x/crypto/acme/autocert: Certificate renewal does not check that the cache was updated #23569
Labels
Milestone
Comments
|
A future-proof link to the line in question: |
odeke-em
changed the title
c-expert-zigbee
pushed a commit
to c-expert-zigbee/crypto_go
that referenced
this issue
Mar 28, 2022
Fixes golang/go#23569 Change-Id: I0f3ffab74acd2b69da0bbec2e0e90e42c2618071 GitHub-Last-Rev: e66a888d643dacc290ef58649dcc248d1925219e GitHub-Pull-Request: golang/crypto#35 Reviewed-on: https://go-review.googlesource.com/98756 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
c-expert-zigbee
pushed a commit
to c-expert-zigbee/crypto_go
that referenced
this issue
Mar 29, 2022
Fixes golang/go#23569 Change-Id: I0f3ffab74acd2b69da0bbec2e0e90e42c2618071 GitHub-Last-Rev: e66a888d643dacc290ef58649dcc248d1925219e GitHub-Pull-Request: golang/crypto#35 Reviewed-on: https://go-review.googlesource.com/98756 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
LewiGoddard
pushed a commit
to LewiGoddard/crypto
that referenced
this issue
Feb 16, 2023
Fixes golang/go#23569 Change-Id: I0f3ffab74acd2b69da0bbec2e0e90e42c2618071 GitHub-Last-Rev: e66a888d643dacc290ef58649dcc248d1925219e GitHub-Pull-Request: golang/crypto#35 Reviewed-on: https://go-review.googlesource.com/98756 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
BiiChris
pushed a commit
to BiiChris/crypto
that referenced
this issue
Sep 15, 2023
Fixes golang/go#23569 Change-Id: I0f3ffab74acd2b69da0bbec2e0e90e42c2618071 GitHub-Last-Rev: e66a888 GitHub-Pull-Request: golang#35 Reviewed-on: https://go-review.googlesource.com/98756 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Please answer these questions before submitting your issue. Thanks!
What version of Go are you using (
go version)?N/A
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env)?N/A
What did you do?
https://github.com/golang/crypto/blob/master/acme/autocert/renewal.go#L105
We aren't checking for errors when attempting to update the cache after a cert renewal, which could lead to renewal certs getting lost on process restart, or multiple renewals getting triggered in a distributed context.
If a cache.Put() fails, we could flag the renew as dirty and schedule a new one in the near future. The renew flow could compare the in-memory cert with the cached cert and decide if it should try to update the cache again. (Or accept a renewed cert from the cache if another node was successful)
This has a nice benefit of ensuring some sort of eventual consistency in a distributed use case too.
The text was updated successfully, but these errors were encountered: