internal/autocert: re-use cert if renewing failed but cert not expired #1237
Conversation
|
Code Climate has analyzed commit 134e6f8 and detected 0 issues on this pull request. View more on Code Climate. |
Codecov Report
@@ Coverage Diff @@
## master #1237 +/- ##
========================================
- Coverage 61.6% 61.5% -0.2%
========================================
Files 102 102
Lines 7678 7678
========================================
- Hits 4735 4727 -8
- Misses 2547 2556 +9
+ Partials 396 395 -1
|
There was a problem hiding this comment.
For what it's worth, my bug wasn't while the service was running, pomerium kept running just fine even with the renewals failing.
The issue was once I restarted - everything would block behind cert reissuing, envoy wouldn't even start up (I brought up a local build and sh'ed into the container, ps showed only /bin/pomerium running, no envoy instance was even present).
internal/autocert/manager.go
Outdated
| return fmt.Errorf("autocert: failed to renew client certificate: %w", err) | ||
| } | ||
| if !expired { |
There was a problem hiding this comment.
Will this log even if cert successfully renews since you don't update expired after cm.RenewCert?
There was a problem hiding this comment.
Ah thanks, fair point 👍
By factor out obtain and renew certification process, return specific error for each process if failed to contact with letsencrypt server.
cuonglm
force-pushed
the
cuonglm/fix-renew-valid-cert
branch
from
6923502
to
134e6f8
Compare
Summary
If autocert failed to renew a valid cert, we should continue using that cert instead of aborting pomerium.
Related issues
Fixes #1232
Checklist: