Integrate CertFetcher with flag-protection into AMP Packager. #349
Conversation
… Update certcache to use certfetcher if cert autorenew is turned on. Update certloader.PopulateCertCache to instantiate certfetcher and pass it on to certcache instance.
… Update certcache to use certfetcher if cert autorenew is turned on. Update certloader.PopulateCertCache to instantiate certfetcher and pass it on to certcache instance.
packager/certcache/certcache.go
Outdated
| // How often to check if certs needs updating. | ||
| const CertCheckInterval = 24 * time.Hour | ||
|
|
||
| // Recommended renewal duration for certs. |
There was a problem hiding this comment.
Maybe clarify in the comments that this is the duration before the next expiry rather than the duration after the last renewal.
| } | ||
| d, err := util.GetDurationToExpiry(this.certs[0], this.certs[0].NotAfter) | ||
| if err != nil { | ||
| // Current cert is already invalid. Check if renewal is available. |
There was a problem hiding this comment.
Consider using TODO to mark places for the follow-on changes.
There was a problem hiding this comment.
I already try to do this, what you pointed out is code I missed updating and now fixed. Thanks!
…address comments from gregable@.
…p autorenewcert config parsing.
…e loaded by non-auto-renewing amppackager instances.
…e gateway server dir. Re-ran go mod tidy.
packager/certcache/certcache.go
Outdated
| // If renewedCerts is set, copy that over to certs | ||
| // and set renewedCerts to nil. | ||
| // TODO(banaag): do the same cert setting dance on disk. | ||
| // Purge OCSP cache? Make shouldUpdateOCSP() return true? |
There was a problem hiding this comment.
Ooh, don't forget TODO this (future PR OK).
There was a problem hiding this comment.
I did the cert setting dance on disk. The Purge OCSP cache can be a future PR.
| certs []*x509.Certificate | ||
| // If certFetcher is not set, that means cert auto-renewal is not available. | ||
| certFetcher *certfetcher.CertFetcher | ||
| renewedCertsMu sync.RWMutex |
There was a problem hiding this comment.
- The certName should change on a cert renewal (the sha256 computed by util.CertName is different), I think? So I think we need a CertCache.renewedCertName field also.
- I think we need to put any reads/writes of certName and renewedCertName under their respective RWMutex.
packager/certcache/certcache.go
Outdated
| log.Println("Error trying to fetch new certificates from CA: ", err) | ||
| return | ||
| } | ||
| this.setNewCerts(certs) |
There was a problem hiding this comment.
This logic seems incorrect to me; sorry if I read it wrong. AFAICT:
- 8 days before expiry, this code runs and creates the new cert file. Nothing uses it yet.
- 1 day later, maintainCerts calls this function again, which will lead down here to another call to FetchNewCert. Ditto daily.
- Finally, maintainCerts calls this function and the old cert is expired, at which point the new cert is copied on top of it.
Step 2 seems like it'll make multiple redundant ACME requests for a cert.
Step 3 seems like it's happening at the wrong time (both too soon and too late). It seems like we should wait until we can get a GOOD OCSP response for it, and then immediately start serving it and using it to sign SXGs, so that we don't enter that 7-day period when we can't sign SXGs that last long enough.
There was a problem hiding this comment.
Let me think about this and our offline discussion about OCSP checks and send a follow-up PR when it's done. Thanks!
… I will address in a later commit.
There was a problem hiding this comment.
OK, I don't want to block you any more than I already have (sorry!) so I'll approve with a few remaining changes you can make before merging.
Before recommending this to users, though, I would like to see:
- A lot more test coverage (future PR OK). This adds some new functions with a lot of branching paths, and also complex interactions between functions based on the timing of the various go routines, or when things happen on the ACME or OCSP server, or when things happen on another AMP Packager.
- Go over your TODOs again, to see if there's anything we missed (future PR OK). For example, I recall we were supposed to present the TOS as part of the initial setup process (certfetcher.go).
packager/certcache/certcache.go
Outdated
| @@ -234,6 +237,9 @@ func (this *CertCache) ocspMidpoint(bytes []byte, issuer *x509.Certificate) (tim | |||
|
|
|||
| func (this *CertCache) ServeHTTP(resp http.ResponseWriter, req *http.Request) { | |||
| params := mux.Params(req) | |||
|
|
|||
| this.certsMu.Lock() | |||
There was a problem hiding this comment.
Should this be RLock/RUnlock? The only use of this.certs is a read, down on line 333.
Also, should it be closer to the read (i.e. inside the for loop)?
There was a problem hiding this comment.
