internal/autocert: re-use cert if renewing failed but cert not expired #1237
Code Climate has analyzed commit 134e6f8 and detected 0 issues on this pull request.
Codecov Report
@@ Coverage Diff @@
## master #1237 +/- ##
========================================
- Coverage 61.6% 61.5% -0.2%
========================================
Files 102 102
Lines 7678 7678
========================================
- Hits 4735 4727 -8
- Misses 2547 2556 +9
+ Partials 396 395 -1
For what it's worth, my bug wasn't while the service was running; pomerium kept running just fine even with the renewals failing.
The issue was that once I restarted, everything would block behind cert reissuing; envoy wouldn't even start up (I brought up a local build and sh'ed into the container; ps showed only /bin/pomerium running, no envoy instance was even present).
internal/autocert/manager.go (outdated)
return fmt.Errorf("autocert: failed to renew client certificate: %w", err)
}
if !expired {
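Review bot: `if !expired` tests a value computed before the renewal attempt, so this branch also runs after a successful renewal; recompute expiry after `cm.RenewCert` returns, or return early on the success path so only the renewal-failed case reaches the "still valid, keep using it" branch.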
Will this log even if the cert successfully renews, since you don't update `expired` after `cm.RenewCert`?
Ah thanks, fair point 👍
Fixed.
By factoring out the obtain and renew certificate processes, return a specific error for each process if it failed to contact the letsencrypt server.
6923502 to 134e6f8
Summary
If autocert fails to renew a cert that is still valid, we should continue using that cert instead of aborting pomerium.
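The decision this PR describes, written out as an added example rather than pomerium's own code: renewal is attempted first, and only when it fails is the current cert's expiry consulted, so a still-valid cert is kept and only an expired cert with a failed renewal is fatal. The `certState` type and the `renew` callback are stand-ins constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"time"
)

// certState stands in for the managed certificate; only its expiry matters
// for this decision. Constructed for the example, not pomerium's type.
type certState struct {
	NotAfter time.Time
}

// ensureCert tries to renew and, if renewal fails, keeps serving the current
// cert as long as it has not expired. The expiry check happens after the
// renewal attempt, so a successful renewal never falls into the "reuse" path
// (the point raised in the review thread). renew is a hypothetical callback
// that returns the renewed cert.
func ensureCert(cur certState, now time.Time, renew func() (certState, error)) (certState, error) {
	renewed, err := renew()
	if err == nil {
		return renewed, nil
	}
	if now.Before(cur.NotAfter) {
		// Renewal failed but the cert is still valid: log and keep using it
		// rather than aborting the service.
		log.Printf("autocert: renewal failed, continuing with current cert (expires %s): %v",
			cur.NotAfter.Format(time.RFC3339), err)
		return cur, nil
	}
	// Expired and not renewable: wrap the cause so callers can inspect it.
	return certState{}, fmt.Errorf("autocert: failed to renew expired certificate: %w", err)
}

func main() {
	now := time.Now()
	unreachable := errors.New("acme server unreachable") // constructed failure
	failing := func() (certState, error) { return certState{}, unreachable }

	valid := certState{NotAfter: now.Add(24 * time.Hour)}
	got, err := ensureCert(valid, now, failing)
	fmt.Println(got.NotAfter.Equal(valid.NotAfter), err) // true <nil>

	expired := certState{NotAfter: now.Add(-time.Hour)}
	_, err = ensureCert(expired, now, failing)
	fmt.Println(errors.Is(err, unreachable)) // true
}
```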
Related issues
Fixes #1232