2020-05-09 19:09:27 +02:00
|
|
|
// Copyright 2016 The Go Authors. All rights reserved.
|
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
|
|
package autocert
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"crypto"
|
|
|
|
|
"sync"
|
|
|
|
|
"time"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// renewJitter is the maximum deviation from Manager.RenewBefore.
|
|
|
|
|
const renewJitter = time.Hour
|
|
|
|
|
|
|
|
|
|
// domainRenewal tracks the state used by the periodic timers
|
|
|
|
|
// renewing a single domain's cert.
|
|
|
|
|
type domainRenewal struct {
|
|
|
|
|
m *Manager
|
|
|
|
|
ck certKey
|
|
|
|
|
key crypto.Signer
|
|
|
|
|
|
2022-03-26 12:13:52 +01:00
|
|
|
timerMu sync.Mutex
|
|
|
|
|
timer *time.Timer
|
|
|
|
|
timerClose chan struct{} // if non-nil, renew closes this channel (and nils out the timer fields) instead of running
|
2020-05-09 19:09:27 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// start starts a cert renewal timer at the time
|
|
|
|
|
// defined by the certificate expiration time exp.
|
|
|
|
|
//
|
|
|
|
|
// If the timer is already started, calling start is a noop.
|
|
|
|
|
func (dr *domainRenewal) start(exp time.Time) {
|
|
|
|
|
dr.timerMu.Lock()
|
|
|
|
|
defer dr.timerMu.Unlock()
|
|
|
|
|
if dr.timer != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
dr.timer = time.AfterFunc(dr.next(exp), dr.renew)
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-26 12:13:52 +01:00
|
|
|
// stop stops the cert renewal timer and waits for any in-flight calls to renew
|
|
|
|
|
// to complete. If the timer is already stopped, calling stop is a noop.
|
2020-05-09 19:09:27 +02:00
|
|
|
func (dr *domainRenewal) stop() {
|
|
|
|
|
dr.timerMu.Lock()
|
|
|
|
|
defer dr.timerMu.Unlock()
|
2022-03-26 12:13:52 +01:00
|
|
|
for {
|
|
|
|
|
if dr.timer == nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if dr.timer.Stop() {
|
|
|
|
|
dr.timer = nil
|
|
|
|
|
return
|
|
|
|
|
} else {
|
|
|
|
|
// dr.timer fired, and we acquired dr.timerMu before the renew callback did.
|
|
|
|
|
// (We know this because otherwise the renew callback would have reset dr.timer!)
|
|
|
|
|
timerClose := make(chan struct{})
|
|
|
|
|
dr.timerClose = timerClose
|
|
|
|
|
dr.timerMu.Unlock()
|
|
|
|
|
<-timerClose
|
|
|
|
|
dr.timerMu.Lock()
|
|
|
|
|
}
|
2020-05-09 19:09:27 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// renew is called periodically by a timer.
|
|
|
|
|
// The first renew call is kicked off by dr.start.
|
|
|
|
|
func (dr *domainRenewal) renew() {
|
|
|
|
|
dr.timerMu.Lock()
|
|
|
|
|
defer dr.timerMu.Unlock()
|
2022-03-26 12:13:52 +01:00
|
|
|
if dr.timerClose != nil {
|
|
|
|
|
close(dr.timerClose)
|
|
|
|
|
dr.timer, dr.timerClose = nil, nil
|
2020-05-09 19:09:27 +02:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
|
|
|
|
|
defer cancel()
|
|
|
|
|
// TODO: rotate dr.key at some point?
|
|
|
|
|
next, err := dr.do(ctx)
|
|
|
|
|
if err != nil {
|
|
|
|
|
next = renewJitter / 2
|
|
|
|
|
next += time.Duration(pseudoRand.int63n(int64(next)))
|
|
|
|
|
}
|
|
|
|
|
testDidRenewLoop(next, err)
|
2022-03-26 12:13:52 +01:00
|
|
|
dr.timer = time.AfterFunc(next, dr.renew)
|
2020-05-09 19:09:27 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// updateState locks and replaces the relevant Manager.state item with the given
|
|
|
|
|
// state. It additionally updates dr.key with the given state's key.
|
|
|
|
|
func (dr *domainRenewal) updateState(state *certState) {
|
|
|
|
|
dr.m.stateMu.Lock()
|
|
|
|
|
defer dr.m.stateMu.Unlock()
|
|
|
|
|
dr.key = state.key
|
|
|
|
|
dr.m.state[dr.ck] = state
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// do is similar to Manager.createCert but it doesn't lock a Manager.state item.
|
|
|
|
|
// Instead, it requests a new certificate independently and, upon success,
|
|
|
|
|
// replaces dr.m.state item with a new one and updates cache for the given domain.
|
|
|
|
|
//
|
|
|
|
|
// It may lock and update the Manager.state if the expiration date of the currently
|
|
|
|
|
// cached cert is far enough in the future.
|
|
|
|
|
//
|
|
|
|
|
// The returned value is a time interval after which the renewal should occur again.
|
|
|
|
|
func (dr *domainRenewal) do(ctx context.Context) (time.Duration, error) {
|
|
|
|
|
// a race is likely unavoidable in a distributed environment
|
|
|
|
|
// but we try nonetheless
|
|
|
|
|
if tlscert, err := dr.m.cacheGet(ctx, dr.ck); err == nil {
|
|
|
|
|
next := dr.next(tlscert.Leaf.NotAfter)
|
|
|
|
|
if next > dr.m.renewBefore()+renewJitter {
|
|
|
|
|
signer, ok := tlscert.PrivateKey.(crypto.Signer)
|
|
|
|
|
if ok {
|
|
|
|
|
state := &certState{
|
|
|
|
|
key: signer,
|
|
|
|
|
cert: tlscert.Certificate,
|
|
|
|
|
leaf: tlscert.Leaf,
|
|
|
|
|
}
|
|
|
|
|
dr.updateState(state)
|
|
|
|
|
return next, nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
der, leaf, err := dr.m.authorizedCert(ctx, dr.key, dr.ck)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return 0, err
|
|
|
|
|
}
|
|
|
|
|
state := &certState{
|
|
|
|
|
key: dr.key,
|
|
|
|
|
cert: der,
|
|
|
|
|
leaf: leaf,
|
|
|
|
|
}
|
|
|
|
|
tlscert, err := state.tlscert()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return 0, err
|
|
|
|
|
}
|
|
|
|
|
if err := dr.m.cachePut(ctx, dr.ck, tlscert); err != nil {
|
|
|
|
|
return 0, err
|
|
|
|
|
}
|
|
|
|
|
dr.updateState(state)
|
|
|
|
|
return dr.next(leaf.NotAfter), nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (dr *domainRenewal) next(expiry time.Time) time.Duration {
|
|
|
|
|
d := expiry.Sub(dr.m.now()) - dr.m.renewBefore()
|
|
|
|
|
// add a bit of randomness to renew deadline
|
|
|
|
|
n := pseudoRand.int63n(int64(renewJitter))
|
|
|
|
|
d -= time.Duration(n)
|
|
|
|
|
if d < 0 {
|
|
|
|
|
return 0
|
|
|
|
|
}
|
|
|
|
|
return d
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var testDidRenewLoop = func(next time.Duration, err error) {}
|
