summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatthew Holt <mholt@users.noreply.github.com>2021-06-03 12:24:35 -0600
committerMatthew Holt <mholt@users.noreply.github.com>2021-06-05 11:47:44 -0600
commit323ffd20764e0f31a26ac700952adbb937b9eb69 (patch)
treed285fc1065432f6bfaefe996620694fe7854f027
parent2a8109468ce8520fa96e8a5139a350a1a68cbd26 (diff)
admin: Replace admin cert cache when reloading (fix #4184)
-rw-r--r--admin.go20
1 files changed, 10 insertions, 10 deletions
diff --git a/admin.go b/admin.go
index 51eb0cc..8eef916 100644
--- a/admin.go
+++ b/admin.go
@@ -364,11 +364,6 @@ func manageIdentity(ctx Context, cfg *Config) error {
return nil
}
- oldIdentityCertCache := identityCertCache
- if oldIdentityCertCache != nil {
- defer oldIdentityCertCache.Stop()
- }
-
// set default issuers; this is pretty hacky because we can't
// import the caddytls package -- but it works
if cfg.Admin.Identity.IssuersRaw == nil {
@@ -389,8 +384,13 @@ func manageIdentity(ctx Context, cfg *Config) error {
}
}
+ // we'll make a new cache when we make the CertMagic config, so stop any previous cache
+ if identityCertCache != nil {
+ identityCertCache.Stop()
+ }
+
logger := Log().Named("admin.identity")
- cmCfg := cfg.Admin.Identity.certmagicConfig(logger)
+ cmCfg := cfg.Admin.Identity.certmagicConfig(logger, true)
// issuers have circular dependencies with the configs because,
// as explained in the caddytls package, they need access to the
@@ -456,7 +456,7 @@ func replaceRemoteAdminServer(ctx Context, cfg *Config) error {
}
// create TLS config that will enforce mutual authentication
- cmCfg := cfg.Admin.Identity.certmagicConfig(remoteLogger)
+ cmCfg := cfg.Admin.Identity.certmagicConfig(remoteLogger, false)
tlsConfig := cmCfg.TLSConfig()
tlsConfig.NextProtos = nil // this server does not solve ACME challenges
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
@@ -499,7 +499,7 @@ func replaceRemoteAdminServer(ctx Context, cfg *Config) error {
return nil
}
-func (ident *IdentityConfig) certmagicConfig(logger *zap.Logger) *certmagic.Config {
+func (ident *IdentityConfig) certmagicConfig(logger *zap.Logger, makeCache bool) *certmagic.Config {
if ident == nil {
// user might not have configured identity; that's OK, we can still make a
// certmagic config, although it'll be mostly useless for remote management
@@ -510,7 +510,7 @@ func (ident *IdentityConfig) certmagicConfig(logger *zap.Logger) *certmagic.Conf
Logger: logger,
Issuers: ident.issuers,
}
- if identityCertCache == nil {
+ if makeCache {
identityCertCache = certmagic.NewCache(certmagic.CacheOptions{
GetConfigForCert: func(certmagic.Certificate) (*certmagic.Config, error) {
return cmCfg, nil
@@ -533,7 +533,7 @@ func (ctx Context) IdentityCredentials(logger *zap.Logger) ([]tls.Certificate, e
if logger == nil {
logger = Log()
}
- magic := ident.certmagicConfig(logger)
+ magic := ident.certmagicConfig(logger, false)
return magic.ClientCredentials(ctx, ident.Identifiers)
}