Evict unused unmanaged certs from cache on reload

2024-04-28 08:55:00 +02:00 · 2023-11-20 15:40:42 +01:00 · 2023-11-20 15:40:42 +01:00 · 37aeff9b6d
parent bbdaec6b98
commit 37aeff9b6d
1 changed files with 17 additions and 4 deletions
--- a/server.go
+++ b/server.go
@ -46,8 +46,9 @@ type Server struct {
 	ACMEIssuer *certmagic.ACMEIssuer
 	ACMEConfig *certmagic.Config

-	acmeCache  *acmeCache
-	cancelACME context.CancelFunc
+	acmeCache       *acmeCache
+	cancelACME      context.CancelFunc
+	unmanagedHashes []string
 }

 func NewServer() *Server {
@ -92,10 +93,11 @@ func (srv *Server) startACME() error {
 	srv.acmeCache.config.Store(srv.ACMEConfig)

 	for _, cert := range srv.UnmanagedCerts {
-		_, err := srv.ACMEConfig.CacheUnmanagedTLSCertificate(ctx, cert, nil)
+		hash, err := srv.ACMEConfig.CacheUnmanagedTLSCertificate(ctx, cert, nil)
 		if err != nil {
 			return fmt.Errorf("failed to cache unmanaged TLS certificate: %v", err)
 		}
+		srv.unmanagedHashes = append(srv.unmanagedHashes, hash)
 	}

 	if err := srv.ACMEConfig.ManageAsync(ctx, srv.ManagedNames); err != nil {
@ -183,7 +185,18 @@ func (srv *Server) Replace(old *Server) error {
 	}
 	srv.acmeCache.cache.RemoveManaged(removeManaged)

-	// TODO: evict unused unmanaged certs from the cache
+	// Cleanup unmanaged certs which are no longer used
+	unmanaged := make(map[string]struct{}, len(srv.unmanagedHashes))
+	for _, hash := range srv.unmanagedHashes {
+		unmanaged[hash] = struct{}{}
+	}
+	removeUnmanaged := make([]string, 0, len(old.unmanagedHashes))
+	for _, hash := range old.unmanagedHashes {
+		if _, ok := unmanaged[hash]; !ok {
+			removeUnmanaged = append(removeUnmanaged, hash)
+		}
+	}
+	srv.acmeCache.cache.Remove(removeUnmanaged)

 	return nil
 }