acme/autocert: fix renewal timer issue

rolandshoemaker · rolandshoemaker · commit 4ba4fb4dd9e7 · 2022-09-24T01:33:50.000Z
Block when creating the renewal timer, rather than doing it in a goroutine. This fixes an issue where startRenew and stopRenew are called very closely together, and due to lock ordering, stopRenew may be called before startRenew, resulting in the appearance that the renewal timer has been stopped before it has actually been created. This is only an issue in tests, as that is the only place stopRenew is actually used. In particular this issue manifests in TestGetCertiifcate sub-tests, where a httptest server reuses a port across two of the sub-tests. In this case, the renewal calls end up creating dirty state for the subsequent test, which can cause confusing behavior (such as attempting to register an account twice.) Another solution to this problem would be introducing a bool, protected by renewalMu, which indicates if renewal has been halted, and to check it in startRenew to check if stopRenew has already been called, which would allow us to continue calling startRenew in a goroutine and relying on renewalMu locking for ordering. That said I don't see a particularly strong reason to call startRenew concurrently, so this seems like the simplest solution for now. Fixes golang/go#52494 Change-Id: I95420d3fd877572a0b9e408d2f8cd353f6a4e80e Reviewed-on: https://go-review.googlesource.com/c/crypto/+/433016 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org> Reviewed-by: Bryan Mills <bcmills@google.com>
diff --git a/acme/autocert/autocert.go b/acme/autocert/autocert.go
@@ -463,7 +463,7 @@ func (m *Manager) cert(ctx context.Context, ck certKey) (*tls.Certificate, error
 		leaf: cert.Leaf,
 	}
 	m.state[ck] = s
-	go m.startRenew(ck, s.key, s.leaf.NotAfter)
+	m.startRenew(ck, s.key, s.leaf.NotAfter)
 	return cert, nil
 }
 
@@ -609,7 +609,7 @@ func (m *Manager) createCert(ctx context.Context, ck certKey) (*tls.Certificate,
 	}
 	state.cert = der
 	state.leaf = leaf
-	go m.startRenew(ck, state.key, state.leaf.NotAfter)
+	m.startRenew(ck, state.key, state.leaf.NotAfter)
 	return state.tlscert()
 }
 
diff --git a/acme/autocert/autocert_test.go b/acme/autocert/autocert_test.go
@@ -382,7 +382,7 @@ func TestGetCertificate(t *testing.T) {
 			},
 		},
 		{
-			name:   "expiredCache",
+			name:   "almostExpiredCache",
 			hello:  clientHelloInfo("example.org", algECDSA),
 			domain: "example.org",
 			prepare: func(t *testing.T, man *Manager, s *acmetest.CAServer) {

Original file line number	Diff line number	Diff line change
`@@ -463,7 +463,7 @@ func (m Manager) cert(ctx context.Context, ck certKey) (tls.Certificate, error`
`463`	`463`	`leaf: cert.Leaf,`
`464`	`464`	`}`
`465`	`465`	`m.state[ck] = s`
`466`		`- go m.startRenew(ck, s.key, s.leaf.NotAfter)`
	`466`	`+ m.startRenew(ck, s.key, s.leaf.NotAfter)`
`467`	`467`	`return cert, nil`
`468`	`468`	`}`
`469`	`469`
`@@ -609,7 +609,7 @@ func (m Manager) createCert(ctx context.Context, ck certKey) (tls.Certificate,`
`609`	`609`	`}`
`610`	`610`	`state.cert = der`
`611`	`611`	`state.leaf = leaf`
`612`		`- go m.startRenew(ck, state.key, state.leaf.NotAfter)`
	`612`	`+ m.startRenew(ck, state.key, state.leaf.NotAfter)`
`613`	`613`	`return state.tlscert()`
`614`	`614`	`}`
`615`	`615`
Original file line number	Diff line number	Diff line change
`@@ -382,7 +382,7 @@ func TestGetCertificate(t *testing.T) {`
`382`	`382`	`},`
`383`	`383`	`},`
`384`	`384`	`{`
`385`		`- name: "expiredCache",`
	`385`	`+ name: "almostExpiredCache",`
`386`	`386`	`hello: clientHelloInfo("example.org", algECDSA),`
`387`	`387`	`domain: "example.org",`
`388`	`388`	`prepare: func(t testing.T, man Manager, s *acmetest.CAServer) {`