author | Matthew Holt <[email protected]> | 2024-04-26 15:14:20 -0600 |
---|---|---|
committer | Matthew Holt <[email protected]> | 2024-04-26 15:14:20 -0600 |
commit | f8cafb901bbcd2c11ebff6c93804c675941d4cc4 (patch) | |
tree | 4fa5244efb3137f08f53253152d0a860ded4df0e | |
parent | 4b9860e741af75df0d7da6d6eac1f55904ae8585 (diff) | |
download | caddy-f8cafb901bbcd2c11ebff6c93804c675941d4cc4.tar.gz caddy-f8cafb901bbcd2c11ebff6c93804c675941d4cc4.zip |
Make sure new TLS app manages configured certs
-rw-r--r-- | modules/caddytls/tls.go | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index c59d8e975..095571ae6 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -360,11 +360,16 @@ func (t *TLS) Cleanup() error {
 // app instance (which is being stopped) that are not managed or loaded by the
 // new app instance (which just started), and remove them from the cache
 var noLongerManaged []certmagic.SubjectIssuer
- var noLongerLoaded []string
+ var reManage, noLongerLoaded []string
 for subj := range t.managing {
 if _, ok := nextTLSApp.managing[subj]; !ok {
 name, issuerKey, _ := strings.Cut(subj, "~")
 noLongerManaged = append(noLongerManaged, certmagic.SubjectIssuer{Subject: name, IssuerKey: issuerKey})
+ // if the new TLS app is managing a cert for the same subject we are evicting,
+ // make sure it obtains or loads the cert using that config afterwards
+ if _, ok := nextTLSApp.managing[name]; ok {
+ reManage = append(reManage, name)
+ }
 }
 }
 for hash := range t.loaded {
@@ -377,6 +382,14 @@ func (t *TLS) Cleanup() error {
 certCache.RemoveManaged(noLongerManaged)
 certCache.Remove(noLongerLoaded)
 certCacheMu.RUnlock()
+
+ // give the new TLS app a "kick" to manage certs that it is configured for
+ // with its own configuration instead of the one we just evicted
+ if err := nextTLSApp.Manage(reManage); err != nil {
+ t.logger.Error("re-managing unloaded certificates with new config",
+ zap.Strings("subjects", reManage),
+ zap.Error(err))
+ }
 } else {
 // no more TLS app running, so delete in-memory cert cache
 certCache.Stop() |
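Review bot: The added lookup `nextTLSApp.managing[name]` keys on the bare subject, while the enclosing check a few lines above keys on `subj`, the composite value that `strings.Cut(subj, "~")` splits into subject and issuer key; the two lookups assume different key forms for the same map. If `managing` is keyed as `subject~issuerKey` throughout (the map's definition is not in the hunk), the new lookup never matches, `reManage` stays empty, and the evicted certificate is removed from the cache but never re-obtained under the new config, which is the handshake failure this commit sets out to fix. The key form should be pinned down with a comment on the map declaration such as `// keys are "subject" or "subject~issuerKey" — Cleanup relies on both forms`, and a reload test that keeps a subject while changing its issuer would catch a silent mismatch. The body of Cleanup begins before and continues after this hunk.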
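Review bot: `nextTLSApp.Manage(reManage)` runs only after `certCache.RemoveManaged(noLongerManaged)` has already evicted the certificates, so between the eviction and the new app's obtain/load completing there is a window in which handshakes for those subjects have no certificate to serve; if Manage schedules the work asynchronously (not visible here), the returned error covers only scheduling and the window lasts until the background work finishes. Narrowing it would mean having the new app manage the subjects before the old entries are removed, if the cache allows the overlap, and at minimum the call should be skipped when there is nothing to re-manage: `if len(reManage) > 0 {`. The logged error is the only signal that a subject was left without a certificate, so it deserves a comment noting that it indicates a serving outage for those names rather than a benign condition. Cleanup continues outside the hunk.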