Add a DirCache for certificates under TOR_PT_STATE_LOCATION.

This way, we don't lose state of certificates every time the process is restarted. There's a possibility, otherwise, that if you have to restart the server rapidly, you might run into Let's Encrypt rate limits and be unable to create a cert for a while. https://godoc.org/rsc.io/letsencrypt#hdr-Persistent_Storage
2025-10-13 20:11:19 -04:00 · 2017-01-21 14:10:10 -08:00 · 2017-01-21 14:10:10 -08:00 · 1f8be86a01
commit 1f8be86a01
parent b0826304a4
1 changed files with 20 additions and 0 deletions
--- a/server/server.go
+++ b/server/server.go
@ -19,6 +19,7 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
+	"path/filepath"
 	"strings"
 	"sync"
 	"syscall"
@ -216,6 +217,14 @@ func startServer(ln net.Listener) (net.Listener, error) {
 	return ln, nil
 }

+func getCertificateCacheDir() (string, error) {
+	stateDir, err := pt.MakeStateDir()
+	if err != nil {
+		return "", err
+	}
+	return filepath.Join(stateDir, "snowflake-certificate-cache"), nil
+}
+
 func main() {
 	var acmeEmail string
 	var acmeHostnamesCommas string
@ -253,10 +262,21 @@ func main() {
 	var certManager *autocert.Manager
 	if !disableTLS {
 		log.Printf("ACME hostnames: %q", acmeHostnames)
+
+		var cache autocert.Cache
+		cacheDir, err := getCertificateCacheDir()
+		if err == nil {
+			log.Printf("caching ACME certificates in directory %q", cacheDir)
+			cache = autocert.DirCache(cacheDir)
+		} else {
+			log.Printf("disabling ACME certificate cache: %s", err)
+		}
+
 		certManager = &autocert.Manager{
 			Prompt:     autocert.AcceptTOS,
 			HostPolicy: autocert.HostWhitelist(acmeHostnames...),
 			Email:      acmeEmail,
+			Cache:      cache,
 		}
 	}