caddyserver / certmagic

Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal
https://pkg.go.dev/github.com/caddyserver/certmagic?tab=doc
Apache License 2.0

DecisionFunc and certificate clean up #258

Closed RonniSkansing closed 7 months ago

RonniSkansing commented 7 months ago

What is your question?

When using the certmagic.OnDemandConfig does certmagic automatically clean up certificate storage, when a domain is no longer allowed?

Example:

certmagic.Default.OnDemand = &certmagic.OnDemandConfig{
    DecisionFunc: func(name string) error {
        // check in DB if name should have managed TLS
        isAllowed := check(name)
        if !isAllowed {
            // will a previously allowed domain be cleaned up when it changes
            // from allowed to not allowed?
            return fmt.Errorf("Not allowed: %s", name)
        }
        return nil
    },
}

Also, I am assuming caching does so that the DecisionFunc is not called every time once a name has been allowed. So when a domain goes from being allowed to not allowed, is there a function or logic that must be followed to bust the cache for that name, or should I manually revoke and/or delete the certificate files?

What have you already tried?

I tried looking into the source files, but have been unable to conclude the exact behavior or how it is handled with DecisionFunc.

francislavoie commented 7 months ago

The unused cert will stay in storage until it expires, then it will be deleted once expired. So it'll stay in storage for up to 90 days.

mholt commented 7 months ago

We wait until some time after it expires just in case it's useful to have around for any sort of investigations but yeah, it'll be cleaned up automatically later.

Do NOT revoke certificates unless a private key has been compromised.