Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
C
caddy
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
caddy
Commits
fc928e0b
Commit
fc928e0b
authored
Jan 08, 2016
by
Matthew Holt
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
letsencrypt: Couple minor refactors/fixes
parent
93b30137
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
21 additions
and
16 deletions
+21
-16
caddy/caddy.go
caddy/caddy.go
+2
-1
caddy/letsencrypt/letsencrypt.go
caddy/letsencrypt/letsencrypt.go
+11
-9
caddy/letsencrypt/maintain.go
caddy/letsencrypt/maintain.go
+8
-6
No files found.
caddy/caddy.go
View file @
fc928e0b
// Package caddy implements the Caddy web server as a service.
// Package caddy implements the Caddy web server as a service
// in your own Go programs.
//
// To use this package, follow a few simple steps:
//
...
...
caddy/letsencrypt/letsencrypt.go
View file @
fc928e0b
...
...
@@ -72,7 +72,11 @@ func Activate(configs []server.Config) ([]server.Config, error) {
// set up redirects
configs
=
MakePlaintextRedirects
(
configs
)
// renew all relevant certificates that need renewal; TODO: handle errors
// renew all relevant certificates that need renewal. this is important
// to do right away for a couple reasons, mainly because each restart,
// the renewal ticker is reset, so if restarts happen more often than
// the ticker interval, renewals would never happen. but doing
// it right away at start guarantees that renewals aren't missed.
renewCertificates
(
configs
,
false
)
// keep certificates renewed and OCSP stapling updated
...
...
@@ -127,7 +131,7 @@ func ObtainCerts(configs []server.Config, optPort string) error {
}
Obtain
:
certificate
,
failures
:=
client
.
ObtainCertificate
([]
string
{
cfg
.
Host
},
true
)
certificate
,
failures
:=
client
.
ObtainCertificate
([]
string
{
cfg
.
Host
},
true
,
nil
)
if
len
(
failures
)
==
0
{
// Success - immediately save the certificate resource
err
:=
saveCertResource
(
certificate
)
...
...
@@ -289,11 +293,9 @@ func HostQualifies(hostname string) bool {
strings
.
TrimSpace
(
hostname
)
!=
""
&&
net
.
ParseIP
(
hostname
)
==
nil
&&
// cannot be an IP address, see: https://community.letsencrypt.org/t/certificate-for-static-ip/84/2?u=mholt
// TODO: net.ParseIP also catches the two variants without brackets
hostname
!=
"[::]"
&&
// before parsing
hostname
!=
"::"
&&
// after parsing
hostname
!=
"[::1]"
&&
// before parsing
hostname
!=
"::1"
// after parsing
// These special cases can sneak through if specified with -host and with empty/no Caddyfile
hostname
!=
"[::]"
&&
hostname
!=
"[::1]"
}
// existingCertAndKey returns true if the host has a certificate
...
...
@@ -335,8 +337,8 @@ func newClientPort(leEmail, port string) (*acme.Client, error) {
if
err
!=
nil
{
return
nil
,
err
}
client
.
SetHTTP
Port
(
port
)
client
.
SetTLS
Port
(
port
)
client
.
SetHTTP
Address
(
":"
+
port
)
client
.
SetTLS
Address
(
":"
+
port
)
client
.
ExcludeChallenges
([]
string
{
"tls-sni-01"
,
"dns-01"
})
// We can only guarantee http-01 at this time
// If not registered, the user must register an account with the CA
...
...
caddy/letsencrypt/maintain.go
View file @
fc928e0b
...
...
@@ -49,7 +49,7 @@ func maintainAssets(configs []server.Config, stopChan chan struct{}) {
case
<-
ocspTicker
.
C
:
for
bundle
,
oldResp
:=
range
ocspCache
{
// start checking OCSP staple about halfway through validity period for good measure
refreshTime
:=
oldResp
.
ThisUpdate
.
Add
(
oldResp
.
NextUpdate
.
Sub
(
oldResp
.
ThisUpdate
)
/
10
)
refreshTime
:=
oldResp
.
ThisUpdate
.
Add
(
oldResp
.
NextUpdate
.
Sub
(
oldResp
.
ThisUpdate
)
/
2
)
if
time
.
Now
()
.
After
(
refreshTime
)
{
_
,
newResp
,
err
:=
acme
.
GetOCSPForCert
(
*
bundle
)
if
err
!=
nil
{
...
...
@@ -112,8 +112,8 @@ func renewCertificates(configs []server.Config, useCustomPort bool) (int, []erro
// Directly convert it to days for the following checks.
daysLeft
:=
int
(
expTime
.
Sub
(
time
.
Now
()
.
UTC
())
.
Hours
()
/
24
)
// Renew
with two weeks or less remaining
.
if
daysLeft
<=
14
{
// Renew
if getting close to expiration
.
if
daysLeft
<=
renewDaysBefore
{
log
.
Printf
(
"[INFO] Certificate for %s has %d days remaining; attempting renewal"
,
cfg
.
Host
,
daysLeft
)
var
client
*
acme
.
Client
if
useCustomPort
{
...
...
@@ -164,11 +164,13 @@ func renewCertificates(configs []server.Config, useCustomPort bool) (int, []erro
saveCertResource
(
newCertMeta
)
n
++
}
else
if
daysLeft
<=
21
{
// Warn on 21 days remaining. TODO: Just do this once...
log
.
Printf
(
"[WARNING] Certificate for %s has %d days remaining; will automatically renew when 14 days remain
\n
"
,
cfg
.
Host
,
daysLeft
)
}
else
if
daysLeft
<=
renewDaysBefore
+
7
&&
daysLeft
>=
renewDaysBefore
+
6
{
log
.
Printf
(
"[WARNING] Certificate for %s has %d days remaining; will automatically renew when %d days remain
\n
"
,
cfg
.
Host
,
daysLeft
,
renewDaysBefore
)
}
}
return
n
,
errs
}
// renewDaysBefore is how many days before expiration to renew certificates.
const
renewDaysBefore
=
14
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment