Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Automatically replace revoked certs managed on-demand
When I initially wrote the auto-replace feature, it was for the standard mode of operation, which I presumed the vast majority of CertMagic deployments use. At the time, On-Demand mode of operation was fairly niche. And at the time, it looked tricky to properly enable this feature for on-demand certificates, so I shelved it considering it would be low-impact anyway. So on-demand certificates didn't benefit from auto-replace in the case of revocation (oh well, no other servers / ACME clients do that at all anyway).

I guess since that time, the use of CertMagic's exclusive on-demand feature has risen in popularity. But there is no way to tell, and I had no real way of knowing whether any significant use of the feature is being had since Caddy has no telemetry. (We used to have telemetry -- benign, anonymous technical stats to help us understand usage -- but unfortunately public backlash forced us to end the program.) Based on public feedback forced by external events, it seems that on-demand TLS deployments are probably rare, but each of those few deployments actually serve thousands of sites/domains. (The true importance of this feature would have been clear months ago if Caddy had telemetry, as Caddy is the primary importer of CertMagic.)

This commit should enable auto-replace for on-demand certificates. It required some refactoring and some decisions that aren't *entirely* clear are right, but that's how it goes. I haven't tested this. (Last time I worked on this feature it took me about 2 days to test properly.)
Showing 2 changed files with 108 additions and 92 deletions.
9245be5
Hi! FWIW we're using on-demand certmagic (via tlstunnel) for https://srht.site/. We're serving a few hundred domains.
We'll test this change. Let me know if we can help with something else.
Thank you for this, we're experiencing a bunch of sites breaking because of this.
However, the fix is not working for us unfortunately :(
This is the function that was patched https://github.dev/caddyserver/certmagic/blob/9245be5a2f16135b9de55567682f49a2d343e1f0/handshake.go#L469
But this if statement will still try to get the certificate from storage if it's not expired (to my understanding "revoked" and "expired" are two different things, and if a certificate is revoked it doesn't mean it's expired) https://github.dev/caddyserver/certmagic/blob/9245be5a2f16135b9de55567682f49a2d343e1f0/handshake.go#L473
We always end up in that `if` statement because as far as we can see the revoked certificates are not expired. So it ends up never force-regenerating the revoked certificates.
@cminardi Thanks so much for testing this. I wrote this patch close to midnight on a weekend, and I was very tired. I would not be surprised if this didn't work.
To clarify, are your certificates within the renewal window (yet are revoked)? If so, I imagine it's getting to this line: https://github.dev/caddyserver/certmagic/blob/9245be5a2f16135b9de55567682f49a2d343e1f0/handshake.go#L596 and the `false` is causing it to not force-renew, right? It should be pretty easy to patch it up so it forces a renewal in the case of revocation. Maybe it's simply a matter of moving the "Check OCSP staple validity" section (with that comment) up above the "Check cert expiration" section (with that comment).
(I'm working on a patch for this patch.)
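The reordering discussed in the comments above, as an added illustration that is not CertMagic's code: a hypothetical ManagedCert model and an OCSPRevoked stand-in for the golang.org/x/crypto/ocsp status value, with the reported ordering (expiration checked first) beside the corrected one (revocation checked first).

```go
package main

import "time"

// Stand-in for the OCSP staple status value (assumption: the real code uses
// golang.org/x/crypto/ocsp; defined locally so this runs on stdlib alone).
const OCSPRevoked = 1

// ManagedCert is a hypothetical model of a cert loaded from storage: its
// leaf validity window plus the status of its cached OCSP staple.
type ManagedCert struct {
	NotBefore, NotAfter time.Time
	OCSPStatus          int
}

// expiringSoon reports whether the cert is inside its renewal window,
// taken here as the last third of its lifetime (assumed ratio).
func expiringSoon(c ManagedCert, now time.Time) bool {
	window := time.Duration(float64(c.NotAfter.Sub(c.NotBefore)) / 3)
	return now.After(c.NotAfter.Add(-window))
}

// decideBuggy mirrors the ordering reported in the thread: the expiration
// check runs first and returns early, so a revoked cert that is not yet
// expiring is reused from storage instead of being replaced.
// Returns (renew, force).
func decideBuggy(c ManagedCert, now time.Time) (bool, bool) {
	if !expiringSoon(c, now) {
		return false, false
	}
	return true, c.OCSPStatus == OCSPRevoked
}

// decideFixed applies the suggested reordering: the OCSP staple is checked
// before expiration, so revocation always forces a renewal.
func decideFixed(c ManagedCert, now time.Time) (bool, bool) {
	if c.OCSPStatus == OCSPRevoked {
		return true, true
	}
	return expiringSoon(c, now), false
}
```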
@cminardi Can you please check #166? Again, I haven't tested it, but this patch took me all day alone, so I'm hoping it's closer to being right.
Thank you! I can't test with real data anymore as we had to manually regenerate the certificates to make up for letsencrypt revoking a bunch, so now they're all valid. But it looks like the new PR solves the issue in our case!
It would take me another couple of days to test it, so I'm just going to merge it and hope it works.