ca: Make _renewCAIfNeeded threadsafe.

This is called from many places which make sense to call independently
and should not conflict. So protect against parallel CA renewal.
Result code will never block: a single thread will process renewal,
concurrent threads will just use the still-valid latest CA.

caucase/ca.py

@@ -23,6 +23,7 @@ import datetime
 import json
 import os
 import struct
+import threading
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization, hashes, hmac
@@ -140,6 +141,7 @@ class CertificateAuthority(object):
       value given on later instanciation will be ignored.
     """
     self._storage = storage
+    self._ca_renewal_lock = threading.Lock()
     if lock_auto_sign_csr_amount:
       storage.setConfigOnce(
         _CONFIG_NAME_AUTO_SIGN_CSR_AMOUNT,
@@ -521,13 +523,18 @@ class CertificateAuthority(object):
     ca_life_periods of validity left.
     Updates self._ca_key_pairs_list .
     """
-    if not self._ca_key_pairs_list or (
+    if (
+      not self._ca_key_pairs_list or (
         self._ca_key_pairs_list[-1]['crt'].not_valid_after - datetime.datetime.utcnow()
-    ).total_seconds() / self._crt_life_time.total_seconds() <= 2:
+      ).total_seconds() / self._crt_life_time.total_seconds() <= 2
+    ) and self._ca_renewal_lock.acquire(False):
+      try:
         # No CA certificate at all or less than 2 certificate validity periods
         # left with latest CA certificate. Prepare the next one so it starts
         # getting distributed.
         self.createCAKeyPair()
+      finally:
+        self._ca_renewal_lock.release()
 
   def _getCurrentCAKeypair(self):
     """