cloudflare/cloudflared
Publicmirrored from https://github.com/cloudflare/cloudflaredAvailable
tlsconfig/certreloader.go
62lines · modecode
| 1 | package tlsconfig |
| 2 | |
| 3 | import ( |
| 4 | "crypto/tls" |
| 5 | "errors" |
| 6 | "fmt" |
| 7 | "sync" |
| 8 | |
| 9 | tunnellog "github.com/cloudflare/cloudflared/log" |
| 10 | "github.com/getsentry/raven-go" |
| 11 | log "github.com/sirupsen/logrus" |
| 12 | "gopkg.in/urfave/cli.v2" |
| 13 | ) |
| 14 | |
| 15 | // CertReloader can load and reload a TLS certificate from a particular filepath. |
| 16 | // Hooks into tls.Config's GetCertificate to allow a TLS server to update its certificate without restarting. |
| 17 | type CertReloader struct { |
| 18 | sync.Mutex |
| 19 | certificate *tls.Certificate |
| 20 | certPath string |
| 21 | keyPath string |
| 22 | } |
| 23 | |
| 24 | // NewCertReloader makes a CertReloader, memorizing the filepaths in the context/flags. |
| 25 | func NewCertReloader(c *cli.Context, f CLIFlags) (*CertReloader, error) { |
| 26 | if !c.IsSet(f.Cert) { |
| 27 | return nil, errors.New("CertReloader: cert not provided") |
| 28 | } |
| 29 | if !c.IsSet(f.Key) { |
| 30 | return nil, errors.New("CertReloader: key not provided") |
| 31 | } |
| 32 | cr := new(CertReloader) |
| 33 | cr.certPath = c.String(f.Cert) |
| 34 | cr.keyPath = c.String(f.Key) |
| 35 | cr.LoadCert() |
| 36 | return cr, nil |
| 37 | } |
| 38 | |
| 39 | // Cert returns the TLS certificate most recently read by the CertReloader. |
| 40 | func (cr *CertReloader) Cert(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) { |
| 41 | cr.Lock() |
| 42 | defer cr.Unlock() |
| 43 | return cr.certificate, nil |
| 44 | } |
| 45 | |
| 46 | // LoadCert loads a TLS certificate from the CertReloader's specified filepath. |
| 47 | // Call this after writing a new certificate to the disk (e.g. after renewing a certificate) |
| 48 | func (cr *CertReloader) LoadCert() { |
| 49 | cr.Lock() |
| 50 | defer cr.Unlock() |
| 51 | |
| 52 | log.SetFormatter(&tunnellog.JSONFormatter{}) |
| 53 | log.Info("Reloading certificate") |
| 54 | cert, err := tls.LoadX509KeyPair(cr.certPath, cr.keyPath) |
| 55 | |
| 56 | // Keep the old certificate if there's a problem reading the new one. |
| 57 | if err != nil { |
| 58 | raven.CaptureError(fmt.Errorf("Error parsing X509 key pair: %v", err), nil) |
| 59 | return |
| 60 | } |
| 61 | cr.certificate = &cert |
| 62 | } |
| 63 | |