From f8542ebcee1bf7f979cb8cb970078013a6996170 Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Thu, 18 Feb 2021 18:09:37 +0100
Subject: [PATCH] Unmanage certificates when no longer needed

---
 server.go | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/server.go b/server.go
index ed392d3..83646b4 100644
--- a/server.go
+++ b/server.go
@@ -119,7 +119,6 @@ func (srv *Server) Start() error {
 
 func (srv *Server) Stop() {
 srv.cancelACME()
- // TODO: clean cached unmanaged certs
 for _, ln := range srv.Listeners {
 ln.Stop()
 }
@@ -154,7 +153,6 @@ func (srv *Server) Replace(old *Server) error {
 }
 return fmt.Errorf("failed to start ACME: %v", err)
 }
- // TODO: clean cached unmanaged certs
 
 // Take over existing listeners and terminate old ones
 for addr, oldLn := range old.Listeners {
@@ -165,6 +163,21 @@ func (srv *Server) Replace(old *Server) error {
 }
 }
 
+ // Cleanup managed certs which are no longer used
+ managed := make(map[string]struct{}, len(old.ManagedNames))
+ for _, name := range srv.ManagedNames {
+ managed[name] = struct{}{}
+ }
+ unmanage := make([]string, 0, len(old.ManagedNames))
+ for _, name := range old.ManagedNames {
+ if _, ok := managed[name]; !ok {
+ unmanage = append(unmanage, name)
+ }
+ }
+ srv.ACMEConfig.Unmanage(unmanage)
+
+ // TODO: evict unused unmanaged certs from the cache
+
 return nil
 }
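Review bot: The capacity hint for `managed` in the last hunk uses `len(old.ManagedNames)` although the map is filled from `srv.ManagedNames`; it should read `managed := make(map[string]struct{}, len(srv.ManagedNames))`. Every name collected in `unmanage` is by construction absent from `srv.ManagedNames`, so `srv.ACMEConfig.Unmanage(unmanage)` only has an effect if `srv.ACMEConfig` shares its certificate state with the old server, which this hunk does not show; a comment such as `// relies on srv.ACMEConfig sharing its cert state with old` would make that assumption explicit. The lookup is an exact string match, so if `ManagedNames` is not normalized elsewhere (case, trailing dot), a name that is still served under a different spelling could be unmanaged and stop renewing. The first hunk drops the TODO from `Stop` without adding a cleanup there, so a plain shutdown presumably still leaves its names managed. `Replace` begins before this hunk.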