caddytls: Regularly reload static certificates

pascalgn · pascalgn · commit 3cae55bc4c1d · 2026-03-03T09:32:15.000+01:00
diff --git a/modules/caddyhttp/reverseproxy/httptransport_test.go b/modules/caddyhttp/reverseproxy/httptransport_test.go
@@ -129,11 +129,11 @@ func TestHTTPTransport_DialTLSContext_ProxyProtocol(t *testing.T) {
 	defer cancel()
 
 	tests := []struct {
-		name                    string
-		tls                     *TLSConfig
-		proxyProtocol           string
+		name                     string
+		tls                      *TLSConfig
+		proxyProtocol            string
 		serverNameHasPlaceholder bool
-		expectDialTLSContext    bool
+		expectDialTLSContext     bool
 	}{
 		{
 			name:                 "no TLS, no proxy protocol",
@@ -194,4 +194,3 @@ func TestHTTPTransport_DialTLSContext_ProxyProtocol(t *testing.T) {
 		})
 	}
 }
-
diff --git a/modules/caddytls/storageloader.go b/modules/caddytls/storageloader.go
@@ -72,17 +72,16 @@ func (sl *StorageLoader) Provision(ctx caddy.Context) error {
 	return nil
 }
 
-// LoadCertificates returns the certificates to be loaded by sl.
-func (sl StorageLoader) LoadCertificates() ([]Certificate, error) {
+func (sl StorageLoader) Initialize(updateCertificates func(add []Certificate, remove []string) error) error {
 	certs := make([]Certificate, 0, len(sl.Pairs))
 	for _, pair := range sl.Pairs {
 		certData, err := sl.storage.Load(sl.ctx, pair.Certificate)
 		if err != nil {
-			return nil, err
+			return err
 		}
 		keyData, err := sl.storage.Load(sl.ctx, pair.Key)
 		if err != nil {
-			return nil, err
+			return err
 		}
 
 		var cert tls.Certificate
@@ -94,21 +93,21 @@ func (sl StorageLoader) LoadCertificates() ([]Certificate, error) {
 			// if the start of the key file looks like an encrypted private key,
 			// reject it with a helpful error message
 			if strings.Contains(string(keyData[:40]), "ENCRYPTED") {
-				return nil, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
+				return fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
 			}
 
 			cert, err = tls.X509KeyPair(certData, keyData)
 
 		default:
-			return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
+			return fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
 		}
 		if err != nil {
-			return nil, err
+			return err
 		}
 
 		certs = append(certs, Certificate{Certificate: cert, Tags: pair.Tags})
 	}
-	return certs, nil
+	return updateCertificates(certs, []string{})
 }
 
 // Interface guard
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
@@ -131,14 +131,14 @@ type TLS struct {
 	// EXPERIMENTAL: Subject to change.
 	Resolvers []string `json:"resolvers,omitempty"`
 
-	dns                any // technically, it should be any/all of the libdns interfaces (RecordSetter, RecordAppender, etc.)
-	certificateLoaders []CertificateLoader
-	automateNames      map[string]struct{}
-	ctx                caddy.Context
-	storageCleanTicker *time.Ticker
-	storageCleanStop   chan struct{}
-	logger             *zap.Logger
-	events             *caddyevents.App
+	dns                  any // technically, it should be any/all of the libdns interfaces (RecordSetter, RecordAppender, etc.)
+	certificateLoaders   []CertificateLoader
+	automateNames        map[string]struct{}
+	ctx                  caddy.Context
+	storageCleanTicker   *time.Ticker
+	storageCleanStop     chan struct{}
+	logger               *zap.Logger
+	events               *caddyevents.App
 	magic                *certmagic.Config
 	unmanagedCertsTicker *time.Ticker
 
@@ -251,7 +251,7 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 	// certificates have been manually loaded, and also so that
 	// commands like validate can be a better test
 	certCacheMu.RLock()
-	t.magic = certmagic.New(certCache, certmagic.Config{
+	magic := certmagic.New(certCache, certmagic.Config{
 		Storage: ctx.Storage(),
 		Logger:  t.logger,
 		OnEvent: t.onEvent,
@@ -262,13 +262,13 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 	})
 	certCacheMu.RUnlock()
 
-	unmanaged, err := t.loadUnmanagedCertificates(ctx)
-	if err != nil {
-		return err
-	}
-
-	if unmanaged > 0 {
-		t.regularlyReloadUnmanagedCertificates()
+	for _, loader := range t.certificateLoaders {
+		err := loader.Initialize(func(add []Certificate, remove []string) error {
+			return t.updateCertificates(ctx, magic, add, remove)
+		})
+		if err != nil {
+			return fmt.Errorf("loading certificates: %v", err)
+		}
 	}
 
 	// on-demand permission module
@@ -811,58 +811,17 @@ func (t *TLS) HasCertificateForSubject(subject string) bool {
 	return false
 }
 
