Initialize certmagic in Server.Start

This allows directives to change ACMEConfig or ACMEManager before
the server is started.
This commit is contained in:
Simon Ser 2021-02-17 18:33:07 +01:00
parent 90ac861b52
commit ac17fe976b
No known key found for this signature in database
GPG Key ID: 0FDE7BE0E88F5E48
1 changed files with 36 additions and 8 deletions

View File

@ -16,6 +16,21 @@ import (
"github.com/pires/go-proxyproto/tlvparse"
)
type acmeCache struct {
config *certmagic.Config
cache *certmagic.Cache
}
func newACMECache() *acmeCache {
cache := &acmeCache{}
cache.cache = certmagic.NewCache(certmagic.CacheOptions{
GetConfigForCert: func(certmagic.Certificate) (*certmagic.Config, error) {
return cache.config, nil
},
})
return cache
}
type Server struct {
Listeners map[string]*Listener // indexed by listening address
Frontends []*Frontend
@ -26,23 +41,23 @@ type Server struct {
ACMEManager *certmagic.ACMEManager
ACMEConfig *certmagic.Config
acmeCache *acmeCache
cancelACME context.CancelFunc
}
func NewServer() *Server {
cfg := certmagic.NewDefault()
// Make a copy of the defaults
acmeConfig := certmagic.Default
acmeManager := certmagic.DefaultACME
mgr := certmagic.NewACMEManager(cfg, certmagic.DefaultACME)
mgr.Agreed = true
acmeManager.Agreed = true
// We're a TLS server, we don't speak HTTP
mgr.DisableHTTPChallenge = true
cfg.Issuer = mgr
cfg.Revoker = mgr
acmeManager.DisableHTTPChallenge = true
return &Server{
Listeners: make(map[string]*Listener),
ACMEManager: mgr,
ACMEConfig: cfg,
ACMEManager: &acmeManager,
ACMEConfig: &acmeConfig,
}
}
@ -64,6 +79,14 @@ func (srv *Server) startACME() error {
var ctx context.Context
ctx, srv.cancelACME = context.WithCancel(context.Background())
srv.ACMEConfig = certmagic.New(srv.acmeCache.cache, *srv.ACMEConfig)
srv.ACMEManager = certmagic.NewACMEManager(srv.ACMEConfig, *srv.ACMEManager)
srv.ACMEConfig.Issuer = srv.ACMEManager
srv.ACMEConfig.Revoker = srv.ACMEManager
srv.acmeCache.config = srv.ACMEConfig
for _, cert := range srv.UnmanagedCerts {
if err := srv.ACMEConfig.CacheUnmanagedTLSCertificate(cert, nil); err != nil {
return err
@ -78,6 +101,8 @@ func (srv *Server) startACME() error {
}
func (srv *Server) Start() error {
srv.acmeCache = newACMECache()
if err := srv.startACME(); err != nil {
return err
}
@ -115,6 +140,9 @@ func (srv *Server) Replace(old *Server) error {
}
}
// Steal the old server's ACME cache
srv.acmeCache = old.acmeCache
// Restart ACME
old.cancelACME()
if err := srv.startACME(); err != nil {