Fix an error where we'd constantly try to renew SSL certificates

Set the renewal timestamp on the initial certificate load.

Fix an error where we'd constantly try to renew SSL certificates
cc772fcb · ale · e678f2d6 · cc772fcb
Commit cc772fcb authored 4 years ago by ale
--- a/node/acme/manager.go
+++ b/node/acme/manager.go
@@ -80,6 +80,12 @@ func NewManager(ctx context.Context, cli *clientv3.Client, email, directoryURL s
 	// validation tokens on etcd.
 	acmeMgr := NewACME(email, directoryURL, newEtcdKeyStore(cli, keyPath), newEtcdTokenStore(cli))

+	m := &Manager{
+		ACME:  acmeMgr,
+		names: certNames,
+		cli:   cli,
+	}
+
 	// Try to fetch the existing certificate from etcd, or
 	// generate a self-signed one.
 	cert, rev, err := fetchCert(ctx, cli, certPath)
@@ -92,17 +98,9 @@ func NewManager(ctx context.Context, cli *clientv3.Client, email, directoryURL s
 			return nil, fmt.Errorf("failed to create self-signed certificate: %v", err)
 		}
 	}
-	tlsCert, err := cert.TLSCertificate()
-	if err != nil {
-		return nil, err
-	}

-	m := &Manager{
-		ACME:    acmeMgr,
-		names:   certNames,
-		cli:     cli,
-		cert:    cert,
-		tlsCert: tlsCert,
+	if err := m.setCert(cert); err != nil {
+		return nil, err
 	}

 	// Update m.cert using a watcher.
@@ -143,13 +141,15 @@ func (m *Manager) shouldRenew() bool {

 func (m *Manager) renewLoop(ctx context.Context) {
 	// Initial delay to stagger concurrent initialization.
-	time.Sleep(time.Duration(mrand.Intn(30)) * time.Second)
+	time.Sleep(time.Duration(mrand.Intn(300)) * time.Second)

 	for {
 		if m.shouldRenew() {
 			log.Printf("attempting to renew SSL certificate...")
 			if err := m.renew(ctx); err != nil {
 				log.Printf("renewal failed: %v", err)
+			} else {
+				log.Printf("successfully renewed SSL certificate")
 			}
 		}