Add config option to disable ARI
This may be temporary until ARI is more mature
This commit is contained in:
parent
1a2275d54c
commit
5ee48a3108
@ -461,7 +461,7 @@ func (am *ACMEIssuer) doIssue(ctx context.Context, csr *x509.CertificateRequest,
|
||||
// between client and server or some sort of bookkeeping error with regards to the certID
|
||||
// and the server is rejecting the ARI certID. In any case, an invalid certID may cause
|
||||
// orders to fail. So try once without setting it.
|
||||
if !usingTestCA && attempts != 2 {
|
||||
if !am.config.DisableARI && !usingTestCA && attempts != 2 {
|
||||
if replacing, ok := ctx.Value(ctxKeyARIReplaces).(*x509.Certificate); ok {
|
||||
params.Replaces = replacing
|
||||
}
|
||||
|
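Review bot: The comment block above the changed condition (the three lines ending `So try once without setting it.`) explains only the attempts != 2 fallback, so a reader of the new condition gets no hint why DisableARI also drops the Replaces field; add a line such as `// Replaces is also omitted entirely when the config disables ARI.` The new condition dereferences `am.config` on every attempt, which presumably is validated earlier in the issuance path; worth confirming it cannot be nil at this point. doIssue's body starts and ends outside the hunk.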
@ -103,6 +103,7 @@ func (cfg *Config) certNeedsRenewal(leaf *x509.Certificate, ari acme.RenewalInfo
|
||||
logger = zap.NewNop()
|
||||
}
|
||||
|
||||
if !cfg.DisableARI {
|
||||
// first check ARI: if it says it's time to renew, it's time to renew
|
||||
// (notice that we don't strictly require an ARI window to also exist; we presume
|
||||
// that if a time has been selected, a window does or did exist, even if it didn't
|
||||
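Review bot: certNeedsRenewal now ignores its `ari` argument whenever cfg.DisableARI is set, but nothing at the function's definition says so, and the caller in managedCertNeedsRenewal (the `var ari acme.RenewalInfo` hunk in config.go) independently leaves `ari` zeroed under the same flag, so the two guards duplicate each other. Either keep only one of them or document the contract in the function's doc comment, e.g. `// When cfg.DisableARI is set, ari is ignored and only the expiration-based check applies.` The same guard closes in the hunk that follows (`@ -149,7 +150,7`). certNeedsRenewal's signature and the rest of its body lie outside the hunk.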
@ -149,7 +150,7 @@ func (cfg *Config) certNeedsRenewal(leaf *x509.Certificate, ari acme.RenewalInfo
|
||||
zap.Time("renewal_cutoff", cutoff))
|
||||
return true
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
// the normal check, in the absence of ARI, is to determine if we're near enough (or past)
|
||||
|
12
config.go
12
config.go
@ -149,6 +149,10 @@ type Config struct {
|
||||
// EXPERIMENTAL: Subject to change or removal.
|
||||
SubjectTransformer func(ctx context.Context, domain string) string
|
||||
|
||||
// Disables both ARI fetching and the use of ARI for renewal decisions.
|
||||
// TEMPORARY: Will likely be removed in the future.
|
||||
DisableARI bool
|
||||
|
||||
// Set a logger to enable logging. If not set,
|
||||
// a default logger will be created.
|
||||
Logger *zap.Logger
|
||||
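Review bot: The doc comment on DisableARI does not say what an operator gives up by setting it: with the flag on, the CA's ARI-suggested renewal window is never consulted, so renewal falls back solely to the expiry-based check in certNeedsRenewal, and, per the doIssue hunk, orders no longer carry the Replaces certID. Since ARI is, as I understand it, the channel a CA uses to ask for a certificate to be replaced earlier than its expiration, that consequence belongs in the comment, e.g. `// Disables both ARI fetching and the use of ARI for renewal decisions; renewal then relies only on certificate expiration, so an earlier renewal window suggested by the CA is not acted on.` followed by `// ARI data already cached on a certificate is left in place but ignored.` The second sentence assumes nothing in this change clears `cert.ari`; the hunks shown only skip refreshing it, so confirm against the rest of the file before adopting it.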
@ -451,7 +455,7 @@ func (cfg *Config) manageOne(ctx context.Context, domainName string, async bool)
|
||||
|
||||
// ensure ARI is updated before we check whether the cert needs renewing
|
||||
// (we ignore the second return value because we already check if needs renewing anyway)
|
||||
if cert.ari.NeedsRefresh() {
|
||||
if !cfg.DisableARI && cert.ari.NeedsRefresh() {
|
||||
cert, _, err = cfg.updateARI(ctx, cert, cfg.Logger)
|
||||
if err != nil {
|
||||
cfg.Logger.Error("updating ARI upon managing", zap.Error(err))
|
||||
@ -888,7 +892,8 @@ func (cfg *Config) renewCert(ctx context.Context, name string, force, interactiv
|
||||
// if we're renewing with the same ACME CA as before, have the ACME
|
||||
// client tell the server we are replacing a certificate (but doing
|
||||
// this on the wrong CA, or when the CA doesn't recognize the certID,
|
||||
// can fail the order)
|
||||
// can fail the order) -- TODO: change this check to whether we're using the same ACME account, not CA
|
||||
if !cfg.DisableARI {
|
||||
if acmeData, err := certRes.getACMEData(); err == nil && acmeData.CA != "" {
|
||||
if acmeIss, ok := issuer.(*ACMEIssuer); ok {
|
||||
if acmeIss.CA == acmeData.CA {
|
||||
@ -896,6 +901,7 @@ func (cfg *Config) renewCert(ctx context.Context, name string, force, interactiv
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
issuedCert, err = issuer.Issue(ctx, useCSR)
|
||||
if err == nil {
|
||||
@ -1246,9 +1252,11 @@ func (cfg *Config) managedCertNeedsRenewal(certRes CertificateResource, emitLogs
|
||||
return 0, nil, true
|
||||
}
|
||||
var ari acme.RenewalInfo
|
||||
if !cfg.DisableARI {
|
||||
if ariPtr, err := certRes.getARI(); err == nil && ariPtr != nil {
|
||||
ari = *ariPtr
|
||||
}
|
||||
}
|
||||
remaining := time.Until(expiresAt(certChain[0]))
|
||||
return remaining, certChain[0], cfg.certNeedsRenewal(certChain[0], ari, emitLogs)
|
||||
}
|
||||
|
@ -582,7 +582,7 @@ func (cfg *Config) handshakeMaintenance(ctx context.Context, hello *tls.ClientHe
|
||||
}
|
||||
|
||||
// Check ARI status
|
||||
if cert.ari.NeedsRefresh() {
|
||||
if !cfg.DisableARI && cert.ari.NeedsRefresh() {
|
||||
// we ignore the second return value here because we go on to check renewal status below regardless
|
||||
var err error
|
||||
cert, _, err = cfg.updateARI(ctx, cert, logger)
|
||||
|
@ -136,7 +136,7 @@ func (certCache *Cache) RenewManagedCertificates(ctx context.Context) error {
|
||||
}
|
||||
|
||||
// ACME-specific: see if if ACME Renewal Info (ARI) window needs refreshing
|
||||
if cert.ari.NeedsRefresh() {
|
||||
if !cfg.DisableARI && cert.ari.NeedsRefresh() {
|
||||
configs[cert.hash] = cfg
|
||||
ariQueue = append(ariQueue, cert)
|
||||
}
|
||||
|