From 19f36667f75491f101b28b558551fc9639006f79 Mon Sep 17 00:00:00 2001 From: Matthew Holt Date: Tue, 17 Sep 2019 16:00:15 -0600 Subject: [PATCH] tls: Clean up expired OCSP staples and certificates --- go.mod | 2 +- go.sum | 4 +-- modules/caddytls/tls.go | 76 +++++++++++++++++++++++++++++++++++++++-- 3 files changed, 77 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index 0e35662e..36457f42 100644 --- a/go.mod +++ b/go.mod @@ -18,7 +18,7 @@ require ( github.com/klauspost/compress v1.7.1-0.20190613161414-0b31f265a57b github.com/klauspost/cpuid v1.2.1 github.com/lucas-clemente/quic-go v0.7.1-0.20190908032346-fc962d18373a - github.com/mholt/certmagic v0.7.1 + github.com/mholt/certmagic v0.7.2 github.com/muhammadmuzzammil1998/jsonc v0.0.0-20190902132743-e4903c4dea48 github.com/rs/cors v1.6.0 github.com/russross/blackfriday/v2 v2.0.1 diff --git a/go.sum b/go.sum index da08824c..77d3eaf6 100644 --- a/go.sum +++ b/go.sum @@ -158,8 +158,8 @@ github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzp github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= github.com/mattn/go-tty v0.0.0-20180219170247-931426f7535a/go.mod h1:XPvLUNfbS4fJH25nqRHfWLMa1ONC8Amw+mIA639KxkE= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/mholt/certmagic v0.7.1 h1:nbSSVwvlDE3+vttD/RBikBIkxrlKVkIQOz449gCrG5Q= -github.com/mholt/certmagic v0.7.1/go.mod h1:hqHzDsY32TwZpj/KswVylheSISjquF/eOVOaJTYV15w= +github.com/mholt/certmagic v0.7.2 h1:i4FRZyM33Ke6UdTrq69hLSRq1xvqS83JQTkzzUWtuF4= +github.com/mholt/certmagic v0.7.2/go.mod h1:hqHzDsY32TwZpj/KswVylheSISjquF/eOVOaJTYV15w= github.com/miekg/dns v1.1.15 h1:CSSIDtllwGLMoA6zjdKnaE6Tx6eVUxQ29LUgGetiDCI= github.com/miekg/dns v1.1.15/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go index df4631c4..1f05c1df 100644 --- a/modules/caddytls/tls.go +++ b/modules/caddytls/tls.go @@ -18,7 +18,9 @@ import ( "crypto/tls" "encoding/json" "fmt" + "log" "net/http" + "sync" "time" "github.com/caddyserver/caddy/v2" @@ -40,6 +42,8 @@ type TLS struct { certificateLoaders []CertificateLoader certCache *certmagic.Cache ctx caddy.Context + storageCleanTicker *time.Ticker + storageCleanStop chan struct{} } // CaddyModule returns the Caddy module information. @@ -121,6 +125,9 @@ func (t *TLS) Provision(ctx caddy.Context) error { } } + t.storageCleanTicker = time.NewTicker(storageCleanInterval) + t.storageCleanStop = make(chan struct{}) + return nil } @@ -140,16 +147,25 @@ func (t *TLS) Start() error { } t.Certificates = nil // allow GC to deallocate + t.keepStorageClean() + return nil } // Stop stops the TLS module and cleans up any allocations. func (t *TLS) Stop() error { + // stop the certificate cache if t.certCache != nil { - // TODO: ensure locks are cleaned up too... maybe in certmagic though t.certCache.Stop() } + + // stop the session ticket rotation goroutine t.SessionTickets.stop() + + // stop the storage cleaner goroutine and ticker + close(t.storageCleanStop) + t.storageCleanTicker.Stop() + return nil } @@ -200,12 +216,60 @@ func (t *TLS) getAutomationPolicyForName(name string) AutomationPolicy { return AutomationPolicy{Management: new(ACMEManagerMaker)} } -// CertificatesForSAN returns the list of all certificates in +// AllMatchingCertificates returns the list of all certificates in // the cache which could be used to satisfy the given SAN. func (t *TLS) AllMatchingCertificates(san string) []certmagic.Certificate { return t.certCache.AllMatchingCertificates(san) } +// keepStorageClean immediately cleans up all known storage units +// if it was not recently done, and starts a goroutine that runs +// the operation at every tick from t.storageCleanTicker. +func (t *TLS) keepStorageClean() { + go func() { + for { + select { + case <-t.storageCleanStop: + return + case <-t.storageCleanTicker.C: + t.cleanStorageUnits() + } + } + }() + t.cleanStorageUnits() +} + +func (t *TLS) cleanStorageUnits() { + storageCleanMu.Lock() + defer storageCleanMu.Unlock() + + if !storageClean.IsZero() && time.Since(storageClean) < storageCleanInterval { + return + } + + options := certmagic.CleanStorageOptions{ + OCSPStaples: true, + ExpiredCerts: true, + ExpiredCertGracePeriod: 24 * time.Hour * 14, + } + + // start with the default storage + certmagic.CleanStorage(t.ctx.Storage(), options) + + // then clean each storage defined in ACME automation policies + for _, ap := range t.Automation.Policies { + if acmeMgmt, ok := ap.Management.(ACMEManagerMaker); ok { + if acmeMgmt.storage != nil { + certmagic.CleanStorage(acmeMgmt.storage, options) + } + } + } + + storageClean = time.Now() + + log.Println("[INFO] tls: Cleaned up storage unit(s)") +} + // CertificateLoader is a type that can load certificates. // Certificates can optionally be associated with tags. type CertificateLoader interface { @@ -301,4 +365,12 @@ var ( } ) +// Variables related to storage cleaning. +var ( + storageCleanInterval = 12 * time.Hour + + storageClean time.Time + storageCleanMu sync.Mutex +) + const automateKey = "automate"