tls: Always stop and report cert renewal error if operator is present

This commit is contained in:
Matthew Holt 2017-01-21 15:14:04 -07:00
parent 9369b81498
commit 11adb2e5a7
No known key found for this signature in database
GPG key ID: 2A349DD577D586A5


@ -125,14 +125,13 @@ func RenewManagedCertificates(allowPrompts bool) (err error) {
// perform renewal // perform renewal
err := cert.Config.RenewCert(renewName, allowPrompts) err := cert.Config.RenewCert(renewName, allowPrompts)
if err != nil { if err != nil {
if allowPrompts && cert.NotAfter.Sub(time.Now().UTC()) < 0 { if allowPrompts {
// Certificate renewal failed, the operator is present, and the certificate // Certificate renewal failed and the operator is present; we should stop
// is already expired; we should stop immediately and return the error. Note // immediately and return the error. See a discussion in issue 642
// that we used to do this any time a renewal failed at startup. However, // about this. For a while, we only stopped if the certificate was
// after discussion in https://github.com/mholt/caddy/issues/642 we decided to // expired, but in reality, there is no difference between reporting
// only stop startup if the certificate is expired. We still log the error // it now versus later, except that there's somebody present to deal
// otherwise. I'm not sure how permanent the change in #642 will be... // with it now, so require it.
// TODO: Get rid of the expiration check... always break on error.
return err return err
} }
log.Printf("[ERROR] %v", err) log.Printf("[ERROR] %v", err)
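Review bot: The `return err` inside the new `if allowPrompts` branch passes RenewCert's bare error up without saying which certificate failed, and because this branch now fires on every renewal failure rather than only on already-expired certificates, the operator is given less context at exactly the moment the new comment expects them to deal with it; wrapping it as `return fmt.Errorf("renewing certificate for %s: %v", renewName, err)` (assuming fmt is already imported in this file) keeps the name attached to the error. The `log.Printf("[ERROR] %v", err)` fallback on the following context line has the same gap, though that line is unchanged by this commit. Separately, `err := cert.Config.RenewCert(...)` shadows the function's named result `err`; the explicit `return err` keeps this path correct, but the shadowing is the kind that vet's shadow check flags and is worth a look if the named result is relied on elsewhere in the function. RenewManagedCertificates begins before this hunk and continues past it.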