu.Unlock()
+
 cacheCertificate(cert)
 return nil
 }
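Review bot: The eviction in the added block and the insertion by `cacheCertificate(cert)` on the following line run under two separate acquisitions of `certCacheMu`, so between `certCacheMu.Unlock()` and the insert a concurrent lookup for any of `cert.Names` finds no certificate at all, and a concurrent load of a different certificate for the same name can interleave between the delete and the insert. If `cacheCertificate` takes the lock itself (its body is not in this hunk, so this is inferred), the fix is to do delete and insert in one critical section, for example by calling a variant of `cacheCertificate` that assumes the lock is already held from inside the locked region. Separately, the eviction is keyed only by the names on the new certificate, so when a renewed certificate drops a name the previous one carried, the entry for that dropped name keeps serving the old, possibly expiring certificate; a comment such as `// NOTE: entries keyed by names that are not on the new certificate are left in place` would at least make that limit visible to the next maintainer. cacheUnmanagedCertificatePEMFile begins before this hunk; only its tail is shown.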