Go: x/crypto/acme/autocert: Update local state with new cert on failed renewal

Created on 1 Dec 2017 · 7 comments · Source: golang/go

I'm running multiple instances of autocert.Manager in a distributed environment. In some cases I'm experiencing that new certificates are not propagated to all instances, and those instances end up serving expired certificates.

I have been reading through the renewal part of the package and I have a theory.

I propose that the local state should be updated in domainrenewal.do if the certificate in the cache is found to be newer than the one in the local state, and not only on successful renewals.

Thus, if any other instance has successfully renewed the certificate, it should be picked up by any other instances when their renewal timer expires.

I'm running go1.9 linux/amd64 and I'm on the master branch of the crypto repository, updated to the latest revision: 94eea52f7b742c7cbe0b03b22f0c4c8631ece122

FrozenDueToAge NeedsFix
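The check proposed above, as an added Go example that is not the autocert package's own code: on a renewal timer tick, consult the shared cache first and adopt a certificate that is valid now and outlives the local one, rather than issuing a new one. `Action`, `Decide` and `SelfSigned` are assumed names, and the real `autocert.Cache` round trip (PEM bytes from `Get`) is left out; the certificates are constructed in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// Action is what one renewal timer tick decides to do.
type Action int

const (
	KeepLocal   Action = iota // local cert still fresh; nothing to do
	AdoptCached               // a peer already renewed; take its cert, skip the CA round trip
	Renew                     // nobody renewed yet; this instance must talk to the CA
)

// Decide applies the issue's proposal: before renewing, prefer a cached certificate
// that is valid now and outlives the local one by more than the lead time (RenewBefore).
func Decide(local, cached *x509.Certificate, now time.Time, renewBefore time.Duration) Action {
	if cached != nil &&
		!now.Before(cached.NotBefore) && now.Before(cached.NotAfter) && // valid right now
		cached.NotAfter.After(local.NotAfter) && // strictly newer than local state
		cached.NotAfter.Sub(now) > renewBefore { // and not itself due for renewal
		return AdoptCached
	}
	if local.NotAfter.Sub(now) <= renewBefore {
		return Renew
	}
	return KeepLocal
}

// must panics on error; only used while constructing sample certificates.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// SelfSigned builds a constructed self-signed leaf with the given validity window,
// standing in for what a peer instance would have written to the cache.
func SelfSigned(notBefore, notAfter time.Time) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}
```

An expired or not-yet-valid cached certificate is never adopted, so a corrupt or stale cache entry still falls through to a normal renewal.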

All 7 comments

Sounds reasonable.

/cc @x1ddos

Yeah, it's a good one. Working on a CL now.

Change https://golang.org/cl/89995 mentions this issue: acme/autocert: use valid certificates from the cache during renewal

@x1ddos Ran into this as well, also pushed a first stab at fixing it. WDYT?

Thanks @morgabra. Yeah, I had an almost identical change but never sent it for review, so we'll use yours. Added some comments.

We've been running the code in https://go-review.googlesource.com/c/crypto/+/89995 in prod for a few weeks now if anyone else is running into this.

Sorry, fell off my radar. Reviewed.
