cmd/derper: provide support for forcing autocert renewalsbradfitz/autocert_force

Change-Id: I127a803144ec5ca989823610f1bbd21dc5cfadba Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
author: Brad Fitzpatrick <bradfitz@tailscale.com> 2022-01-26 12:16:02 -0800
committer: Brad Fitzpatrick <bradfitz@tailscale.com> 2022-01-26 12:16:02 -0800
commit: b1cf0a04d6d1ca494ec3774dac48037b8abe792e (patch)
tree: 8dfed16705e944257c9bfcced90a396f2ef1d683
parent: 1af26222b66344bce584887d59e640bf0a091573 (diff)
download: tailscale-bradfitz/autocert_force.tar.xz
tailscale-bradfitz/autocert_force.zip
1 files changed, 29 insertions, 0 deletions
diff --git a/cmd/derper/cert.go b/cmd/derper/cert.go
index 972540397..233371f67 100644
--- a/cmd/derper/cert.go
+++ b/cmd/derper/cert.go
@@ -10,8 +10,11 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"os"
 	"path/filepath"
 	"regexp"
+	"strings"
+	"time"
 
 	"golang.org/x/crypto/acme/autocert"
 )
@@ -39,6 +42,24 @@ func certProviderByCertMode(mode, dir, hostname string) (certProvider, error) {
 		if hostname == "derp.tailscale.com" {
 			certManager.HostPolicy = prodAutocertHostPolicy
 			certManager.Email = "security@tailscale.com"
+			if v, err := os.ReadFile("/home/derp/forcerenew.secret"); err == nil {
+				proto := strings.TrimSpace(string(v))
+				am2 := *certManager
+				am2.RenewBefore = 89 * 24 * time.Hour
+				defGetCertificate := certManager.TLSConfig().GetCertificate
+				tlsConf2 := am2.TLSConfig()
+				getCertificate := func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+					for _, p := range hi.SupportedProtos {
+						if p == proto {
+							return tlsConf2.GetCertificate(hi)
+						}
+					}
+					return defGetCertificate(hi)
+				}
+				altConf := certManager.TLSConfig()
+				altConf.GetCertificate = getCertificate
+				return altConfig{certManager, altConf}, nil
+			}
 		}
 		return certManager, nil
 	case "manual":
@@ -48,6 +69,14 @@ func certProviderByCertMode(mode, dir, hostname string) (certProvider, error) {
 	}
 }
 
+// altConfig is a certProvider wrapper that returns an explicit tls.Config.
+type altConfig struct {
+	certProvider
+	tlsConfig *tls.Config
+}
+
+func (ac altConfig) TLSConfig() *tls.Config { return ac.tlsConfig }
+
 type manualCertManager struct {
 	cert     *tls.Certificate
 	hostname string
author	Brad Fitzpatrick <bradfitz@tailscale.com>	2022-01-26 12:16:02 -0800
committer	Brad Fitzpatrick <bradfitz@tailscale.com>	2022-01-26 12:16:02 -0800
commit	b1cf0a04d6d1ca494ec3774dac48037b8abe792e (patch)
tree	8dfed16705e944257c9bfcced90a396f2ef1d683
parent	1af26222b66344bce584887d59e640bf0a091573 (diff)
download	tailscale-bradfitz/autocert_force.tar.xz tailscale-bradfitz/autocert_force.zip