Skip to content

Implement persistent certificate storage with reuse for self-signed SSL#6

Merged
warkanum merged 5 commits intoserverfrom
copilot/sub-pr-5
Dec 30, 2025
Merged

Implement persistent certificate storage with reuse for self-signed SSL#6
warkanum merged 5 commits intoserverfrom
copilot/sub-pr-5

Conversation

Copy link
Contributor

Copilot AI commented Dec 30, 2025
edited
Loading

Self-signed SSL certificates are now stored persistently and reused across server restarts, eliminating the need for cleanup and improving performance.

Changes

  • Persistent certificate storage: Certificates are stored in {UserCacheDir}/resolvespec/certs/ with consistent naming based on hostname
  • Certificate reuse logic: System checks for existing valid certificates before generating new ones
  • Expiration handling: Certificates are validated and regenerated if expired or expiring within 30 days
  • Security improvements: Added hostname sanitization to prevent path traversal vulnerabilities and mutex protection to prevent race conditions during concurrent certificate generation
  • Test coverage: Added TestSelfSignedSSLCertificateReuse to verify certificate reuse functionality

Implementation

Certificates are stored with consistent naming and reused when valid:

// tls.go
func configureTLS(cfg Config) (*tls.Config, string, string, error) {
    // ...
    // Check for existing valid certificates
    certFile := filepath.Join(certDir, fmt.Sprintf("%s-cert.pem", safeHost))
    keyFile := filepath.Join(certDir, fmt.Sprintf("%s-key.pem", safeHost))
    
    // If valid certificates exist, reuse them
    if isCertificateValid(certFile) {
        if _, err := os.Stat(keyFile); err == nil {
            return tlsConfig, certFile, keyFile, nil
        }
    }
    
    // Generate new certificates only when needed
    certPEM, keyPEM, err := generateSelfSignedCert(host)
    // ... save to persistent files
}

Only self-signed SSL certificates use persistent storage; user-provided certs and AutoTLS are unaffected.

Benefits

  • No resource leaks: Certificates persist across server restarts
  • Better performance: Reuses existing valid certificates instead of regenerating
  • Simpler lifecycle: No cleanup required on shutdown
  • Consistent storage: All certificates stored in a well-defined location

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI mentioned this pull request Dec 30, 2025
Merged
Copilot AI and others added 2 commits December 30, 2025 11:00
@warkanum
Implement cleanup for temporary certificate directories
267e84f 
Co-authored-by: warkanum <208308+warkanum@users.noreply.github.com>
@warkanum
Final verification and cleanup
64f5632 
Co-authored-by: warkanum <208308+warkanum@users.noreply.github.com>
Copilot AI changed the title [WIP] Address feedback on Server Manager implementation Fix resource leak in self-signed SSL certificate cleanup Dec 30, 2025
Copilot AI requested a review from warkanum December 30, 2025 11:03
warkanum
warkanum requested changes Dec 30, 2025
View reviewed changes
pkg/server/manager.go Outdated

// Clean up temporary certificate directory if it exists
if s.tempCertDir != "" {
if cleanupErr := os.RemoveAll(s.tempCertDir); cleanupErr != nil {
Copy link
Member

@warkanum warkanum Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot We don't need to clean up. We also need to insure to always generate certificates with the same name as to override the old ones. However, if the certificates exists, use them if they are not expired.

Copy link
Contributor Author

Copilot AI Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed the approach in commit 4f8edd6. Certificates are now stored persistently in {UserCacheDir}/resolvespec/certs/ with consistent naming based on hostname. The system checks for existing certificates and reuses them if valid (not expired, not expiring within 30 days). New certificates are only generated when needed, overwriting any old ones.

pkg/server/manager_test.go Outdated
assert.True(t, executed, "Shutdown callback should have been executed")
}

func TestSelfSignedSSLCleanup(t *testing.T) {
Copy link
Member

@warkanum warkanum Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot Remove this test

Copy link
Contributor Author

Copilot AI Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed TestSelfSignedSSLCleanup in commit ccf8522 and added TestSelfSignedSSLCertificateReuse to verify the new certificate reuse functionality works correctly.

Copilot AI and others added 2 commits December 30, 2025 11:12
@warkanum
Refactor: Use persistent cert storage with reuse logic
ccf8522 
Co-authored-by: warkanum <208308+warkanum@users.noreply.github.com>
@warkanum
Add security improvements and race condition protection
4f8edd6 
Co-authored-by: warkanum <208308+warkanum@users.noreply.github.com>
Copilot AI changed the title Fix resource leak in self-signed SSL certificate cleanup Implement persistent certificate storage with reuse for self-signed SSL Dec 30, 2025
Copilot AI requested a review from warkanum December 30, 2025 11:17
@warkanum warkanum marked this pull request as ready for review December 30, 2025 11:27
@warkanum warkanum merged commit 16d4160 into server Dec 30, 2025
@warkanum warkanum deleted the copilot/sub-pr-5 branch December 30, 2025 11:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@warkanum warkanum warkanum approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@warkanum warkanum

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@warkanum