Fix a couple of race conditions in the renewal of certificates.

4 years ago · 3d6a18180e
parent df60fe3f0d
commit 3d6a18180e
2 changed files with 3 additions and 1 deletions
--- a/ca/mutable_tls_config.go
+++ b/ca/mutable_tls_config.go
@ -40,7 +40,7 @@ func (c *mutableTLSConfig) Init(base *tls.Config) {
 // tls.Config GetConfigForClient.
 func (c *mutableTLSConfig) TLSConfig() (config *tls.Config) {
 	c.RLock()
-	config = c.config
+	config = c.config.Clone()
 	c.RUnlock()
 	return
 }
--- a/ca/renew.go
+++ b/ca/renew.go
@ -80,7 +80,9 @@ func NewTLSRenewer(cert *tls.Certificate, fn RenewFunc, opts ...tlsRenewerOption
 func (r *TLSRenewer) Run() {
 	cert := r.getCertificate()
 	next := r.nextRenewDuration(cert.Leaf.NotAfter)
+	r.Lock()
 	r.timer = time.AfterFunc(next, r.renewCertificate)
+	r.Unlock()
 }

 // RunContext starts the certificate renewer for the given certificate.