Manage acme cert in infinit channels

Signed-off-by: Emile Vauge <emile@vauge.com>
2016-12-09 14:37:39 +01:00 · 2016-12-09 14:37:39 +01:00 · a394e6a3e3
commit a394e6a3e3
parent 1a5f1977c4
4 changed files with 107 additions and 94 deletions
--- a/acme/acme.go
+++ b/acme/acme.go
@ -19,6 +19,7 @@ import (
 	"github.com/containous/traefik/log"
 	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/types"
 	"github.com/eapache/channels"
 	"github.com/xenolf/lego/acme"
 	"github.com/xenolf/lego/providers/dns"
 )
@ -46,6 +47,7 @@ type ACME struct {
 	store               cluster.Store
 	challengeProvider   *challengeProvider
 	checkOnDemandDomain func(domain string) bool
 	jobs                *channels.InfiniteChannel
 	TLSConfig           *tls.Config `description:"TLS config in case wildcard certs are used"`
 }
@ -107,6 +109,7 @@ func (a *ACME) init() error {
 		log.Warnf("ACME.StorageFile is deprecated, use ACME.Storage instead")
 		a.Storage = a.StorageFile
 	}
 	a.jobs = channels.NewInfiniteChannel()
 	return nil
 }
@ -159,9 +162,7 @@ func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tl
 			case <-ctx.Done():
 				return
 			case <-ticker.C:
-				if err := a.renewCertificates(); err != nil {
+				a.renewCertificates()
 					log.Errorf("Error renewing ACME certificate: %s", err.Error())
 				}
 			}
 		}
 	})
@ -222,12 +223,10 @@ func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tl
 			if err != nil {
 				return err
 			}
-			safe.Go(func() {
+
-				a.retrieveCertificates()
+			a.retrieveCertificates()
-				if err := a.renewCertificates(); err != nil {
+			a.renewCertificates()
-					log.Errorf("Error renewing ACME certificate %+v: %s", account, err.Error())
+			a.runJobs()
 				}
 			})
 		}
 		return nil
 	})
@ -312,19 +311,14 @@ func (a *ACME) CreateLocalConfig(tlsConfig *tls.Config, checkOnDemandDomain func
 		return err
 	}
-	safe.Go(func() {
+	a.retrieveCertificates()
-		a.retrieveCertificates()
+	a.renewCertificates()
-		if err := a.renewCertificates(); err != nil {
+	a.runJobs()
 			log.Errorf("Error renewing ACME certificate %+v: %s", account, err.Error())
 		}
 	})
 	ticker := time.NewTicker(24 * time.Hour)
 	safe.Go(func() {
 		for range ticker.C {
-			if err := a.renewCertificates(); err != nil {
+			a.renewCertificates()
 				log.Errorf("Error renewing ACME certificate %+v: %s", account, err.Error())
 			}
 		}
 	})
@ -361,83 +355,87 @@ func (a *ACME) getCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificat
 }
 func (a *ACME) retrieveCertificates() {
-	log.Infof("Retrieving ACME certificates...")
+	a.jobs.In() <- func() {
-	for _, domain := range a.Domains {
+		log.Infof("Retrieving ACME certificates...")
-		// check if cert isn't already loaded
+		for _, domain := range a.Domains {
-		account := a.store.Get().(*Account)
+			// check if cert isn't already loaded
-		if _, exists := account.DomainsCertificate.exists(domain); !exists {
+			account := a.store.Get().(*Account)
-			domains := []string{}
+			if _, exists := account.DomainsCertificate.exists(domain); !exists {
-			domains = append(domains, domain.Main)
+				domains := []string{}
-			domains = append(domains, domain.SANs...)
+				domains = append(domains, domain.Main)
-			certificateResource, err := a.getDomainsCertificates(domains)
+				domains = append(domains, domain.SANs...)
