x/crypto/acme/autocert: Update local state with new cert on failed renewal #22960
Labels
Milestone
Comments
|
Sounds reasonable. /cc @x1ddos |
bradfitz
added
the
NeedsFix
|
Yeah, a it's a good one. Working on a CL now. |
|
Change https://golang.org/cl/89995 mentions this issue: |
|
@x1ddos Ran into this as well, also pushed a first stab at fixing it. WDYT? |
|
thanks @morgabra. yeah, I had almost identical change but never sent it for a review. so, we'll use yours. added some comments. |
|
We've been running the code in https://go-review.googlesource.com/c/crypto/+/89995 in prod for a few weeks now if anyone else is running into this. |
|
Sorry, fell off my radar. Reviewed. |
c-expert-zigbee
pushed a commit
to c-expert-zigbee/crypto_go
that referenced
this issue
Mar 28, 2022
Currently, the renewal flow will check the cache before renewing to make sure it is actually necessary. This change modifies this flow to update the local state so the cached cert is actually used by the manager. Fixes golang/go#22960 Change-Id: I16668e8098616190938ee52858294b59bc1a5160 Reviewed-on: https://go-review.googlesource.com/89995 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
c-expert-zigbee
pushed a commit
to c-expert-zigbee/crypto_go
that referenced
this issue
Mar 29, 2022
Currently, the renewal flow will check the cache before renewing to make sure it is actually necessary. This change modifies this flow to update the local state so the cached cert is actually used by the manager. Fixes golang/go#22960 Change-Id: I16668e8098616190938ee52858294b59bc1a5160 Reviewed-on: https://go-review.googlesource.com/89995 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
c-expert-zigbee
pushed a commit
to c-expert-zigbee/crypto_go
that referenced
this issue
Mar 29, 2022
Currently, the renewal flow will check the cache before renewing to make sure it is actually necessary. This change modifies this flow to update the local state so the cached cert is actually used by the manager. Fixes golang/go#22960 Change-Id: I16668e8098616190938ee52858294b59bc1a5160 Reviewed-on: https://go-review.googlesource.com/89995 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
LewiGoddard
pushed a commit
to LewiGoddard/crypto
that referenced
this issue
Feb 16, 2023
Currently, the renewal flow will check the cache before renewing to make sure it is actually necessary. This change modifies this flow to update the local state so the cached cert is actually used by the manager. Fixes golang/go#22960 Change-Id: I16668e8098616190938ee52858294b59bc1a5160 Reviewed-on: https://go-review.googlesource.com/89995 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
BiiChris
pushed a commit
to BiiChris/crypto
that referenced
this issue
Sep 15, 2023
Currently, the renewal flow will check the cache before renewing to make sure it is actually necessary. This change modifies this flow to update the local state so the cached cert is actually used by the manager. Fixes golang/go#22960 Change-Id: I16668e8098616190938ee52858294b59bc1a5160 Reviewed-on: https://go-review.googlesource.com/89995 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
I'm running multiple instance of
autocert.Managerin a distributed environment. In some cases I'm experiencing that new certificates are not propagated to all instances and those instances end up serving expired certificates.I have been reading through the renewal part of the package and I have a theory.
I propose that the local state should be updated in
domainrenewal.doif the certificate in the cache is found to be newer than the one in the local state, and not only on successful renewals.Thus, if any other instance has successfully renewed the certificate, it should be picked up by any other instances when their renewal timer expires.
I'm running
go1.9 linux/amd64and I'm on themasterbranch of thecryptorepository, updated to the latest revision:94eea52f7b742c7cbe0b03b22f0c4c8631ece122The text was updated successfully, but these errors were encountered: