Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/crypto/acme/autocert: Consider storing certificates as "*.pem" in DirCache #37354

Open
arp242 opened this issue Feb 21, 2020 · 3 comments
Open

x/crypto/acme/autocert: Consider storing certificates as "*.pem" in DirCache #37354

arp242 opened this issue Feb 21, 2020 · 3 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Unreleased

Comments

@arp242
Copy link

arp242 commented Feb 21, 2020

I recently implemented autocert to generate certificates; it works quite well for me 👍

I did run in to one snag: the DirCache implementation stores the generated certificates as just the domain name; e.g. test.example.com, rather than test.example.com.pem.

I also use the generated certificates with an external TLS proxy (hitch), and loading the certificates like this isn't possible since it will errors out on non-certificate files like acme_account+key, which strikes me as reasonable behaviour on hitch's part.

If they would be stored as *.pem I could tell hitch to load only those files, which works.

I worked around this by wrapping the DirCache as below, but I think it might be reasonable to change the behaviour of DirCache to always do this?

// cache is like autocert.DirCache, but ensures that certificates end with .pem.
type cache struct{ dc autocert.DirCache }

func NewCache(dir string) cache { return cache{dc: autocert.DirCache(dir)} }

func (d cache) Get(ctx context.Context, key string) ([]byte, error) {
    if !strings.Contains(key, "+") {
        key += ".pem"
    }
    return d.dc.Get(ctx, key)
}

func (d cache) Delete(ctx context.Context, key string) error {
    if !strings.Contains(key, "+") {
        key += ".pem"
    }
    return d.dc.Delete(ctx, key)
}

func (d cache) Put(ctx context.Context, key string, data []byte) error {
    if !strings.Contains(key, "+") {
        key += ".pem"
    }
    return d.dc.Put(ctx, key, data)
}
@gopherbot gopherbot added this to the Unreleased milestone Feb 21, 2020
@toothrot toothrot added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Feb 21, 2020
@toothrot
Copy link
Contributor

/cc @bradfitz @x1ddos

@slrz
Copy link

slrz commented Feb 22, 2020

Given the existence of an easy workaround, I'd prefer to not change the behaviour of file name = host name.

@arp242
Copy link
Author

arp242 commented Feb 23, 2020

I wouldn't exactly call it "easy" @slrz. I mean, the code as such is easy enough to follow, but it took me a while and reading through the code to figure out that checking for + would be a reliable way to filter the non-certificate files, and it's kind of an internal detail of DirCache that may change in the future.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
4 participants
@toothrot @arp242 @slrz @gopherbot