authorMatthew Holt <mholt@users.noreply.github.com>2020-02-05 17:34:28 -0700
committerMatthew Holt <mholt@users.noreply.github.com>2020-02-05 17:34:28 -0700
commit5c7ca7d96e2d4ee2d3044475ce03e46589445b51 (patch)
treedfc3b615e8d288878f7a68dd18da76783fc66f91 /modules/caddyhttp/caddyhttp.go
parentec56c257089f42ef88ec3a5ec818965c0fa5d57f (diff)
http: Split 2-phase auto-HTTPS into 3 phases
This is necessary to avoid a race for sockets. Both the HTTP servers and CertMagic solvers will try to bind the HTTP/HTTPS ports, but we need to make sure that our HTTP servers bind first. This is kind of a new thing now that management is async in Caddy 2. Also update to CertMagic 0.9.2, which fixes some async use cases at scale.
Diffstat (limited to 'modules/caddyhttp/caddyhttp.go')
-rw-r--r--modules/caddyhttp/caddyhttp.go14
1 files changed, 11 insertions, 3 deletions
diff --git a/modules/caddyhttp/caddyhttp.go b/modules/caddyhttp/caddyhttp.go
index fc727d0..576620e 100644
--- a/modules/caddyhttp/caddyhttp.go
+++ b/modules/caddyhttp/caddyhttp.go
@@ -220,11 +220,12 @@ func (app *App) Validate() error {
// Start runs the app. It finishes automatic HTTPS if enabled,
// including management of certificates.
func (app *App) Start() error {
- // finish setting up automatic HTTPS and manage certs;
- // this must happen before each server is started
+ // give each server a pointer to the TLS app;
+ // this is required before they are started so
+ // they can solve ACME challenges
err := app.automaticHTTPSPhase2()
if err != nil {
- return fmt.Errorf("enabling automatic HTTPS: %v", err)
+ return fmt.Errorf("enabling automatic HTTPS, phase 2: %v", err)
}
for srvName, srv := range app.Servers {
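Review bot: Both error returns in Start format the cause with `%v`, here for phase 2 and again for phase 3 in the second hunk, so the underlying error is flattened to text and callers cannot match it with `errors.Is` or `errors.As`. If the module builds with Go 1.13 or later, `return fmt.Errorf("enabling automatic HTTPS, phase 2: %w", err)` keeps the same message and preserves the chain. The replacement comment says what phase 2 does but not the ordering rule the commit message gives; a line such as `// certificate management is deferred to phase 3 so the servers bind their ports before the ACME solvers do` would record why the split exists. Start's body continues past the end of this hunk.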
@@ -297,6 +298,13 @@ func (app *App) Start() error {
}
}
+ // finish automatic HTTPS by finally beginning
+ // certificate management
+ err = app.automaticHTTPSPhase3()
+ if err != nil {
+ return fmt.Errorf("finalizing automatic HTTPS: %v", err)
+ }
+
return nil
}
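Review bot: A failure from `app.automaticHTTPSPhase3()` returns from Start after the server loop has already run, and nothing in this hunk releases what that loop started. Unless the caller stops an app whose Start returned an error (not visible here), the HTTP and HTTPS listeners would stay bound and keep accepting connections with certificate management never begun. Consider tearing down in the error branch before returning, for example `if stopErr := app.Stop(); stopErr != nil { /* log and continue */ }`, assuming Stop is safe to call on a partially started app. The comment could also state that this call must stay after the loop, e.g. `// must run after all servers are listening, or the ACME solvers may win the race for the ports`. The loop body lies outside the hunk, so the exact resources it opens are inferred from the commit message.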