(ctx context.Context, oldCert Certificate, cfg *Config)
| 227 | } |
| 228 | |
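// queueRenewalTask submits a background job that renews oldCert and, on
// success, reloads the renewed certificate into the cache so that later
// handshakes use it. The job is keyed by "renew_"+name, so submitting the
// same certificate again is a no-op while a job for that name is already
// active or queued.
//
// Only the first name of the certificate is used for renewal; managed
// certificates are expected to carry a single name. A certificate with no
// names has no identifier to renew under and is reported as an error
// rather than indexing an empty slice, which would panic inside the
// maintenance loop.
//
// The renewal itself runs inside the job and deliberately does not hold
// certCache.mu for its duration. If renewal fails and cfg.OnDemand is set,
// the stale certificate is evicted under the lock (it was loaded
// dynamically, so it is removed dynamically — presumably so a later
// on-demand load fetches a fresh one); otherwise the cached certificate is
// left in place. A failure to reload the renewed certificate is returned as
// ErrNoRetry.
//
// The returned error reflects only the queueing step; the outcome of the
// renewal itself is reported by the job function to the job manager.
func (certCache *Cache) queueRenewalTask(ctx context.Context, oldCert Certificate, cfg *Config) error {
	log := certCache.logger.Named("maintenance")

	// Guard before any use of Names: without a name there is nothing to
	// renew, and the index below would otherwise panic.
	if len(oldCert.Names) == 0 {
		return fmt.Errorf("certificate has no names; cannot determine renewal identifier")
	}

	timeLeft := expiresAt(oldCert.Leaf).Sub(time.Now().UTC())
	log.Info("certificate expires soon; queuing for renewal",
		zap.Strings("identifiers", oldCert.Names),
		zap.Duration("remaining", timeLeft))

	// Get the name which we should use to renew this certificate;
	// we only support managing certificates with one name per cert,
	// so this should be easy.
	renewName := oldCert.Names[0]

	// queue up this renewal job (is a no-op if already active or queued)
	jm.Submit(cfg.Logger, "renew_"+renewName, func() error {
		// Recompute at run time: the job may start well after it was queued.
		remaining := expiresAt(oldCert.Leaf).Sub(time.Now().UTC())
		log.Info("attempting certificate renewal",
			zap.Strings("identifiers", oldCert.Names),
			zap.Duration("remaining", remaining))

		// perform renewal - crucially, this happens OUTSIDE a lock on certCache
		if err := cfg.RenewCertAsync(ctx, renewName, false); err != nil {
			if cfg.OnDemand != nil {
				// loaded dynamically, remove dynamically
				certCache.mu.Lock()
				certCache.removeCertificate(oldCert)
				certCache.mu.Unlock()
			}
			// %w keeps the underlying error reachable via errors.Is/As;
			// the rendered message is unchanged.
			return fmt.Errorf("%v %w", oldCert.Names, err)
		}

		// successful renewal, so update in-memory cache by loading
		// renewed certificate so it will be used with handshakes
		if _, err := cfg.reloadManagedCertificate(ctx, oldCert); err != nil {
			return ErrNoRetry{fmt.Errorf("%v %w", oldCert.Names, err)}
		}
		return nil
	})

	return nil
}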
| 272 | |
| 273 | // updateOCSPStaples updates the OCSP stapling in all |
| 274 | // eligible, cached certificates. |