From 87e79da16a47738b33123f7a37a97edd3532c9c0 Mon Sep 17 00:00:00 2001
From: wenzong
Date: Sat, 19 Sep 2020 13:09:59 +0800
Subject: [PATCH] Move ocsp_response_cache:delete after certificate_data:set

---
 rootfs/etc/nginx/lua/configuration.lua | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/rootfs/etc/nginx/lua/configuration.lua b/rootfs/etc/nginx/lua/configuration.lua
index 4ab894e2cb8..b919e11eba4 100644
--- a/rootfs/etc/nginx/lua/configuration.lua
+++ b/rootfs/etc/nginx/lua/configuration.lua
@@ -101,13 +101,19 @@ local function handle_servers()
 end
 for uid, cert in pairs(configuration.certificates) do
+ -- don't delete the cache here, certificate_data[uid] is not replaced yet.
+ -- there is small chance that nginx worker still get the old certificate,
+ -- then fetch and cache the old OCSP Response
 local old_cert = certificate_data:get(uid)
- if old_cert ~= nil and old_cert ~= cert then
- ocsp_response_cache:delete(uid)
- end
+ local is_renew = (old_cert ~= nil and old_cert ~= cert)
 local success, set_err, forcible = certificate_data:set(uid, cert)
- if not success then
+ if success then
+ -- delete ocsp cache after certificate_data:set succeed
+ if is_renew then
+ ocsp_response_cache:delete(uid)
+ end
+ else
 local err_msg = string.format("error setting certificate for %s: %s\n", uid, tostring(set_err))
 table.insert(err_buf, err_msg)