acme autocert manager ignores valid certificates on startup



5















I'm currently building a service that uses acme/autocert. To use that service with more than 1 replica, I had to write a persistent cache interface like DirCache. Then I noticed that after restarting the service, all valid certs in the Cache got ignored on startup. The following sequence happens every time:

  • Cache put acme_account+key (even if it exists in the cache)
  • Cache get acme_account+key
  • Cache get my.domain.net (it returns the cached cert)
  • Cache get acme_account+key
  • Cache put my.domain.net+token
  • Cache put HASH+http-01
  • Cache delete HASH+http-01
  • Cache delete my.domain.net+token
  • Cache put my.domain.net (put the new cert)

Is this the correct behavior? Because every replica would create its own cert, and a persistent Cache is not possible under these circumstances.

Here is my manager factory:



    // Manager, NewPersistentCertCache, AllowHostPolicy, LetsEncryptStagingURL and the db and
    // log packages come from the poster's own code and are not shown on the page; acme and
    // autocert are golang.org/x/crypto/acme and golang.org/x/crypto/acme/autocert.
    func NewManager(d *db.DynamoDB, staging bool) *Manager {
        // The persistent, DynamoDB-backed cache shared by all replicas.
        manager := &Manager{
            CertCache: NewPersistentCertCache(d),
        }

        directoryURL := acme.LetsEncryptURL
        if staging {
            directoryURL = LetsEncryptStagingURL
            log.Infof("Using CA staging environment")
        }
        log.Infof("CA URI %s", directoryURL)

        client := &acme.Client{
            DirectoryURL: directoryURL,
        }

        manager.AcmeManager = &autocert.Manager{
            Prompt:     autocert.AcceptTOS,
            HostPolicy: manager.AllowHostPolicy,
            Cache:      manager.CertCache, // every get/put/delete in the sequence above goes through this cache
            Client:     client,
        }

        return manager
    }










      go caching






      asked Nov 16 '18 at 11:42









      jamijami

          1 Answer
          3














The solution for this question is that the cache interface and behavior work correctly. My cache implementation was faulty. I had a goroutine within Cache.Get(...) that read from a DB into a channel, but unfortunately the outer function body did not wait for that channel and always returned a CacheMissed error. After the fix everything works fine. My fault, sorry.






                answered Nov 21 '18 at 11:46









                jamijami
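The failure mode the answer describes, as an added Go example that is not code from the question or from acme/autocert: brokenGet reproduces a Get that starts the DB read in a goroutine and returns a cache miss before anything receives from the channel, so every restart looks like an empty cache and the manager orders a fresh certificate (the token put/delete sequence in the question); fixedGet waits on the same channel before deciding. The in-memory map stands in for the DynamoDB table, and ErrCacheMiss is redeclared locally so the block builds without golang.org/x/crypto; a real implementation returns autocert.ErrCacheMiss and also implements Put and Delete.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Mirrors autocert.ErrCacheMiss (the manager compares against that exact value).
var ErrCacheMiss = errors.New("acme/autocert: certificate cache miss")

// readAsync mimics the poster's pattern: the DB read runs in a goroutine and delivers
// the row on a channel, which is closed without a value when the key is absent.
func readAsync(db map[string][]byte, key string) <-chan []byte {
	ch := make(chan []byte, 1)
	go func() {
		if data, ok := db[key]; ok {
			ch <- data
		}
		close(ch)
	}()
	return ch
}

// brokenGet reproduces the bug: the read is started but the channel is never received
// from, so every lookup is a miss and autocert re-issues the certificate on each start.
func brokenGet(ctx context.Context, db map[string][]byte, key string) ([]byte, error) {
	_ = readAsync(db, key)
	return nil, ErrCacheMiss
}

// fixedGet waits for the read (or for ctx cancellation) before reporting a miss.
func fixedGet(ctx context.Context, db map[string][]byte, key string) ([]byte, error) {
	select {
	case data, ok := <-readAsync(db, key):
		if !ok {
			return nil, ErrCacheMiss
		}
		return data, nil
	case <-ctx.Done():
		return nil, ctx.Err()
	}
}

func main() {
	// Constructed stand-in for the persistent store, keyed the way autocert keys certs.
	db := map[string][]byte{"my.domain.net": []byte("PEM bundle (constructed)")}
	_, err := brokenGet(context.Background(), db, "my.domain.net")
	data, _ := fixedGet(context.Background(), db, "my.domain.net")
	fmt.Printf("broken: %v\nfixed: %d bytes\n", err, len(data))
}
```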
