Commit 410ece83 authored by Matthew Holt's avatar Matthew Holt

tls: Only require renewed cert at startup 7 days out (issue #1680)

parent ebf4279e
...@@ -25,6 +25,13 @@ const ( ...@@ -25,6 +25,13 @@ const (
// RenewDurationBefore is how long before expiration to renew certificates. // RenewDurationBefore is how long before expiration to renew certificates.
RenewDurationBefore = (24 * time.Hour) * 30 RenewDurationBefore = (24 * time.Hour) * 30
// RenewDurationBeforeAtStartup is how long before expiration to require
// a renewed certificate when the process is first starting up (see #1680).
// A wider window between RenewDurationBefore and this value will allow
// Caddy to start under duress but hopefully this duration will give it
// enough time for the blockage to be relieved.
RenewDurationBeforeAtStartup = (24 * time.Hour) * 7
// OCSPInterval is how often to check if OCSP stapling needs updating. // OCSPInterval is how often to check if OCSP stapling needs updating.
OCSPInterval = 1 * time.Hour OCSPInterval = 1 * time.Hour
) )
...@@ -126,13 +133,17 @@ func RenewManagedCertificates(allowPrompts bool) (err error) { ...@@ -126,13 +133,17 @@ func RenewManagedCertificates(allowPrompts bool) (err error) {
err := cert.Config.RenewCert(renewName, allowPrompts) err := cert.Config.RenewCert(renewName, allowPrompts)
if err != nil { if err != nil {
if allowPrompts { if allowPrompts {
// Certificate renewal failed and the operator is present; we should stop // Certificate renewal failed and the operator is present. See a discussion
// immediately and return the error. See a discussion in issue 642 // about this in issue 642. For a while, we only stopped if the certificate
// about this. For a while, we only stopped if the certificate was // was expired, but in reality, there is no difference between reporting
// expired, but in reality, there is no difference between reporting // it now versus later, except that there's somebody present to deal with
// it now versus later, except that there's somebody present to deal // it right now.
// with it now, so require it. timeLeft := cert.NotAfter.Sub(time.Now().UTC())
return err if timeLeft < RenewDurationBeforeAtStartup {
// See issue 1680. Only fail at startup if the certificate is dangerously
// close to expiration.
return err
}
} }
log.Printf("[ERROR] %v", err) log.Printf("[ERROR] %v", err)
if cert.Config.OnDemand { if cert.Config.OnDemand {
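Review bot: In the second hunk, when the new `timeLeft < RenewDurationBeforeAtStartup` check does not fire, the renewal failure now falls through to the generic `log.Printf("[ERROR] %v", err)` line, so an operator has no record that startup deliberately continued on an unrenewed certificate or how much validity is left — exactly the condition they would need to notice and fix before the 7-day threshold makes the next restart fail. Add a line after the inner `if` block, still inside `if allowPrompts`, such as `log.Printf("[WARNING] Renewal of %s failed but certificate is valid for %v more; continuing startup (see issue 1680)", renewName, timeLeft)`, so the deferral is distinguishable from an ordinary renewal error in the logs. Minor style point on the same hunk: `time.Now().UTC()` can be `time.Now()`, since `Time.Sub` does not depend on the location. RenewManagedCertificates starts and ends outside the hunk, so the loop context around `cert` and `renewName` is inferred.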