Bugfixes

ramondeklein · ramondeklein · commit 037d470db5ad · 2025-11-13T18:43:54.000+01:00
diff --git a/certs/certificate2.go b/certs/certificate2.go
@@ -67,20 +67,22 @@ func NewCertificate2(certFile, keyFile string) (*Certificate2, error) {
 	var wg sync.WaitGroup
 
 	var c Certificate2
+	var once sync.Once
 	c.close = func() {
-		c.close = nil // don't run multiple times
-		notify.Stop(ch)
-		cancel()
-		wg.Wait() // don't close channel before goroutine is done
-		close(ch)
-
-		c.lock.Lock()
-		subs := c.subscriptions
-		c.subscriptions = nil
-		c.lock.Unlock()
-		for _, sub := range subs {
-			close(sub)
-		}
+		once.Do(func() {
+			notify.Stop(ch)
+			cancel()
+			wg.Wait() // don't close channel before goroutine is done
+			close(ch)
+
+			c.lock.Lock()
+			subs := c.subscriptions
+			c.subscriptions = nil
+			c.lock.Unlock()
+			for _, sub := range subs {
+				close(sub)
+			}
+		})
 	}
 	c.Store(&cert)
 
@@ -98,10 +100,12 @@ func NewCertificate2(certFile, keyFile string) (*Certificate2, error) {
 			certPEMBlock, err := os.ReadFile(certFile)
 			if err != nil {
 				log.Printf("reloading certificate failed: %s", err)
+				continue
 			}
 			keyPEMBlock, err := os.ReadFile(keyFile)
 			if err != nil {
 				log.Printf("reloading key failed: %s", err)
+				continue
 			}
 			newCertHash := sha256.Sum256(certPEMBlock)
 			newKeyHash := sha256.Sum256(keyPEMBlock)
@@ -126,7 +130,11 @@ func NewCertificate2(certFile, keyFile string) (*Certificate2, error) {
 				subs := append([]chan *Certificate2{}, c.subscriptions...)
 				c.lock.Unlock()
 				for _, sub := range subs {
-					sub <- &c
+					select {
+					case sub <- &c:
+					default:
+						log.Printf("certificate update notification dropped: subscriber channel full")
+					}
 				}
 			}()
 		}
@@ -167,9 +175,7 @@ func (c *Certificate2) Subscribe(callback func(*Certificate2)) func() {
 
 // Close stops watching the certificate files and releases all resources.
 func (c *Certificate2) Close() {
-	if cl := c.close; cl != nil {
-		cl()
-	}
+	c.close()
 }
 
 func watchFile(ctx context.Context, path string, ch chan notify.EventInfo, wg *sync.WaitGroup) error {
diff --git a/certs/global_certs.go b/certs/global_certs.go
@@ -24,7 +24,7 @@ import (
 )
 
 var (
-	globalCerts     map[string]*Certificate2
+	globalCerts     map[string]*Certificate2 // once a certificate is loaded, we keep it here forever
 	globalCertsLock sync.Mutex
 )
 
@@ -55,7 +55,7 @@ func globalCertificate(certFile, keyFile string) (*Certificate2, error) {
 }
 
 // GetClientCertificate returns a function that returns the given
-// certificate/key pair for use in tls.Config.ClientCertificate.
+// certificate/key pair for use in tls.Config.GetClientCertificate.
 func GetClientCertificate(certFile, keyFile string) (func(*tls.CertificateRequestInfo) (*tls.Certificate, error), error) {
 	cert, err := globalCertificate(certFile, keyFile)
 	if err != nil {
diff --git a/certs/manager2.go b/certs/manager2.go
@@ -48,32 +48,38 @@ type Manager2 struct {
 // The manager is using internal synchronization and is safe for concurrent
 // use. Make sure to call Close when the manager is no longer needed.
 func NewManager2(loadCerts func() ([]*Certificate2, error)) (*Manager2, error) {
+	certUpdateCh := make(chan *Certificate2, 1)
+
 	// Load initial certificates
 	certs, err := loadCerts()
 	if err != nil {
 		return nil, err
 	}
 
+	// Subscribe to initial certificates
+	for _, cert := range certs {
+		// no need to store the close function, because
+		// certificates are closed when they are replaced
+		// and that will automatically close all subscriptions.
+		cert.Subscribe(func(updatedCert *Certificate2) {
+			certUpdateCh <- updatedCert
+		})
+	}
+
 	closeCh := make(chan struct{})
 
 	mgr := Manager2{
 		close: closeCh,
 	}
 	mgr.certs.Store(&certs)
 
-	certUpdateCh := make(chan *Certificate2, 1)
-
 	replaceCerts := func(newCerts []*Certificate2) {
 		oldCerts := mgr.certs.Swap(&newCerts)
 		for i := range *oldCerts {
 			(*oldCerts)[i].Close()
 		}
 
-		// Subscribe to new certificates
 		for _, cert := range newCerts {
-			// no need to store the close function, because
-			// certificates are closed when they are replaced
-			// and that will automatically close all subscriptions.
 			cert.Subscribe(func(updatedCert *Certificate2) {
 				certUpdateCh <- updatedCert
 			})
@@ -106,7 +112,11 @@ func NewManager2(loadCerts func() ([]*Certificate2, error)) (*Manager2, error) {
 				subs := append([]chan *Certificate2{}, mgr.subscriptions...)
 				mgr.subscriptionLock.Unlock()
 				for _, sub := range subs {
-					sub <- cert
+					select {
+					case sub <- cert:
+					default:
+						log.Printf("certificate update notification dropped: subscriber channel full")
+					}
 				}
 			case <-signalCh:
 				certs, err := loadCerts()

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ import (`
`24`	`24`	`)`
`25`	`25`
`26`	`26`	`var (`
`27`		`- globalCerts map[string]*Certificate2`
	`27`	`+ globalCerts map[string]*Certificate2 // once a certificate is loaded, we keep it here forever`
`28`	`28`	`globalCertsLock sync.Mutex`
`29`	`29`	`)`
`30`	`30`
`@@ -55,7 +55,7 @@ func globalCertificate(certFile, keyFile string) (*Certificate2, error) {`
`55`	`55`	`}`
`56`	`56`
`57`	`57`	`// GetClientCertificate returns a function that returns the given`
`58`		`-// certificate/key pair for use in tls.Config.ClientCertificate.`
	`58`	`+// certificate/key pair for use in tls.Config.GetClientCertificate.`
`59`	`59`	`func GetClientCertificate(certFile, keyFile string) (func(tls.CertificateRequestInfo) (tls.Certificate, error), error) {`
`60`	`60`	`cert, err := globalCertificate(certFile, keyFile)`
`61`	`61`	`if err != nil {`