tls: Only require renewed cert at startup 7 days out (issue #1680)
This commit is contained in:
parent
ebf4279e98
commit
410ece831f
1 changed files with 18 additions and 7 deletions
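--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -25,6 +25,13 @@ const (
 	// RenewDurationBefore is how long before expiration to renew certificates.
 	RenewDurationBefore = (24 * time.Hour) * 30
 
+	// RenewDurationBeforeAtStartup is how long before expiration to require
+	// a renewed certificate when the process is first starting up (see #1680).
+	// A wider window between RenewDurationBefore and this value will allow
+	// Caddy to start under duress but hopefully this duration will give it
+	// enough time for the blockage to be relieved.
+	RenewDurationBeforeAtStartup = (24 * time.Hour) * 7
+
 	// OCSPInterval is how often to check if OCSP stapling needs updating.
 	OCSPInterval = 1 * time.Hour
 )
@@ -126,13 +133,17 @@ func RenewManagedCertificates(allowPrompts bool) (err error) {
 		err := cert.Config.RenewCert(renewName, allowPrompts)
 		if err != nil {
 			if allowPrompts {
-				// Certificate renewal failed and the operator is present; we should stop
-				// immediately and return the error. See a discussion in issue 642
-				// about this. For a while, we only stopped if the certificate was
-				// expired, but in reality, there is no difference between reporting
-				// it now versus later, except that there's somebody present to deal
-				// with it now, so require it.
-				return err
+				// Certificate renewal failed and the operator is present. See a discussion
+				// about this in issue 642. For a while, we only stopped if the certificate
+				// was expired, but in reality, there is no difference between reporting
+				// it now versus later, except that there's somebody present to deal with
+				// it right now.
+				timeLeft := cert.NotAfter.Sub(time.Now().UTC())
+				if timeLeft < RenewDurationBeforeAtStartup {
+					// See issue 1680. Only fail at startup if the certificate is dangerously
+					// close to expiration.
+					return err
+				}
 			}
 			log.Printf("[ERROR] %v", err)
 			if cert.Config.OnDemand {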
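Review bot: The new startup check in RenewManagedCertificates only produces a grace window if RenewDurationBeforeAtStartup stays shorter than RenewDurationBefore, yet nothing in the const block states or enforces that ordering, so a later edit raising the startup value past 30 days would silently make every startup renewal failure fatal again; a comment on the constant such as `// Must be shorter than RenewDurationBefore, or the startup grace window disappears.` would pin the invariant. On the tolerated path, a renewal that failed with more than seven days left falls through to the existing `log.Printf("[ERROR] %v", err)` with no sign that startup deliberately continued on a certificate whose renewal is overdue, which is the one event an operator watching the logs most needs to see; logging the remaining lifetime at that point, e.g. `log.Printf("[WARNING] %v; certificate for %s has %s left, continuing startup", err, renewName, timeLeft)` inside the allowPrompts branch after the inner if, would make the deferred failure visible. The `.UTC()` on `time.Now()` is redundant for `Sub`, which compares instants regardless of location. The enclosing loop and function begin before the hunk, and the fall-through handling continues after it.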