https: Refuse start only if renewal fails on expired cert (closes #642)

This commit is contained in:
Matthew Holt 2016-03-02 11:34:39 -07:00
parent 2a46f2a14e
commit 36b440c04b

View File

@ -89,8 +89,13 @@ func renewManagedCertificates(allowPrompts bool) (err error) {
err := client.Renew(cert.Names[0]) // managed certs better have only one name err := client.Renew(cert.Names[0]) // managed certs better have only one name
if err != nil { if err != nil {
if client.AllowPrompts { if client.AllowPrompts && timeLeft < 0 {
// User is present, so stop immediately and report the error // Certificate renewal failed, the operator is present, and the certificate
// is already expired; we should stop immediately and return the error. Note
// that we used to do this any time a renewal failed at startup. However,
// after discussion in https://github.com/mholt/caddy/issues/642 we decided to
// only stop startup if the certificate is expired. We still log the error
// otherwise.
certCacheMu.RUnlock() certCacheMu.RUnlock()
return err return err
} }