tls: Evict existing certificates from cache when loading ones from disk

Matthew Holt 2017-10-16 16:40:43 -06:00
parent 79072828a5
commit 654f26cb91
No known key found for this signature in database
GPG key ID: 2A349DD577D586A5


@ -128,8 +128,10 @@ func (cfg *Config) CacheManagedCertificate(domain string) (Certificate, error) {
// cacheUnmanagedCertificatePEMFile loads a certificate for host using certFile // cacheUnmanagedCertificatePEMFile loads a certificate for host using certFile
// and keyFile, which must be in PEM format. It stores the certificate in // and keyFile, which must be in PEM format. It stores the certificate in
// memory. The Managed and OnDemand flags of the certificate will be set to // memory after evicting any other entries in the cache keyed by the names
// false. // on this certificate. In other words, it replaces existing certificates keyed
// by the names on this certificate. The Managed and OnDemand flags of the
// certificate will be set to false.
// //
// This function is safe for concurrent use. // This function is safe for concurrent use.
func cacheUnmanagedCertificatePEMFile(certFile, keyFile string) error { func cacheUnmanagedCertificatePEMFile(certFile, keyFile string) error {
@ -137,6 +139,16 @@ func cacheUnmanagedCertificatePEMFile(certFile, keyFile string) error {
if err != nil { if err != nil {
return err return err
} }
// since this is manually managed, this call might be part of a reload after
// the owner renewed a certificate; so clear cache of any previous cert first,
// otherwise the renewed certificate may never be loaded
certCacheMu.Lock()
for _, name := range cert.Names {
delete(certCache, name)
}
certCacheMu.Unlock()
cacheCertificate(cert) cacheCertificate(cert)
return nil return nil
} }
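Review bot: In the second hunk the lock is dropped between the `delete(certCache, name)` loop and `cacheCertificate(cert)`, so any concurrent reader of certCache that looks up one of cert.Names in that window finds no entry at all rather than the previous certificate; during a reload that is a worse outcome than briefly serving the old cert, and if cacheCertificate acquires certCacheMu itself (not visible here) the insert also races other writers for the same names. Do the eviction and the store under one acquisition — `certCacheMu.Lock(); defer certCacheMu.Unlock()` at the top of the block, with the store going through a path that does not re-lock certCacheMu — so the replacement is atomic to readers. The eviction is also keyed only on the names of the new certificate: if the previous certificate loaded from this file carried an extra SAN that the renewed one dropped, that name keeps serving the stale entry, which the new doc comment should state (`// Names present only on the previously loaded certificate are not evicted.`) or the caller should handle by tracking names per file. The part of cacheUnmanagedCertificatePEMFile between the two hunks (the load that produces cert and err) is outside this view.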