Skip to content

ari: Only check if cert is not expired, and use proper context #328

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mholt merged 6 commits into from
Jan 8, 2025
+13 −4
Merged

ari: Only check if cert is not expired, and use proper context #328

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
18e8a75
debug: Log issuer keys during iteration
mholt Jan 3, 2025
17e766b
Tweak debug log
mholt Jan 3, 2025
1cb1297
Use background context for ARI maintenance
mholt Jan 6, 2025
3c2a2a9
remove debug log; problem likely identified
mholt Jan 8, 2025
52c2b94
ba dum
mholt Jan 8, 2025
5e9b22f
Merge branch 'master' into ari-debug
mholt Jan 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 13 additions & 4 deletions handshake.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -600,13 +600,22 @@ func (cfg *Config) handshakeMaintenance(ctx context.Context, hello *tls.ClientHe
cfg.certCache.mu.Unlock()
}

// Check ARI status
if !cfg.DisableARI && cert.ari.NeedsRefresh() {
// Check ARI status, but it's only relevant if the certificate is not expired (otherwise, we already know it needs renewal!)
if !cfg.DisableARI && cert.ari.NeedsRefresh() && time.Now().Before(cert.Leaf.NotAfter) {
// update ARI in a goroutine to avoid blocking an active handshake, since the results of
// this do not strictly affect the handshake; even though the cert may be updated with
// the new ARI, it is also updated in the cache and in storage, so future handshakes
// will utilize it
go func(ctx context.Context, hello *tls.ClientHelloInfo, cert Certificate, logger *zap.Logger) {
go func(hello *tls.ClientHelloInfo, cert Certificate, logger *zap.Logger) {
// TODO: a different context that isn't tied to the handshake is probably better
// than a generic background context; maybe a longer-lived server config context,
// or something that the importing package sets on the Config struct; for example,
// a Caddy config context could be good, so that ARI updates will continue after
// the handshake goes away, but will be stopped if the underlying server is stopped
// (for now, use an unusual timeout to help recognize it in log patterns, if needed)
ctx, cancel := context.WithTimeout(context.Background(), 8*time.Minute)
defer cancel()

var err error
// we ignore the second return value here because we check renewal status below regardless
cert, _, err = cfg.updateARI(ctx, cert, logger)
Expand All @@ -617,7 +626,7 @@ func (cfg *Config) handshakeMaintenance(ctx context.Context, hello *tls.ClientHe
if err != nil {
logger.Error("renewing certificate based on updated ARI", zap.Error(err))
}
}(ctx, hello, cert, logger)
}(hello, cert, logger)
}

// We attempt to replace any certificates that were revoked.
Expand Down
Loading