diff options
| author | Quentin Dufour <quentin@deuxfleurs.fr> | 2023-11-30 15:35:32 +0100 |
|---|---|---|
| committer | Quentin Dufour <quentin@deuxfleurs.fr> | 2023-11-30 15:35:32 +0100 |
| commit | ca449ebff452345229953b6ba406acefb157385b (patch) | |
| tree | d3abd6e48efc8c3f71a1d95a2bbea35f5fa0608e | |
| parent | b04c2bfb0a5776ddcf8c0bab23dd1f800e3a0df3 (diff) | |
| download | tricot-ca449ebff452345229953b6ba406acefb157385b.tar.gz tricot-ca449ebff452345229953b6ba406acefb157385b.zip | |
some comments
| -rw-r--r-- | src/cert_store.rs | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/src/cert_store.rs b/src/cert_store.rs index 0ced178..e25395d 100644 --- a/src/cert_store.rs +++ b/src/cert_store.rs @@ -70,6 +70,9 @@ impl CertStore { loop { let mut domains: HashSet<String> = HashSet::new(); + // Collect domains that need a TLS certificate + // either from the proxy configuration (eagerly) + // or on reaction to a user request (lazily) select! { res = rx_proxy_config.changed() => { if res.is_err() { @@ -78,6 +81,8 @@ impl CertStore { let proxy_config: Arc<ProxyConfig> = rx_proxy_config.borrow().clone(); for ent in proxy_config.entries.iter() { + // Eagerly generate certificates for domains that + // are not patterns if let HostDescription::Hostname(domain) = &ent.url_prefix.host { if let Some((host, _port)) = domain.split_once(':') { domains.insert(host.to_string()); @@ -85,6 +90,9 @@ impl CertStore { domains.insert(domain.clone()); } } + + // @TODO Register a map of + // UrlPrefix -> OnDemandTlsAskCheckUrl } } need_cert = rx_need_cert.recv() => { @@ -100,12 +108,17 @@ impl CertStore { } } + // Now that we have our list of domains to check, + // actually do something for dom in domains.iter() { + // Exclude from the list domains that were checked less than 60 + // seconds ago match t_last_check.get(dom) { Some(t) if Instant::now() - *t < Duration::from_secs(60) => continue, _ => t_last_check.insert(dom.to_string(), Instant::now()), }; + // Actual Let's Encrypt calls are done here (in sister function) debug!("Checking cert for domain: {}", dom); if let Err(e) = self.check_cert(dom).await { warn!("({}) Could not get certificate: {}", dom, e); @@ -186,6 +199,15 @@ impl CertStore { Ok(()) } + /// Check certificate ensure that the certificate is in the memory store + /// and that it does not need to be renewed. + /// + /// If it's not in the memory store, it tries to load it from Consul, + /// if it's not in Consul, it calls Let's Encrypt. + /// + /// If the certificate is outdated in the memory store, it tries to load + /// a more recent version in Consul, if the Consul version is also outdated, + /// it tries to renew it pub async fn check_cert(self: &Arc<Self>, domain: &str) -> Result<()> { // First, try locally. { @@ -226,6 +248,7 @@ impl CertStore { self.renew_cert(domain).await } + /// This is the place where certificates are generated or renewed pub async fn renew_cert(self: &Arc<Self>, domain: &str) -> Result<()> { info!("({}) Renewing certificate", domain); |