1 // Copyright 2016 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
14 // renewJitter is the maximum deviation from Manager.RenewBefore.
15 const renewJitter = time.Hour
17 // domainRenewal tracks the state used by the periodic timers
18 // renewing a single domain's cert.
19 type domainRenewal struct {
28 // start starts a cert renewal timer at the time
29 // defined by the certificate expiration time exp.
31 // If the timer is already started, calling start is a noop.
32 func (dr *domainRenewal) start(exp time.Time) {
34 defer dr.timerMu.Unlock()
38 dr.timer = time.AfterFunc(dr.next(exp), dr.renew)
41 // stop stops the cert renewal timer.
42 // If the timer is already stopped, calling stop is a noop.
43 func (dr *domainRenewal) stop() {
45 defer dr.timerMu.Unlock()
53 // renew is called periodically by a timer.
54 // The first renew call is kicked off by dr.start.
55 func (dr *domainRenewal) renew() {
57 defer dr.timerMu.Unlock()
62 ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
64 // TODO: rotate dr.key at some point?
65 next, err := dr.do(ctx)
67 next = renewJitter / 2
68 next += time.Duration(pseudoRand.int63n(int64(next)))
70 dr.timer = time.AfterFunc(next, dr.renew)
71 testDidRenewLoop(next, err)
74 // do is similar to Manager.createCert but it doesn't lock a Manager.state item.
75 // Instead, it requests a new certificate independently and, upon success,
76 // replaces dr.m.state item with a new one and updates cache for the given domain.
78 // It may return immediately if the expiration date of the currently cached cert
79 // is far enough in the future.
81 // The returned value is a time interval after which the renewal should occur again.
82 func (dr *domainRenewal) do(ctx context.Context) (time.Duration, error) {
83 // a race is likely unavoidable in a distributed environment
84 // but we try nonetheless
85 if tlscert, err := dr.m.cacheGet(ctx, dr.domain); err == nil {
86 next := dr.next(tlscert.Leaf.NotAfter)
87 if next > dr.m.renewBefore()+renewJitter {
92 der, leaf, err := dr.m.authorizedCert(ctx, dr.key, dr.domain)
101 tlscert, err := state.tlscert()
105 dr.m.cachePut(ctx, dr.domain, tlscert)
107 defer dr.m.stateMu.Unlock()
108 // m.state is guaranteed to be non-nil at this point
109 dr.m.state[dr.domain] = state
110 return dr.next(leaf.NotAfter), nil
113 func (dr *domainRenewal) next(expiry time.Time) time.Duration {
114 d := expiry.Sub(timeNow()) - dr.m.renewBefore()
115 // add a bit of randomness to renew deadline
116 n := pseudoRand.int63n(int64(renewJitter))
117 d -= time.Duration(n)
124 var testDidRenewLoop = func(next time.Duration, err error) {}