ari: Nil check for RetryAfter time in storedCert

Fixes a reported panic

Author: mholt

maintain.go

@@ -419,16 +419,16 @@ func (certCache *Cache) updateOCSPStaples(ctx context.Context) {
 // than that of a certificate that is already loaded, along with the value from
 // storage.
 func (cfg *Config) storageHasNewerARI(ctx context.Context, cert Certificate) (bool, acme.RenewalInfo, error) {
-	storedCertData, err := cfg.loadStoredACMECertificateMetadata(ctx, cert)
-	if err != nil || storedCertData.RenewalInfo == nil {
+	storedCert, err := cfg.loadStoredACMECertificateMetadata(ctx, cert)
+	if err != nil || storedCert.RenewalInfo == nil || storedCert.RenewalInfo.RetryAfter == nil {
 		return false, acme.RenewalInfo{}, err
 	}
 	// prefer stored info if it has a window and the loaded one doesn't,
 	// or if the one in storage has a later RetryAfter (though I suppose
 	// it's not guaranteed, typically those will move forward in time)
-	if (!cert.ari.HasWindow() && storedCertData.RenewalInfo.HasWindow()) ||
-		(cert.ari.RetryAfter == nil || storedCertData.RenewalInfo.RetryAfter.After(*cert.ari.RetryAfter)) {
-		return true, *storedCertData.RenewalInfo, nil
+	if (!cert.ari.HasWindow() && storedCert.RenewalInfo.HasWindow()) ||
+		(cert.ari.RetryAfter == nil || storedCert.RenewalInfo.RetryAfter.After(*cert.ari.RetryAfter)) {
+		return true, *storedCert.RenewalInfo, nil
 	}
 	return false, acme.RenewalInfo{}, nil
 }