How to get cache when using default config?

[teleclimber]

What is your question?

I am upgrading to the latest certmagic, and have to adjust my code given the loss of Config.Unmanage(). In my simple use of certmagic I create it using certmagic.NewDefault(), meaning I don't create the cache in my code.

The release notes say I should replace Unmanage with Cache.RemoveManaged(). But I don't have the cache.

I looked at the docs and I don't see a getter for the cache in Config.

What have you already tried?

I could try creating a default cache myself, stashing a pointer to it, and using that when I need to stop managing a cert. But that would defeat the convenience of NewDefault.

I am wondering if I missed something, or if there should maybe be a getter for the Cache in Config. Or it could be exported? It's the only non-exported field in the config.

Bonus: What do you use this package for, and does it help you?

I'm happily using certmagic in my project Dropserver.

https://github.com/teleclimber/Dropserver/blob/9585ea716ba59ddb3feeab09ff10841238be1af0/cmd/ds-host/certificatemanager.go/certificatemanager.go#L108

Thanks!

[mholt]

It's unexported to avoid it being changed, etc.

If you have such an advanced use case that you need to remove certs from the cache, why not just make your own cache?

[teleclimber]

Sure I can understand that this shouldn't get changed. I can totally build my own cache. I was just asking because it seemed weird (as in a step in the wrong direction) that the change to cache.RemoveManaged() has the side effect of preventing use of NewDefault.

But maybe I'm doing this all wrong. In my case users can stop using a subdomain, and as such the certificate should "go away" (deleted and no longer renewed). Is Revoke() what I should be using here? Presumably using cessationOfOperation reason code? I've never "revoked" a cert when I stopped using it, but it seems this is the correct thing to do?

Thanks.

[mholt]

I guess we could consider putting RemoveManaged() onto the Config instead of the cache... hmm, I'll look into it.

But maybe I'm doing this all wrong. In my case users can stop using a subdomain, and as such the certificate should "go away" (deleted and no longer renewed).

If you don't control the domains (i.e. they are their domains) then you should use on-demand TLS, which will do all this for you :+1:

It's unusual to need to stop cert management with the same config otherwise. But I can still look into this if on-demand TLS really isn't the right thing for you.

[teleclimber]

If you don't control the domains (i.e. they are their domains) then you should use on-demand TLS, which will do all this for you 👍

In Dropserver's case, people run their own instances, and use subdomains of domains that they own. It's not a service that I run where anybody from the public can use it with their domain.

Maybe on-demand TLS would work, but the Dropserver instance knows when a new subdomain is created to serve an app, and when it's deleted. So it seems natural to hook in to those events to create and remove certificates.

[mholt]

Hm, I see. I'll look into refactoring this when I have a chance :+1: