path: root/ipn/localapi/cert.go
author: Andrew Lytvynov <awly@tailscale.com> 2023-07-27 12:29:40 -0700
committer: Denton Gentry <dgentry@tailscale.com> 2023-07-27 15:23:11 -0700
commit: b73e4ea37af1c6b7bbf83471ef5c691319a8a0e9 (patch)
tree: 13d92d238ee2094c290da9c74bae8cebfa870a4f /ipn/localapi/cert.go
parent: 2d3223f557924d408b5d67b80440d6fba264a0fd (diff)
ipn/{ipnlocal,localapi}: actually renew certs before expiry (#8731)
branch: release-branch/1.46
While our `shouldStartDomainRenewal` check is correct, `getCertPEM` would always bail if the existing cert is not expired. Add the same `shouldStartDomainRenewal` check to `getCertPEM` to make it proceed with renewal when existing certs are still valid but should be renewed. The extra check is expensive (ARI request towards LetsEncrypt), so cache the last check result for 1hr to not degrade `tailscale serve` performance.

Also, asynchronous renewal is great for `tailscale serve` but confusing for `tailscale cert`. Add an explicit flag to `GetCertPEM` to force a synchronous renewal for `tailscale cert`.

Fixes #8725

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
(cherry picked from commit c1ecae13ab708cef90905085f87729974f6c339d)
Diffstat (limited to 'ipn/localapi/cert.go')
-rw-r--r-- ipn/localapi/cert.go 2
1 files changed, 1 insertions, 1 deletions
diff --git a/ipn/localapi/cert.go b/ipn/localapi/cert.go
index 447c3bc3c..e1704cb49 100644
--- a/ipn/localapi/cert.go
+++ b/ipn/localapi/cert.go
@@ -23,7 +23,7 @@ func (h *Handler) serveCert(w http.ResponseWriter, r *http.Request) {
http.Error(w, "internal handler config wired wrong", 500)
return
}
- pair, err := h.b.GetCertPEM(r.Context(), domain)
+ pair, err := h.b.GetCertPEM(r.Context(), domain, true)
if err != nil {
// TODO(bradfitz): 500 is a little lazy here. The errors returned from
// GetCertPEM (and everywhere) should carry info info to get whether
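Review bot: the new third argument to `GetCertPEM` is a bare boolean literal (`pair, err := h.b.GetCertPEM(r.Context(), domain, true)`), and nothing at the call site says what `true` selects; the commit message explains it forces synchronous renewal for `tailscale cert`, so either add a trailing comment (`true /* syncRenewal */`) or have `GetCertPEM` take a named option so the meaning survives in the handler. Related design point: the flag is passed unconditionally from the localapi handler, so every client of this endpoint, not only `tailscale cert`, now blocks on the renewal exchange when `shouldStartDomainRenewal` says a still-valid cert should be renewed. If `tailscale serve` or other local callers also reach `serveCert`, consider letting the request choose (for example a query parameter defaulting to asynchronous) so a slow ACME round-trip cannot stall callers that only need the current cert. Minor, in the untouched context: the comment on the next line reads "should carry info info", a doubled word worth fixing while the function is being edited.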