Add a few tests to exercise OCSP stapling, using an httptest.Server
acting as the OCSP responder.
These tests are very simplistic:
- a "good" OCSP response should be stapled
- a "revoked" OCSP response should not be stapled
- the DisableStapling option should be honored
- OCSP stapling requires an issuing certificate
No attempt is made to provide sensible timestamps, either in the test
certificates or in the OCSP responses.
This brings unit test coverage for ocsp.go from 21% to 70%.
Cleaning storage now obtains a lock, and it can optionally be configured
to only happen once per interval.
This should help lower costs for expensive storage backends
that are used by clusters of CertMagic/Caddy instances.
* Optionally pass the context argument down to the OnDemand decision func
* Remove the "compatibility shims"
This "breaks" the API here, but the change should be trivially obvious to an implementor
and it gives a lot less headache later.
A recent change passed in ClientHello into loadCertFromStorage.
Then it used hello.ServerName directly, but this is empty
if the client connects via IP address.
Previously, we passed in the name from the ClientHello
which would be the SNI if set, or the conn IP.
We now use getNameFromClientHello() as we should.
Fixes https://github.com/caddyserver/caddy/issues/5758
The context available to `renewDynamicCertificate` comes from inside the TLS handshake, and as such
may be bounded by the lifespan of the connection. Passing this into a goroutine will lead to problems
when the connection ends (and the connection context gets canceled with it) but the goroutine is going
to do more I/O on that context.
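The cancellation hazard described above, as an added example that is not CertMagic's own code: a per-connection context is handed to a renewal goroutine, the connection closes while the goroutine is still doing I/O, and the goroutine's work is aborted unless the context is detached first. The `detachedCtx` type and `RenewInBackground` function are constructed for this illustration.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// renewWithCtx stands in for the renewal goroutine's storage/ACME I/O:
// it honors ctx and returns ctx.Err() if canceled before the work is done.
func renewWithCtx(ctx context.Context, work time.Duration) error {
	select {
	case <-time.After(work):
		return nil
	case <-ctx.Done():
		return ctx.Err()
	}
}

// detachedCtx keeps the parent's values but never reports cancellation.
// Go 1.21+ offers context.WithoutCancel; this minimal equivalent keeps the
// example self-contained on older toolchains.
type detachedCtx struct{ context.Context }

func (detachedCtx) Deadline() (time.Time, bool) { return time.Time{}, false }
func (detachedCtx) Done() <-chan struct{}       { return nil }
func (detachedCtx) Err() error                  { return nil }

// RenewInBackground simulates the handshake callback: the TLS stack hands
// it a per-connection context, it kicks off renewal in a goroutine, and
// the connection closes (canceling that context) while renewal is still
// running. With detach=false the goroutine gets the raw handshake context
// (the bug); with detach=true it gets a detached one (the fix).
func RenewInBackground(detach bool) error {
	handshakeCtx, connClosed := context.WithCancel(context.Background())
	ctx := handshakeCtx
	if detach {
		ctx = detachedCtx{handshakeCtx}
	}
	result := make(chan error, 1)
	go func() { result <- renewWithCtx(ctx, 50*time.Millisecond) }()
	time.Sleep(5 * time.Millisecond) // handshake returns, connection ends
	connClosed()
	return <-result
}

func main() {
	fmt.Println("raw handshake ctx:", RenewInBackground(false))
	fmt.Println("detached ctx:     ", RenewInBackground(true))
}
```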
Define an exported NoOCSPServerSpecified error, to make it easier to
distinguish the case that a certificate does not support OCSP (from
other OCSP stapling errors). Add a unit test exercising this behavior.
These are useful for advanced applications (like Caddy) which would
like to remove certificates from the
cache in a controlled way, and operate the
cache with new settings while running.
* Fix advanced cache initialization in README
As per the documentation of GetConfigForCert:
> The returned Config MUST be associated with the same Cache as the caller.
A valid Config cannot be constructed with &certmagic.Config{} as the certCache field is unexported.
The only way to construct a Config with a non-nil Cache is to use either NewDefault or New.
* Make it an error for GetConfigForCert to return Config w/ nil cache
This prevents an invalid Config from slipping through and causing a hard to
debug nil pointer dereference at some later point.
- Only load cert from storage (or manager) if allowed to do so (fix #174)
- Sync cert loading so storage isn't stampeded (fix #185)
- Update dependencies
* Update ci.yml
* Trigger CI
* Remove commented-out section
* Trigger CI
* Use go mod download
* Replace set-output
* Cleanup
* Archive code coverage result
* Better artifact name scheme
* Use implicit default of `cache-dependency-path`
* Update CI
* Update matrix to include 1.20