Skip to content

Commit 4d5c08f

Browse files
mholtmholt
authored
ari: Only check if cert is not expired, and use proper context (#328)
* debug: Log issuer keys during iteration * Tweak debug log * Use background context for ARI maintenance * remove debug log; problem likely identified * ba dum
1 parent bb0f300 commit 4d5c08f

File tree

1 file changed

+13
-4
lines changed

1 file changed

+13
-4
lines changed

handshake.go

Lines changed: 13 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -600,13 +600,22 @@ func (cfg *Config) handshakeMaintenance(ctx context.Context, hello *tls.ClientHe
600600
cfg.certCache.mu.Unlock()
601601
}
602602

603-
// Check ARI status
604-
if !cfg.DisableARI && cert.ari.NeedsRefresh() {
603+
// Check ARI status, but it's only relevant if the certificate is not expired (otherwise, we already know it needs renewal!)
604+
if !cfg.DisableARI && cert.ari.NeedsRefresh() && time.Now().Before(cert.Leaf.NotAfter) {
605605
// update ARI in a goroutine to avoid blocking an active handshake, since the results of
606606
// this do not strictly affect the handshake; even though the cert may be updated with
607607
// the new ARI, it is also updated in the cache and in storage, so future handshakes
608608
// will utilize it
609-
go func(ctx context.Context, hello *tls.ClientHelloInfo, cert Certificate, logger *zap.Logger) {
609+
go func(hello *tls.ClientHelloInfo, cert Certificate, logger *zap.Logger) {
610+
// TODO: a different context that isn't tied to the handshake is probably better
611+
// than a generic background context; maybe a longer-lived server config context,
612+
// or something that the importing package sets on the Config struct; for example,
613+
// a Caddy config context could be good, so that ARI updates will continue after
614+
// the handshake goes away, but will be stopped if the underlying server is stopped
615+
// (for now, use an unusual timeout to help recognize it in log patterns, if needed)
616+
ctx, cancel := context.WithTimeout(context.Background(), 8*time.Minute)
617+
defer cancel()
618+
610619
var err error
611620
// we ignore the second return value here because we check renewal status below regardless
612621
cert, _, err = cfg.updateARI(ctx, cert, logger)
@@ -617,7 +626,7 @@ func (cfg *Config) handshakeMaintenance(ctx context.Context, hello *tls.ClientHe
617626
if err != nil {
618627
logger.Error("renewing certificate based on updated ARI", zap.Error(err))
619628
}
620-
}(ctx, hello, cert, logger)
629+
}(hello, cert, logger)
621630
}
622631

623632
// We attempt to replace any certificates that were revoked.

0 commit comments

Comments
 (0)