authorMatthew Holt <[email protected]>2024-04-26 15:14:20 -0600
committerMatthew Holt <[email protected]>2024-04-26 15:14:20 -0600
commitf8cafb901bbcd2c11ebff6c93804c675941d4cc4 (patch)
tree4fa5244efb3137f08f53253152d0a860ded4df0e
parent4b9860e741af75df0d7da6d6eac1f55904ae8585 (diff)
downloadcaddy-f8cafb901bbcd2c11ebff6c93804c675941d4cc4.tar.gz
caddy-f8cafb901bbcd2c11ebff6c93804c675941d4cc4.zip
Make sure new TLS app manages configured certs
-rw-r--r--modules/caddytls/tls.go15
1 files changed, 14 insertions, 1 deletions
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index c59d8e975..095571ae6 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -360,11 +360,16 @@ func (t *TLS) Cleanup() error {
// app instance (which is being stopped) that are not managed or loaded by the
// new app instance (which just started), and remove them from the cache
var noLongerManaged []certmagic.SubjectIssuer
- var noLongerLoaded []string
+ var reManage, noLongerLoaded []string
for subj := range t.managing {
if _, ok := nextTLSApp.managing[subj]; !ok {
name, issuerKey, _ := strings.Cut(subj, "~")
noLongerManaged = append(noLongerManaged, certmagic.SubjectIssuer{Subject: name, IssuerKey: issuerKey})
+ // if the new TLS app is managing a cert for the same subject we are evicting,
+ // make sure it obtains or loads the cert using that config afterwards
+ if _, ok := nextTLSApp.managing[name]; ok {
+ reManage = append(reManage, name)
+ }
}
}
for hash := range t.loaded {
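Review bot: The added lookup `nextTLSApp.managing[name]` uses the bare subject, while the keys this loop iterates are split with `strings.Cut(subj, "~")` into a name and an issuer key; if the new app's `managing` map is keyed the same way (`name~issuerKey`), a bare-name lookup will never match and `reManage` stays empty, silently defeating the fix — confirm how `managing` is keyed. Also, when the old app managed one subject under several issuer keys, `name` is appended to `reManage` once per key; dedupe before appending, e.g. with a local `seen := map[string]struct{}{}` and `if _, dup := seen[name]; dup { continue }`. `Cleanup` begins before this hunk.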
@@ -377,6 +382,14 @@ func (t *TLS) Cleanup() error {
certCache.RemoveManaged(noLongerManaged)
certCache.Remove(noLongerLoaded)
certCacheMu.RUnlock()
+
+ // give the new TLS app a "kick" to manage certs that it is configured for
+ // with its own configuration instead of the one we just evicted
+ if err := nextTLSApp.Manage(reManage); err != nil {
+ t.logger.Error("re-managing unloaded certificates with new config",
+ zap.Strings("subjects", reManage),
+ zap.Error(err))
+ }
} else {
// no more TLS app running, so delete in-memory cert cache
certCache.Stop()
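Review bot: `nextTLSApp.Manage(reManage)` runs only after `RemoveManaged` has already evicted those certificates, so between the eviction and the new config obtaining or loading them there is a window with no cached certificate for those subjects; what a handshake does in that window depends on `Manage`, which is not visible here, and is worth stating in the comment above the call. The call is also made unconditionally even when `reManage` is empty — guard it with `if len(reManage) > 0 {` unless `Manage` is known to treat an empty slice as a no-op. The error is logged but not returned, so `Cleanup` reports success even when re-management failed; if that is deliberate (best effort during a config reload), say so in the comment so a later reader does not "fix" it.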