Published: Feb 21, 2023 License: MIT Imports: 21 Imported by: 0




const (
	// If we get told TryLater by an OCSP server, how long that is
	RetryOnTryLater = 30 * time.Minute

	// If an OCSP staple is missing any timers, how often we'll retry instead
	RetryMissingTimers = 24 * time.Hour

	// If a newly issued staple appear to have already expired, how long until
	// we try again
	RetryOnAlreadyExpired = 15 * time.Minute

	// If we're after T1 timer, how often to retry
	RetryAfterT1 = time.Hour

	// How long we wait between renew checks if we somehow failed to find any timers
	SweepIntervalTimerless = 24 * time.Hour

Retry times always have jitter adjustments applied, to avoid phase-locked synchronization of requests across instances.

const (
	MIMETypeOCSPRequest = "application/ocsp-request"
const MaxCertFileSize = 1024 * 1024 // not processing a cert file larger than 1MB
const NoOCSPExtension = ".noocsp"


var (
	ErrEmptyFilename = errors.New("derived an empty filename")
	ErrEmptyStaple   = errors.New("staple is empty")
var (
	ErrCertAlreadyExpired = errors.New("refuse to fetch OCSP staple for expired cert")
	ErrNoIssuer           = errors.New("unable to find an issuer to validate any OCSP response")
	ErrHTTPFailure        = errors.New("HTTP failure retrieving OCSP staple")
	ErrOCSPProblem        = errors.New("unexpected OCSP problem")
	ErrTryLater           = errors.New("OCSP said tryLater")
var (
	ErrNoOCSPFlagfile   = errors.New("a .noocsp flag-file prevented action")
	ErrNoCertsFound     = errors.New("no certificate files found in a directory")
	ErrCertFileTooLarge = errors.New("certificate file too large")
	ErrNotCertificate   = errors.New("no certificate found in file")
	ErrNoOCSPInCert     = errors.New("certificate lacks OCSP information")
var (
	ExcludeExtensions = []string{




type CertRenewal

type CertRenewal struct {

	ActionID uint32
	// contains filtered or unexported fields

func (*CertRenewal) CertLogAtf

func (cr *CertRenewal) CertLogAtf(level uint, spec string, args ...interface{})

func (*CertRenewal) CertLogf

func (cr *CertRenewal) CertLogf(spec string, args ...interface{})

type Config

type Config struct {
	HTTPStatus        string  // host:port listen spec
	Directories       bool    // whether InputPaths denotes directories or not
	OutputDir         string  // where to place generated OCSP staples
	Extension         string  // filename extension to put on staples
	TimerT1           float64 // how far through staple validity period to start trying to renew
	Immediate         bool    // renew on start-up, independent of timers
	AllowNonOCSPInDir bool    // just skip any certs which lack OCSP information
	CertExtensions    string  // when scanning dirs, files with one of these extensions is assumed to be a cert
	HTTPUserAgent     string  // HTTP User-Agent to send
	InputPaths        []string
	// contains filtered or unexported fields

type Renewer

type Renewer struct {

	// Modify HTTPClient if your application requires that; it defaults to http.DefaultClient
	HTTPClient *http.Client
	// contains filtered or unexported fields

func New

func New(c Config) (*Renewer, error)

func (*Renewer) BasicChecks

func (r *Renewer) BasicChecks() error

BasicChecks runs whatever sanity checks the renewer library considers worthwhile before starting any persistent run.

func (*Renewer) ForceCheckSoon added in v0.1.4

func (r *Renewer) ForceCheckSoon(full bool)

ForceCheckSoon interrupts the current sleep and forces a sweep soon.

func (*Renewer) LogAtf

func (r *Renewer) LogAtf(level uint, spec string, args ...interface{})

func (*Renewer) Logf

func (r *Renewer) Logf(spec string, args ...interface{})

func (*Renewer) NeedTimers

func (r *Renewer) NeedTimers() bool

func (*Renewer) OneShot

func (r *Renewer) OneShot() error

OneShot does a sweep of all candidates and renews if appropriate. Appropriateness is a combination of "immediate" and timers.

func (*Renewer) RegisterFutureCheck

func (r *Renewer) RegisterFutureCheck(path string, checkTime time.Time)

func (*Renewer) SetImmediate

func (r *Renewer) SetImmediate(i bool) error

func (*Renewer) SetLogLevel

func (r *Renewer) SetLogLevel(lvl uint)

func (*Renewer) SetNotReally

func (r *Renewer) SetNotReally(nr bool)

func (*Renewer) Start

func (r *Renewer) Start() (status bool)

Start creates a persistent process which keeps renewing all OCSP staples forever. It returns a bool indicating whether the exit was expected. The HTTP interface might in future provide a means to request a clean, expected exit.

type RevokedError

type RevokedError struct {
	Cert      *x509.Certificate
	RevokedAt time.Time

func (RevokedError) Error

func (re RevokedError) Error() string

type UnknownAtCAError

type UnknownAtCAError struct {
	Cert *x509.Certificate
	URL  string

func (UnknownAtCAError) Error

func (uace UnknownAtCAError) Error() string
