letsencrypt: Couple minor refactors/fixes

Matthew Holt 2016-01-08 11:07:35 -07:00
parent 93b301372b
commit fc928e0b3b
3 changed files with 21 additions and 16 deletions


@ -1,4 +1,5 @@
// Package caddy implements the Caddy web server as a service. // Package caddy implements the Caddy web server as a service
// in your own Go programs.
// //
// To use this package, follow a few simple steps: // To use this package, follow a few simple steps:
// //


@ -72,7 +72,11 @@ func Activate(configs []server.Config) ([]server.Config, error) {
// set up redirects // set up redirects
configs = MakePlaintextRedirects(configs) configs = MakePlaintextRedirects(configs)
// renew all relevant certificates that need renewal; TODO: handle errors // renew all relevant certificates that need renewal. this is important
// to do right away for a couple reasons, mainly because each restart,
// the renewal ticker is reset, so if restarts happen more often than
// the ticker interval, renewals would never happen. but doing
// it right away at start guarantees that renewals aren't missed.
renewCertificates(configs, false) renewCertificates(configs, false)
// keep certificates renewed and OCSP stapling updated // keep certificates renewed and OCSP stapling updated
@ -127,7 +131,7 @@ func ObtainCerts(configs []server.Config, optPort string) error {
} }
Obtain: Obtain:
certificate, failures := client.ObtainCertificate([]string{cfg.Host}, true) certificate, failures := client.ObtainCertificate([]string{cfg.Host}, true, nil)
if len(failures) == 0 { if len(failures) == 0 {
// Success - immediately save the certificate resource // Success - immediately save the certificate resource
err := saveCertResource(certificate) err := saveCertResource(certificate)
@ -289,11 +293,9 @@ func HostQualifies(hostname string) bool {
strings.TrimSpace(hostname) != "" && strings.TrimSpace(hostname) != "" &&
net.ParseIP(hostname) == nil && // cannot be an IP address, see: https://community.letsencrypt.org/t/certificate-for-static-ip/84/2?u=mholt net.ParseIP(hostname) == nil && // cannot be an IP address, see: https://community.letsencrypt.org/t/certificate-for-static-ip/84/2?u=mholt
// TODO: net.ParseIP also catches the two variants without brackets // These special cases can sneak through if specified with -host and with empty/no Caddyfile
hostname != "[::]" && // before parsing hostname != "[::]" &&
hostname != "::" && // after parsing hostname != "[::1]"
hostname != "[::1]" && // before parsing
hostname != "::1" // after parsing
} }
// existingCertAndKey returns true if the host has a certificate // existingCertAndKey returns true if the host has a certificate
@ -335,8 +337,8 @@ func newClientPort(leEmail, port string) (*acme.Client, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
client.SetHTTPPort(port) client.SetHTTPAddress(":" + port)
client.SetTLSPort(port) client.SetTLSAddress(":" + port)
client.ExcludeChallenges([]string{"tls-sni-01", "dns-01"}) // We can only guarantee http-01 at this time client.ExcludeChallenges([]string{"tls-sni-01", "dns-01"}) // We can only guarantee http-01 at this time
// If not registered, the user must register an account with the CA // If not registered, the user must register an account with the CA
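Review bot: The HostQualifies hunk still enumerates only two bracketed IPv6 literals (`[::]` and `[::1]`), so any other bracketed form — a constructed `[2001:db8::1]`, for example — passes the `net.ParseIP(hostname) == nil` test unchanged and, since HostQualifies presumably gates ObtainCerts, would be submitted to the CA as a hostname; dropping the unbracketed `::`/`::1` cases is fine because ParseIP already rejects those. Stripping the brackets before parsing covers every IP literal with one condition and lets the two explicit lines go: `net.ParseIP(strings.Trim(hostname, "[]")) == nil && // IP literals, bracketed or not, never qualify`. HostQualifies's opening lines are above the hunk, so the replacement for the comment at the top of the chain needs a look there too.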


@ -49,7 +49,7 @@ func maintainAssets(configs []server.Config, stopChan chan struct{}) {
case <-ocspTicker.C: case <-ocspTicker.C:
for bundle, oldResp := range ocspCache { for bundle, oldResp := range ocspCache {
// start checking OCSP staple about halfway through validity period for good measure // start checking OCSP staple about halfway through validity period for good measure
refreshTime := oldResp.ThisUpdate.Add(oldResp.NextUpdate.Sub(oldResp.ThisUpdate) / 10) refreshTime := oldResp.ThisUpdate.Add(oldResp.NextUpdate.Sub(oldResp.ThisUpdate) / 2)
if time.Now().After(refreshTime) { if time.Now().After(refreshTime) {
_, newResp, err := acme.GetOCSPForCert(*bundle) _, newResp, err := acme.GetOCSPForCert(*bundle)
if err != nil { if err != nil {
@ -112,8 +112,8 @@ func renewCertificates(configs []server.Config, useCustomPort bool) (int, []erro
// Directly convert it to days for the following checks. // Directly convert it to days for the following checks.
daysLeft := int(expTime.Sub(time.Now().UTC()).Hours() / 24) daysLeft := int(expTime.Sub(time.Now().UTC()).Hours() / 24)
// Renew with two weeks or less remaining. // Renew if getting close to expiration.
if daysLeft <= 14 { if daysLeft <= renewDaysBefore {
log.Printf("[INFO] Certificate for %s has %d days remaining; attempting renewal", cfg.Host, daysLeft) log.Printf("[INFO] Certificate for %s has %d days remaining; attempting renewal", cfg.Host, daysLeft)
var client *acme.Client var client *acme.Client
if useCustomPort { if useCustomPort {
@ -164,11 +164,13 @@ func renewCertificates(configs []server.Config, useCustomPort bool) (int, []erro
saveCertResource(newCertMeta) saveCertResource(newCertMeta)
n++ n++
} else if daysLeft <= 21 { } else if daysLeft <= renewDaysBefore+7 && daysLeft >= renewDaysBefore+6 {
// Warn on 21 days remaining. TODO: Just do this once... log.Printf("[WARNING] Certificate for %s has %d days remaining; will automatically renew when %d days remain\n", cfg.Host, daysLeft, renewDaysBefore)
log.Printf("[WARNING] Certificate for %s has %d days remaining; will automatically renew when 14 days remain\n", cfg.Host, daysLeft)
} }
} }
return n, errs return n, errs
} }
// renewDaysBefore is how many days before expiration to renew certificates.
const renewDaysBefore = 14
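Review bot: The warning branch in renewCertificates encodes its window as two bare offsets, `renewDaysBefore+6` and `renewDaysBefore+7`, and the removed TODO about warning only once is not clearly resolved: both 20 and 21 fall inside the inclusive window, so if the renewal ticker fires at least daily (its interval is outside this hunk) the warning presumably repeats on two consecutive days. Naming the window next to the new constant makes the intent reviewable, e.g. `const warnDaysBefore = renewDaysBefore + 7 // warn about a week ahead of renewal` and `} else if daysLeft >= warnDaysBefore-1 && daysLeft <= warnDaysBefore {`, with a short comment on why the window is two days wide rather than one. The enclosing loop and the function header are above the hunk. Also consider declaring renewDaysBefore near the top of the file beside the other package-level declarations rather than after the function that uses it.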