This is already RLock and RUnlock in the current version (maybe you were looking at an older file?). Also, this is supposed to guard the read on this.certName. In the current version, I don't see anything on line 333 that needs to be guarded.
| @@ -475,22 +481,50 @@ func (this *CertCache) findIssuer() *x509.Certificate { | |||
| return nil | |||
| } | |||
|
|
|||
| // Finds the issuer of the specified cert (i.e. the second from the bottom of the | |||
| // chain). | |||
| func (this *CertCache) findIssuerUsingCerts(certs []*x509.Certificate) *x509.Certificate { | |||
There was a problem hiding this comment.
Eliminate the duplication: implement findIssuer() using this.
| @@ -669,30 +718,61 @@ func (this *CertCache) updateCertIfNecessary() { | |||
| this.setCerts(certs) | |||
There was a problem hiding this comment.
Should this one have an OCSP cache purge, too? If so, maybe move the certloader.RemoveFile call inside the setCerts impl.
packager/certcache/certcache.go
Outdated
| d := time.Duration(0) | ||
| err := errors.New("") | ||
| if this.hasCert() { | ||
| d, err = util.GetDurationToExpiry(this.certs[0], time.Now()) | ||
| } |
There was a problem hiding this comment.
Ran go fmt certcache.go
packager/certcache/certcache.go
Outdated
| d := time.Duration(0) | ||
| err := errors.New("") |
There was a problem hiding this comment.
I'm not a fan of having these incorrect default values. Perhaps it's worth extracting the first half of this function as a:
func (this *CertCache) doesCertNeedReloading() bool {
if !this.hasCert() { return true }
d, err := ...
return err != nil || d < certRenewalInterval
}
packager/certloader/certloader.go
Outdated
| issuer := certToPEM(certs[1]) | ||
| bundled := append(cert, issuer...) | ||
| certLen := len(certs) | ||
| bundled := make([]byte, 0, 0) |
packager/certloader/certloader.go
Outdated
| bundled := append(cert, issuer...) | ||
| certLen := len(certs) | ||
| bundled := make([]byte, 0, 0) | ||
| for i := 0; i < certLen - 1; i++ { |
There was a problem hiding this comment.
Can you just change certLen - 1 to certLen and get rid of the special case issuer after the loop? Better still use for _, cert := range certs {.
packager/certloader/certloader.go
Outdated
| cert := certToPEM(certs[i]) | ||
| bundled = append(bundled, cert...) | ||
| } | ||
| issuer := certToPEM(certs[certLen]) |
There was a problem hiding this comment.
Won't certs[certLen] cause an out-of-range error?
Also, FYI, other than the leaf cert being at position 0, there's no ordering requirement for the rest of the certs array. The issuer cert can be any of the subsequent certs. (Hence why findIssuer() exists.)
There was a problem hiding this comment.
Ok fixed in previous comment. Good to know about issuer position.
packager/certcache/certcache.go
Outdated
| } else { | ||
| var ocspUpdateAfter time.Time | ||
|
|
||
| ocsp, _, errorOcsp := this.readOCSP(true) |
There was a problem hiding this comment.
It's Go style to capitalize the initialisms inside camel-case, e.g. errorOCSP and newOCSP. (But keep it lowercase if it's the first one, like ocspUpdateAfter.)
packager/certcache/certcache.go
Outdated
|
|
||
| ocsp, _, errorOcsp := this.readOCSP(true) | ||
| if errorOcsp != nil { | ||
| newOcsp := this.fetchOCSP(ocsp, this.renewedCerts, &ocspUpdateAfter, false) |
There was a problem hiding this comment.
AFAICT, this is going to try to fetch the OCSP response for the new cert once a day, rather than using the backoff retry logic you added to readOCSP. Is that desired? Maybe that's OK for now, but can you add a TODO to revisit?
I realize it's difficult to use readOCSP here, since it's hard-coded to use this.certs and friends, rather than this.renewedCerts and friends. That makes me think two things:
- The extraction of the retry logic from readOCSP would be useful.
- We should bundle certName, certs, certsMu, ocspFile, ocspFilePath, ocspUpdateAfter, and ocspUpdateAfterMu into a new struct type, and then have two copies of that in certcache - one for current certs and one for new certs.
OK for future PR... TODO? 🐑 😁
There was a problem hiding this comment.
The logic for the certs is by design and is as follows:
updateCertIfNecessary() will be called:
- On demand, during initialization or when GetLatestCert() is called and we already have an expired cert.
- Every 'certCheckInterval' hours (currently every 24 hours).
The logic for retries in readOCSP is specific to just reading OCSP and retrying when we got a new cert because of Digicert's setup.
Inside updateCertIfNecessary, there's a case where we already got the renewalCert (waiting in this.renewedCerts) and in this case, we make sure we also get the OCSP by calling readOCSP with retries set to true.
