renewal.go 3.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141
  1. // Copyright 2016 The Go Authors. All rights reserved.
  2. // Use of this source code is governed by a BSD-style
  3. // license that can be found in the LICENSE file.
  4. package autocert
  5. import (
  6. "context"
  7. "crypto"
  8. "sync"
  9. "time"
  10. )
  11. // renewJitter is the maximum deviation from Manager.RenewBefore.
  12. const renewJitter = time.Hour
  13. // domainRenewal tracks the state used by the periodic timers
  14. // renewing a single domain's cert.
  15. type domainRenewal struct {
  16. m *Manager
  17. ck certKey
  18. key crypto.Signer
  19. timerMu sync.Mutex
  20. timer *time.Timer
  21. }
  22. // start starts a cert renewal timer at the time
  23. // defined by the certificate expiration time exp.
  24. //
  25. // If the timer is already started, calling start is a noop.
  26. func (dr *domainRenewal) start(exp time.Time) {
  27. dr.timerMu.Lock()
  28. defer dr.timerMu.Unlock()
  29. if dr.timer != nil {
  30. return
  31. }
  32. dr.timer = time.AfterFunc(dr.next(exp), dr.renew)
  33. }
  34. // stop stops the cert renewal timer.
  35. // If the timer is already stopped, calling stop is a noop.
  36. func (dr *domainRenewal) stop() {
  37. dr.timerMu.Lock()
  38. defer dr.timerMu.Unlock()
  39. if dr.timer == nil {
  40. return
  41. }
  42. dr.timer.Stop()
  43. dr.timer = nil
  44. }
  45. // renew is called periodically by a timer.
  46. // The first renew call is kicked off by dr.start.
  47. func (dr *domainRenewal) renew() {
  48. dr.timerMu.Lock()
  49. defer dr.timerMu.Unlock()
  50. if dr.timer == nil {
  51. return
  52. }
  53. ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
  54. defer cancel()
  55. // TODO: rotate dr.key at some point?
  56. next, err := dr.do(ctx)
  57. if err != nil {
  58. next = renewJitter / 2
  59. next += time.Duration(pseudoRand.int63n(int64(next)))
  60. }
  61. dr.timer = time.AfterFunc(next, dr.renew)
  62. testDidRenewLoop(next, err)
  63. }
  64. // updateState locks and replaces the relevant Manager.state item with the given
  65. // state. It additionally updates dr.key with the given state's key.
  66. func (dr *domainRenewal) updateState(state *certState) {
  67. dr.m.stateMu.Lock()
  68. defer dr.m.stateMu.Unlock()
  69. dr.key = state.key
  70. dr.m.state[dr.ck] = state
  71. }
  72. // do is similar to Manager.createCert but it doesn't lock a Manager.state item.
  73. // Instead, it requests a new certificate independently and, upon success,
  74. // replaces dr.m.state item with a new one and updates cache for the given domain.
  75. //
  76. // It may lock and update the Manager.state if the expiration date of the currently
  77. // cached cert is far enough in the future.
  78. //
  79. // The returned value is a time interval after which the renewal should occur again.
  80. func (dr *domainRenewal) do(ctx context.Context) (time.Duration, error) {
  81. // a race is likely unavoidable in a distributed environment
  82. // but we try nonetheless
  83. if tlscert, err := dr.m.cacheGet(ctx, dr.ck); err == nil {
  84. next := dr.next(tlscert.Leaf.NotAfter)
  85. if next > dr.m.renewBefore()+renewJitter {
  86. signer, ok := tlscert.PrivateKey.(crypto.Signer)
  87. if ok {
  88. state := &certState{
  89. key: signer,
  90. cert: tlscert.Certificate,
  91. leaf: tlscert.Leaf,
  92. }
  93. dr.updateState(state)
  94. return next, nil
  95. }
  96. }
  97. }
  98. der, leaf, err := dr.m.authorizedCert(ctx, dr.key, dr.ck)
  99. if err != nil {
  100. return 0, err
  101. }
  102. state := &certState{
  103. key: dr.key,
  104. cert: der,
  105. leaf: leaf,
  106. }
  107. tlscert, err := state.tlscert()
  108. if err != nil {
  109. return 0, err
  110. }
  111. if err := dr.m.cachePut(ctx, dr.ck, tlscert); err != nil {
  112. return 0, err
  113. }
  114. dr.updateState(state)
  115. return dr.next(leaf.NotAfter), nil
  116. }
  117. func (dr *domainRenewal) next(expiry time.Time) time.Duration {
  118. d := expiry.Sub(dr.m.now()) - dr.m.renewBefore()
  119. // add a bit of randomness to renew deadline
  120. n := pseudoRand.int63n(int64(renewJitter))
  121. d -= time.Duration(n)
  122. if d < 0 {
  123. return 0
  124. }
  125. return d
  126. }
  127. var testDidRenewLoop = func(next time.Duration, err error) {}