glyph / txsni

Simple support for running a TLS server with Twisted.
MIT License

`Cache` doesn't allow certificates to be replaced after first use #12

Closed mithrandi closed 5 years ago

mithrandi commented 8 years ago

The cached certificate lasts forever, but in real use you're going to need to renew your certificate sooner or later, and having to restart all of the processes using the old cert once you renew isn't great.

I'm not really sure what the best way to tackle this is, maybe just giving the cache entries a TTL (say, an hour) is the simplest thing to do?

glyph commented 8 years ago

stat() at most once a minute, load if it's changed?
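The stat()-at-most-once-a-minute scheme suggested above, with mithrandi's TTL idea folded in, as an added example that is neither txsni's code nor either commenter's. The class name, the injectable `loader` and `clock`, and the `loads` counter are assumptions made for illustration; the check interval restarts whenever the file is stat()ed and found unchanged.

```python
# Added example (not txsni's own code): a certificate cache that re-checks the
# file on disk at most once per interval and reloads it when its mtime or size
# changes. The loader and clock are injectable so the logic can be exercised
# without any TLS objects involved.
import os
import time
from typing import Callable, Dict, Tuple


class ReloadingCertCache:
    """Cache loaded certificate objects keyed by file path.

    An entry is reused without touching the disk until ``check_interval``
    seconds have passed since the last stat(); then it is stat()ed once more
    and reloaded only if the file's signature (mtime_ns, size) changed.
    """

    def __init__(self, loader: Callable[[bytes], object],
                 check_interval: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._loader = loader
        self._check_interval = check_interval
        self._clock = clock
        # path -> (loaded object, (mtime_ns, size), time of last stat())
        self._entries: Dict[str, Tuple[object, Tuple[int, int], float]] = {}
        self.loads = 0  # how many times the loader ran (for inspection)

    def _signature(self, path: str) -> Tuple[int, int]:
        st = os.stat(path)
        return (st.st_mtime_ns, st.st_size)

    def _load(self, path: str, sig: Tuple[int, int], now: float) -> object:
        with open(path, "rb") as f:
            obj = self._loader(f.read())
        self._entries[path] = (obj, sig, now)
        self.loads += 1
        return obj

    def get(self, path: str) -> object:
        now = self._clock()
        entry = self._entries.get(path)
        if entry is None:
            return self._load(path, self._signature(path), now)
        obj, sig, checked_at = entry
        if now - checked_at < self._check_interval:
            return obj  # inside the interval: no stat() at all
        new_sig = self._signature(path)
        if new_sig == sig:
            self._entries[path] = (obj, sig, now)  # unchanged: restart timer
            return obj
        return self._load(path, new_sig, now)  # renewed on disk: reload it
```

A renewed certificate is therefore picked up within one check interval of being written, without restarting the process.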

warner commented 7 years ago

This is especially interesting in the context of Let's Encrypt, where an easy way to manage the renewal is to just have a cron job re-run the letsencrypt client every week. One of my servers was failing for an embarrassingly long amount of time, when the cert had expired, but I hadn't restarted the server. I had been in the habit of rebooting the box every few weeks, so I'd never noticed the problem before: it was only when the box stayed up for several months without a reboot that the expired cert was used for too long.

Caching the stat() timestamp for a minute sounds fine to me. Given my server's renewal rate and the letsencrypt cert-expiration time, I could personally handle caching it for up to a week without problems.

glyph commented 7 years ago

@warner - perhaps you should be using http://txacme.readthedocs.io/en/stable/ rather than running LE out of band? :)

warner commented 7 years ago

Thanks for the pointer. On one of my servers, there's a NameVirtualHost involved, with one domain that only serves the .well-known directory on behalf of an entirely different process (that speaks WebSockets on a different port). I haven't studied txacme enough to tell whether it can support that, but I'll dig into it next.

mithrandi commented 7 years ago

txacme doesn't help here unless your process is the one that owns port 443.

warner commented 7 years ago

Never mind: txacme completely solved my problems (assuming it correctly reloads the certs after it renews them, which I guess I'll find out in a few months). Awesome stuff!

mithrandi commented 7 years ago

The txacme endpoint is based around txsni, but does not use Cache at all due to this and other issues. (This incurs a performance hit, but ensures correct behaviour for the moment.) However, if you are sharing a certificate store with other servers using the txsni endpoint, those servers will not get the new certs.

glyph commented 5 years ago

Fixed by #22.