I understand your suggestion of possibly reusing the readOCSP retry logic in this edge case, but given that the updateCertIfNecessary() calls are a day apart, chances are the fetchOCSP might fail the first time, but will succeed the next day. Given that, it will still be nice-to-have the refactor of readOCSP so I added this as a TODO.
| // Callers can use the uninitialized CertCache for testing certificates (without doing OCSP or | ||
| // cert refreshes). | ||
| func New(certs []*x509.Certificate, certFetcher *certfetcher.CertFetcher, domains []string, | ||
| certFile string, newCertFile string, ocspCache string) *CertCache { |
There was a problem hiding this comment.
Consider this comment optional.
The long argument list makes the callsites tricky to read and easy to get wrong, especially if several of the arguments have the same type.
An alternative pattern would be to create an IsInitialized() bool or similarly named function that verifies all of the required fields have been set. Then callers can just set fields in the struct by name and assert IsInitialized before doing anything with it.
packager/certcache/certcache.go
Outdated
| continue | ||
| } | ||
| } | ||
| if len(ocsp) == 0 { |
There was a problem hiding this comment.
You have 3 places in this method that catch different error cases and trigger the numTries++;continue logic.
Consider extracting a method that does the ocsp read, checks all of the conditions (read error, empty file, unhealthy ocsp) and returns an error on any. This method and for loop then just implements the retry on error logic, but only needs a single condition/continue block.
| } else { | ||
| break | ||
| } | ||
| numTries++ |
There was a problem hiding this comment.
Is this reachable?
The previous condition block starting l.367 always exists I think.
There was a problem hiding this comment.
Fixed with refactor from comment above.
| // Wait using exponential backoff. | ||
| log.Printf("Waiting for %d minute(s)\n", waitTimeInMinutes) | ||
| waitTimeDuration := time.Duration(waitTimeInMinutes) * time.Minute | ||
| // For exponential backoff. |
There was a problem hiding this comment.
There is no "right" read pattern, so feel free to ignore as bikeshedding.
I think that the cost of making an OCSP request to the CA is reasonably low enough that we could do it every minute or 10 until it succeeds or we time out.
With this backoff, the last lookup is 8hrs apart? Seems excessively long to wait. I'd consider something like every 30s for 5 minutes, and then every 5 minutes for the next 12 hrs.
There was a problem hiding this comment.
I changed the logic so that it caps the wait time at 10 minutes, max.
| domains []string, acmeChallengePort int, shouldRegister bool) (*CertFetcher, error) { | ||
| func New(email string, certSignRequest *x509.CertificateRequest, privateKey crypto.PrivateKey, | ||
| acmeDiscoURL string, httpChallengePort int, httpChallengeWebRoot string, | ||
| tlsChallengePort int, dnsProvider string, shouldRegister bool) (*CertFetcher, error) { |
There was a problem hiding this comment.
optional again. Same thought here about breaking this up. Callsite could have some structure like:
fetcher := CertFetcher()
fetcher.setUser(email, privateKey)
fetcher.bindToPort(port)
|
Fixed @Gregable comments. PTAL. |
| @@ -107,6 +107,12 @@ type CertCache struct { | |||
| // Callers need to call Init() on the returned CertCache before the cache can auto-renew certs. | |||
| // Callers can use the uninitialized CertCache for testing certificates (without doing OCSP or | |||
| // cert refreshes). | |||
| // | |||
| // TODO(banaag): per greigable@ comments: | |||
There was a problem hiding this comment.
Will address in follow-up PR #369
|
|
||
| return ocsp, ocspUpdateAfter, nil | ||
| } | ||
|
|
||
| // Returns the OCSP response and expiry, refreshing if necessary. | ||
| // TODO(banaag): Per twifkak's suggestion, consider: | ||
| // It may also be interesting to try to separate the retry logic from the fetch logic. One approach comes to mind: |
There was a problem hiding this comment.
I think you just did this TODO, essentially?
There was a problem hiding this comment.
Will address in follow-up PR #369
| @@ -396,6 +411,10 @@ func waitForSpecifiedTime(waitTimeInMinutes int, numRetries int) int { | |||
| waitTimeDuration := time.Duration(waitTimeInMinutes) * time.Minute | |||
| // For exponential backoff. | |||
| newWaitTimeInMinutes := 2 * waitTimeInMinutes | |||
| if newWaitTimeInMinutes > 10 { | |||
| // Cap the wait time at 10 minutes. | |||
| newWaitTimeInMinutes = 10 | |||
There was a problem hiding this comment.
Per this change, the comment on maxOCSPTries needs to be updated.
There was a problem hiding this comment.
Will address in follow-up PR #369
First pass at updating amppkg.example.toml to document new experimental ACME support, implemented in #349 and others.
Update certcache to use certfetcher if cert autorenew is turned on.
Update ACME config to include email adddress and acme challenge port.
Update certloader.PopulateCertCache to instantiate certfetcher and pass it on to certcache instance.
Update all relevant tests.