-			if err != nil {
+				certificateResource, err := a.getDomainsCertificates(domains)
-				log.Errorf("Error getting ACME certificate for domain %s: %s", domains, err.Error())
+				if err != nil {
-				continue
+					log.Errorf("Error getting ACME certificate for domain %s: %s", domains, err.Error())
-			}
+					continue
-			transaction, object, err := a.store.Begin()
+				}
-			if err != nil {
+				transaction, object, err := a.store.Begin()
-				log.Errorf("Error creating ACME store transaction from domain %s: %s", domain, err.Error())
+				if err != nil {
-				continue
+					log.Errorf("Error creating ACME store transaction from domain %s: %s", domain, err.Error())
-			}
+					continue
-			account = object.(*Account)
+				}
-			_, err = account.DomainsCertificate.addCertificateForDomains(certificateResource, domain)
+				account = object.(*Account)
-			if err != nil {
+				_, err = account.DomainsCertificate.addCertificateForDomains(certificateResource, domain)
-				log.Errorf("Error adding ACME certificate for domain %s: %s", domains, err.Error())
+				if err != nil {
-				continue
+					log.Errorf("Error adding ACME certificate for domain %s: %s", domains, err.Error())
-			}
+					continue
 				}
-			if err = transaction.Commit(account); err != nil {
+				if err = transaction.Commit(account); err != nil {
-				log.Errorf("Error Saving ACME account %+v: %s", account, err.Error())
+					log.Errorf("Error Saving ACME account %+v: %s", account, err.Error())
-				continue
+					continue
 				}
 			}
 		}
 		log.Infof("Retrieved ACME certificates")
 	}
 	log.Infof("Retrieved ACME certificates")
 }
-func (a *ACME) renewCertificates() error {
+func (a *ACME) renewCertificates() {
-	log.Debugf("Testing certificate renew...")
+	a.jobs.In() <- func() {
-	account := a.store.Get().(*Account)
+		log.Debugf("Testing certificate renew...")
-	for _, certificateResource := range account.DomainsCertificate.Certs {
+		account := a.store.Get().(*Account)
-		if certificateResource.needRenew() {
+		for _, certificateResource := range account.DomainsCertificate.Certs {
-			log.Debugf("Renewing certificate %+v", certificateResource.Domains)
+			if certificateResource.needRenew() {
-			renewedCert, err := a.client.RenewCertificate(acme.CertificateResource{
+				log.Debugf("Renewing certificate %+v", certificateResource.Domains)
-				Domain:        certificateResource.Certificate.Domain,
+				renewedCert, err := a.client.RenewCertificate(acme.CertificateResource{
-				CertURL:       certificateResource.Certificate.CertURL,
+					Domain:        certificateResource.Certificate.Domain,
-				CertStableURL: certificateResource.Certificate.CertStableURL,
+					CertURL:       certificateResource.Certificate.CertURL,
-				PrivateKey:    certificateResource.Certificate.PrivateKey,
+					CertStableURL: certificateResource.Certificate.CertStableURL,
-				Certificate:   certificateResource.Certificate.Certificate,
+					PrivateKey:    certificateResource.Certificate.PrivateKey,
-			}, true, OSCPMustStaple)
+					Certificate:   certificateResource.Certificate.Certificate,
-			if err != nil {
+				}, true, OSCPMustStaple)
-				log.Errorf("Error renewing certificate: %v", err)
+				if err != nil {
-				continue
+					log.Errorf("Error renewing certificate: %v", err)
-			}
+					continue
-			log.Debugf("Renewed certificate %+v", certificateResource.Domains)
+				}
-			renewedACMECert := &Certificate{
+				log.Debugf("Renewed certificate %+v", certificateResource.Domains)
-				Domain:        renewedCert.Domain,
+				renewedACMECert := &Certificate{
-				CertURL:       renewedCert.CertURL,
+					Domain:        renewedCert.Domain,
-				CertStableURL: renewedCert.CertStableURL,
+					CertURL:       renewedCert.CertURL,
-				PrivateKey:    renewedCert.PrivateKey,
+					CertStableURL: renewedCert.CertStableURL,
-				Certificate:   renewedCert.Certificate,
+					PrivateKey:    renewedCert.PrivateKey,
-			}
