acme autocert manager ignores valid certificates on startup
I'm currently building a service that uses acme/autocert. To use that service with more than 1 replica, I had to write a persistent Cache implementation like DirCache. Then I noticed that after restarting the service, all valid certs in the Cache get ignored on startup. The following sequence happens every time:
- Cache put acme_account+key (even if it exists in the cache)
- Cache get acme_account+key
- Cache get my.domain.net (it returns the cached cert)
- Cache get acme_account+key
- Cache put my.domain.net+token
- Cache put HASH+http-01
- Cache delete HASH+http-01
- Cache delete my.domain.net+token
- Cache put my.domain.net (put the new cert)
Is this the correct behavior? Because every replica would create its own cert, and a persistent Cache is not possible under these circumstances.
Here is my manager factory (braces restored; Manager, NewPersistentCertCache, AllowHostPolicy, the db and log packages and LetsEncryptStagingURL are defined elsewhere in my code):

import (
	"golang.org/x/crypto/acme"
	"golang.org/x/crypto/acme/autocert"
)

// NewManager wires a persistent, DynamoDB-backed autocert.Cache into the manager
// so that several replicas can share one set of certificates and one ACME account.
func NewManager(d *db.DynamoDB, staging bool) *Manager {
	manager := &Manager{
		CertCache: NewPersistentCertCache(d),
	}
	directoryURL := acme.LetsEncryptURL
	if staging {
		directoryURL = LetsEncryptStagingURL
		log.Infof("Using CA staging environment")
	}
	log.Infof("CA URI %s", directoryURL)
	client := &acme.Client{
		DirectoryURL: directoryURL,
	}
	manager.AcmeManager = &autocert.Manager{
		Prompt:     autocert.AcceptTOS,
		HostPolicy: manager.AllowHostPolicy,
		Cache:      manager.CertCache,
		Client:     client,
	}
	return manager
}
go caching
asked Nov 16 '18 at 11:42 by jami
1 Answer
The solution to this question is that the cache interface and behavior work correctly. My cache implementation was faulty. I had a goroutine within Cache.Get(...) that read from the DB into a channel, but unfortunately the outer function body did not wait for that channel and always returned a CacheMissed error. After the fix everything works fine. My fault, sorry.
answered Nov 21 '18 at 11:46 by jami
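The failure mode in the accepted answer, reproduced as an added example that is not the poster's code and does not import golang.org/x/crypto: a local Cache interface and ErrCacheMiss sentinel mirror autocert.Cache's three methods and autocert.ErrCacheMiss, a sync.Map-backed store stands in for the DynamoDB table, and the names PersistentCache, BuggyCache, simulateStartup and seeded are hypothetical. BuggyCache.Get fires the DB read into a channel and returns before receiving from it, so autocert sees a miss and re-issues on every restart; PersistentCache.Get waits on the channel, honours context cancellation, and reports a miss only for a row that is really absent.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
)

// ErrCacheMiss mirrors autocert.ErrCacheMiss. A real Cache must return that
// exact sentinel (autocert compares with ==); any other error is treated as a
// failure, not as "not cached".
var ErrCacheMiss = errors.New("acme/autocert: certificate cache miss")

// Cache mirrors the three methods of autocert.Cache.
type Cache interface {
	Get(ctx context.Context, key string) ([]byte, error)
	Put(ctx context.Context, key string, data []byte) error
	Delete(ctx context.Context, key string) error
}

// store is a constructed in-memory stand-in for the DynamoDB table.
type store struct{ rows sync.Map }

// read models the blocking DB call; nil means the row does not exist.
func (s *store) read(key string) []byte {
	if v, ok := s.rows.Load(key); ok {
		return v.([]byte)
	}
	return nil
}

// PersistentCache (hypothetical name) is the corrected implementation: Get
// waits for the read, honours ctx, and reports a miss only for absent rows.
type PersistentCache struct{ db *store }

func (c *PersistentCache) Get(ctx context.Context, key string) ([]byte, error) {
	ch := make(chan []byte, 1) // buffered: the goroutine cannot leak if ctx wins
	go func() { ch <- c.db.read(key) }()
	select {
	case data := <-ch:
		if data == nil {
			return nil, ErrCacheMiss
		}
		return data, nil
	case <-ctx.Done():
		return nil, ctx.Err() // a real error, never disguised as a miss
	}
}

func (c *PersistentCache) Put(_ context.Context, key string, data []byte) error {
	c.db.rows.Store(key, append([]byte(nil), data...))
	return nil
}

func (c *PersistentCache) Delete(_ context.Context, key string) error {
	c.db.rows.Delete(key)
	return nil
}

// BuggyCache reproduces the defect from the answer: Get launches the read
// into a channel but never receives from it, so every lookup is a miss.
type BuggyCache struct{ PersistentCache }

func (c *BuggyCache) Get(_ context.Context, key string) ([]byte, error) {
	ch := make(chan []byte, 1)
	go func() { ch <- c.db.read(key) }()
	// Missing "<-ch": the row is fetched and thrown away; the caller sees a miss.
	return nil, ErrCacheMiss
}

// simulateStartup does what the manager does for the first handshake after a
// restart: reuse the cached cert, or order a new one only on ErrCacheMiss.
// The "issuance" Put is a constructed placeholder for the real ACME order.
func simulateStartup(ctx context.Context, c Cache, domain string) (bool, error) {
	_, err := c.Get(ctx, domain)
	if err == nil {
		return false, nil // cached cert reused
	}
	if err != ErrCacheMiss {
		return false, err // DB failure: surface it instead of issuing
	}
	return true, c.Put(ctx, domain, []byte("-----BEGIN CERTIFICATE-----\nnew\n"))
}

// seeded returns a store holding the cert a previous run left behind (constructed).
func seeded() *store {
	db := &store{}
	db.rows.Store("my.domain.net", []byte("cached-cert"))
	return db
}

func main() {
	ctx := context.Background()
	buggy, _ := simulateStartup(ctx, &BuggyCache{PersistentCache{seeded()}}, "my.domain.net")
	fixed, _ := simulateStartup(ctx, &PersistentCache{seeded()}, "my.domain.net")
	fmt.Printf("reissued after restart: buggy=%v fixed=%v\n", buggy, fixed) // true false
}
```

The operational consequence of the bug is worth spelling out: every replica restart triggers a fresh ACME order, which both burns Let's Encrypt rate limits and means the replicas never actually share a certificate. The fixed Get also distinguishes a DB failure (returned as-is) from a genuine miss, so an outage of the backing store fails closed instead of silently issuing more certificates.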