https: Refuse start only if renewal fails on expired cert (closes #642)

2024-11-29 12:16:16 +08:00 · 2016-03-02 11:34:39 -07:00 · 2016-03-02 11:34:39 -07:00 · 36b440c04b
commit 36b440c04b
parent 2a46f2a14e
1 changed files with 7 additions and 2 deletions
--- a/caddy/https/maintain.go
+++ b/caddy/https/maintain.go
@ -89,8 +89,13 @@ func renewManagedCertificates(allowPrompts bool) (err error) {

 			err := client.Renew(cert.Names[0]) // managed certs better have only one name
 			if err != nil {
-				if client.AllowPrompts {
-					// User is present, so stop immediately and report the error
+				if client.AllowPrompts && timeLeft < 0 {
+					// Certificate renewal failed, the operator is present, and the certificate
+					// is already expired; we should stop immediately and return the error. Note
+					// that we used to do this any time a renewal failed at startup. However,
+					// after discussion in https://github.com/mholt/caddy/issues/642 we decided to
+					// only stop startup if the certificate is expired. We still log the error
+					// otherwise.
 					certCacheMu.RUnlock()
 					return err
 				}