[tor-commits] [snowflake/master] Add a DirCache for certificates under TOR_PT_STATE_LOCATION.

dcf at torproject.org dcf at torproject.org
Fri Mar 31 02:16:53 UTC 2017


commit 1f8be86a01bcd322ee89c1d1b749406d4b03273c
Author: David Fifield <david at bamsoftware.com>
Date:   Sat Jan 21 14:10:10 2017 -0800

    Add a DirCache for certificates under TOR_PT_STATE_LOCATION.
    
    This way, we don't lose state of certificates every time the process is
    restarted. There's a possibility, otherwise, that if you have to restart
    the server rapidly, you might run into Let's Encrypt rate limits and be
    unable to create a cert for a while.
    https://godoc.org/rsc.io/letsencrypt#hdr-Persistent_Storage
---
 server/server.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/server/server.go b/server/server.go
index 62f166d..aec9b51 100644
--- a/server/server.go
+++ b/server/server.go
@@ -19,6 +19,7 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
+	"path/filepath"
 	"strings"
 	"sync"
 	"syscall"
@@ -216,6 +217,14 @@ func startServer(ln net.Listener) (net.Listener, error) {
 	return ln, nil
 }
 
+func getCertificateCacheDir() (string, error) {
+	stateDir, err := pt.MakeStateDir()
+	if err != nil {
+		return "", err
+	}
+	return filepath.Join(stateDir, "snowflake-certificate-cache"), nil
+}
+
 func main() {
 	var acmeEmail string
 	var acmeHostnamesCommas string
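Review bot: getCertificateCacheDir has no doc comment, and the one thing a reader needs to know about this directory is that it will hold the ACME account key and certificate private keys, not just public certificates. I would add `// getCertificateCacheDir returns the path of the autocert cache directory under the` / `// pluggable-transport state directory (TOR_PT_STATE_LOCATION). The cache holds the ACME` / `// account key and certificate private keys, so it must stay readable only by this process's user.` The function itself only builds the path; whether the directory is created with restrictive permissions depends on autocert.DirCache (which, as far as I recall, creates it 0700 and writes files 0600) and on pt.MakeStateDir, neither of which is visible here, so the comment should state the requirement rather than the mechanism. The second hunk of this file (the main() change) is the one that consumes this path.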
@@ -253,10 +262,21 @@ func main() {
 	var certManager *autocert.Manager
 	if !disableTLS {
 		log.Printf("ACME hostnames: %q", acmeHostnames)
+
+		var cache autocert.Cache
+		cacheDir, err := getCertificateCacheDir()
+		if err == nil {
+			log.Printf("caching ACME certificates in directory %q", cacheDir)
+			cache = autocert.DirCache(cacheDir)
+		} else {
+			log.Printf("disabling ACME certificate cache: %s", err)
+		}
+
 		certManager = &autocert.Manager{
 			Prompt:     autocert.AcceptTOS,
 			HostPolicy: autocert.HostWhitelist(acmeHostnames...),
 			Email:      acmeEmail,
+			Cache:      cache,
 		}
 	}
 
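Review bot: The `else` branch at the `getCertificateCacheDir()` error turns a missing state directory into a silent downgrade to an in-memory cache, which is exactly the rate-limit scenario the commit message says it is avoiding, and nothing in the log line tells an operator that. I would keep it non-fatal (the state dir is presumably absent only when the server runs outside tor, i.e. without TOR_PT_STATE_LOCATION) but say so in the code: `// Without a state dir (e.g. run outside tor) certificates are not persisted and every restart re-requests them from Let's Encrypt, which counts against its rate limits.` placed above the `var cache autocert.Cache` line. As a point of style, `if err == nil { … } else { … }` inverts the usual error-first shape; `if err != nil { log.Printf(...) } else { … }` reads more naturally here. main() starts and ends outside this hunk, so I cannot tell whether the `:=` on `cacheDir, err` shadows an earlier `err`; it is harmless inside this block either way.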