+					Certificate:   renewedCert.Certificate,
-			transaction, object, err := a.store.Begin()
+				}
-			if err != nil {
+				transaction, object, err := a.store.Begin()
-				return err
+				if err != nil {
-			}
+					log.Errorf("Error renewing certificate: %v", err)
-			account = object.(*Account)
+					continue
-			err = account.DomainsCertificate.renewCertificates(renewedACMECert, certificateResource.Domains)
+				}
-			if err != nil {
+				account = object.(*Account)
-				log.Errorf("Error renewing certificate: %v", err)
+				err = account.DomainsCertificate.renewCertificates(renewedACMECert, certificateResource.Domains)
-				continue
+				if err != nil {
-			}
+					log.Errorf("Error renewing certificate: %v", err)
 					continue
 				}
-			if err = transaction.Commit(account); err != nil {
+				if err = transaction.Commit(account); err != nil {
-				log.Errorf("Error Saving ACME account %+v: %s", account, err.Error())
+					log.Errorf("Error Saving ACME account %+v: %s", account, err.Error())
-				continue
+					continue
 				}
 			}
 		}
 	}
 	return nil
 }
 func dnsOverrideDelay(delay int) error {
@ -521,8 +519,9 @@ func (a *ACME) loadCertificateOnDemand(clientHello *tls.ClientHelloInfo) (*tls.C
 // LoadCertificateForDomains loads certificates from ACME for given domains
 func (a *ACME) LoadCertificateForDomains(domains []string) {
-	domains = fun.Map(types.CanonicalDomain, domains).([]string)
+	a.jobs.In() <- func() {
-	safe.Go(func() {
+		log.Debugf("LoadCertificateForDomains %s...", domains)
 		domains = fun.Map(types.CanonicalDomain, domains).([]string)
 		operation := func() error {
 			if a.client == nil {
 				return fmt.Errorf("ACME client still not built")
@ -576,7 +575,7 @@ func (a *ACME) LoadCertificateForDomains(domains []string) {
 			log.Errorf("Error Saving ACME account %+v: %v", account, err)
 			return
 		}
-	})
+	}
 }
 func (a *ACME) getDomainsCertificates(domains []string) (*Certificate, error) {
@ -597,3 +596,12 @@ func (a *ACME) getDomainsCertificates(domains []string) (*Certificate, error) {
 		Certificate:   certificate.Certificate,
 	}, nil
 }
 func (a *ACME) runJobs() {
 	safe.Go(func() {
 		for job := range a.jobs.Out() {
 			function := job.(func())
 			function()
 		}
 	})
 }
--- a/cluster/datastore.go
+++ b/cluster/datastore.go
@ -231,21 +231,21 @@ func (s *datastoreTransaction) Commit(object Object) error {
 	s.localLock.Lock()
 	defer s.localLock.Unlock()
 	if s.dirty {
-		return fmt.Errorf("transaction already used, please begin a new one")
+		return fmt.Errorf("Transaction already used, please begin a new one")
 	}
 	s.Datastore.meta.object = object
 	err := s.Datastore.meta.Marshall()
 	if err != nil {
-		return err
+		return fmt.Errorf("Marshall error: %s", err)
 	}
 	err = s.kv.StoreConfig(s.Datastore.meta)
 	if err != nil {
-		return err
+		return fmt.Errorf("StoreConfig error: %s", err)
 	}
 	err = s.remoteLock.Unlock()
 	if err != nil {
-		return err
+		return fmt.Errorf("Unlock error: %s", err)
 	}
 	s.dirty = true
--- a/glide.lock
+++ b/glide.lock
@ -1,5 +1,5 @@
-hash: 0d092f94db69882e79d229c34b9483899e1208eaa7dd0acdd5184635cb0cdaaa
+hash: ccd56edd81d054a00b23493227ff0765b020aa1de24f8a9d9ff54a05c0223885
-updated: 2017-01-12T12:31:31.35220213+01:00
+updated: 2017-02-03T09:45:05.719219148+01:00
 imports:
 - name: bitbucket.org/ww/goautoneg
  version: 75cd24fc2f2c2a2088577d12123ddee5f54e0675
@ -213,6 +213,10 @@ imports:
  - store/zookeeper
 - name: github.com/donovanhide/eventsource
  version: fd1de70867126402be23c306e1ce32828455d85b
 - name: github.com/eapache/channels
  version: 47238d5aae8c0fefd518ef2bee46290909cf8263
 - name: github.com/eapache/queue
  version: 44cc805cf13205b55f69e14bcb69867d1ae92f98
 - name: github.com/edeckers/auroradnsclient
  version: 8b777c170cfd377aa16bb4368f093017dddef3f9
  subpackages:
--- a/glide.yaml
+++ b/glide.yaml
@ -118,3 +118,4 @@ import:
  version: v0.3.0
  subpackages:
  - metrics
 - package: github.com/eapache/channels