-func (t *TLS) loadUnmanagedCertificates(ctx caddy.Context) (int, error) {
-	cached := 0
-	for _, loader := range t.certificateLoaders {
-		certs, err := loader.LoadCertificates()
-		if err != nil {
-			return 0, fmt.Errorf("loading certificates: %v", err)
-		}
-		for _, cert := range certs {
-			hash, err := t.magic.CacheUnmanagedTLSCertificate(ctx, cert.Certificate, cert.Tags)
-			if err != nil {
-				return 0, fmt.Errorf("caching unmanaged certificate: %v", err)
-			}
-			t.loaded[hash] = ""
-		}
-	}
-	return cached, nil
-}
-
-func (t *TLS) regularlyReloadUnmanagedCertificates() {
-	t.unmanagedCertsTicker = time.NewTicker(2 * time.Hour)
-	go func() {
-		defer func() {
-			if err := recover(); err != nil {
-				log.Printf("[PANIC] unmanaged certificates reloader: %v\n%s", err, debug.Stack())
-			}
-		}()
-		t.reloadUnmanagedCertificates()
-		for {
-			select {
-			case <-t.storageCleanStop:
-				return
-			case <-t.storageCleanTicker.C:
-				t.cleanStorageUnits()
-			}
-		}
-	}()
-}
-
-func (t *TLS) reloadUnmanagedCertificates() error {
-	for _, loader := range t.certificateLoaders {
-		certs, err := loader.LoadCertificates()
+func (t *TLS) updateCertificates(ctx caddy.Context, magic *certmagic.Config, add []Certificate, remove []string) error {
+	for _, cert := range add {
+		hash, err := magic.CacheUnmanagedTLSCertificate(ctx, cert.Certificate, cert.Tags)
 		if err != nil {
-			return fmt.Errorf("loading certificates: %v", err)
-		}
-		for _, cert := range certs {
-			hash, err := t.magic.CacheUnmanagedTLSCertificate(t.ctx, cert.Certificate, cert.Tags)
-			if err != nil {
-				return fmt.Errorf("caching unmanaged certificate: %v", err)
-			}
-			t.loaded[hash] = ""
+			return fmt.Errorf("caching unmanaged certificate: %v", err)
 		}
+		t.loaded[hash] = ""
 	}
+	certCacheMu.Lock()
+	certCache.Remove(remove)
+	certCacheMu.Unlock()
 	return nil
 }
 
@@ -971,7 +930,7 @@ func (t *TLS) onEvent(ctx context.Context, eventName string, data map[string]any
 // CertificateLoader is a type that can load certificates.
 // Certificates can optionally be associated with tags.
 type CertificateLoader interface {
-	LoadCertificates() ([]Certificate, error)
+	Initialize(updateCertificates func(add []Certificate, remove []string) error) error
 }
 
 // Certificate is a TLS certificate, optionally

Original file line number	Diff line number	Diff line change
`@@ -129,11 +129,11 @@ func TestHTTPTransport_DialTLSContext_ProxyProtocol(t *testing.T) {`
`129`	`129`	`defer cancel()`
`130`	`130`
`131`	`131`	`tests := []struct {`
`132`		`- name string`
`133`		`- tls *TLSConfig`
`134`		`- proxyProtocol string`
	`132`	`+ name string`
	`133`	`+ tls *TLSConfig`
	`134`	`+ proxyProtocol string`
`135`	`135`	`serverNameHasPlaceholder bool`
`136`		`- expectDialTLSContext bool`
	`136`	`+ expectDialTLSContext bool`
`137`	`137`	`}{`
`138`	`138`	`{`
`139`	`139`	`name: "no TLS, no proxy protocol",`
`@@ -194,4 +194,3 @@ func TestHTTPTransport_DialTLSContext_ProxyProtocol(t *testing.T) {`
`194`	`194`	`})`
`195`	`195`	`}`
`196`	`196`	`}`
`197`		`-`
Original file line number	Diff line number	Diff line change
`@@ -72,17 +72,16 @@ func (sl *StorageLoader) Provision(ctx caddy.Context) error {`
`72`	`72`	`return nil`
`73`	`73`	`}`
`74`	`74`
`75`		`-// LoadCertificates returns the certificates to be loaded by sl.`
`76`		`-func (sl StorageLoader) LoadCertificates() ([]Certificate, error) {`
	`75`	`+func (sl StorageLoader) Initialize(updateCertificates func(add []Certificate, remove []string) error) error {`
`77`	`76`	`certs := make([]Certificate, 0, len(sl.Pairs))`
`78`	`77`	`for _, pair := range sl.Pairs {`
`79`	`78`	`certData, err := sl.storage.Load(sl.ctx, pair.Certificate)`
`80`	`79`	`if err != nil {`
`81`		`- return nil, err`
	`80`	`+ return err`
`82`	`81`	`}`
`83`	`82`	`keyData, err := sl.storage.Load(sl.ctx, pair.Key)`
`84`	`83`	`if err != nil {`
`85`		`- return nil, err`
	`84`	`+ return err`
`86`	`85`	`}`
`87`	`86`
`88`	`87`	`var cert tls.Certificate`
`@@ -94,21 +93,21 @@ func (sl StorageLoader) LoadCertificates() ([]Certificate, error) {`
`94`	`93`	`// if the start of the key file looks like an encrypted private key,`
`95`	`94`	`// reject it with a helpful error message`
`96`	`95`	`if strings.Contains(string(keyData[:40]), "ENCRYPTED") {`
`97`		`- return nil, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")`
	`96`	`+ return fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")`
`98`	`97`	`}`
`99`	`98`
`100`	`99`	`cert, err = tls.X509KeyPair(certData, keyData)`
`101`	`100`
`102`	`101`	`default:`
`103`		`- return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)`
	`102`	`+ return fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)`
`104`	`103`	`}`
`105`	`104`	`if err != nil {`
`106`		`- return nil, err`
	`105`	`+ return err`
`107`	`106`	`}`
`108`	`107`
`109`	`108`	`certs = append(certs, Certificate{Certificate: cert, Tags: pair.Tags})`
`110`	`109`	`}`
`111`		`- return certs, nil`
	`110`	`+ return updateCertificates(certs, []string{})`
`112`	`111`	`}`
`113`	`112`
`114`	`113`	`// Interface guard`