From 3d6a18180e7d3acf6c036506b9f4b5771799bf56 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Fri, 24 Jan 2020 12:26:27 -0800
Subject: [PATCH] Fix a couple of race conditions in the renewal of certificates.
---
 ca/mutable_tls_config.go | 2 +-
 ca/renew.go | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/ca/mutable_tls_config.go b/ca/mutable_tls_config.go
index 031a99e9..c4a1a89f 100644
--- a/ca/mutable_tls_config.go
+++ b/ca/mutable_tls_config.go
@@ -40,7 +40,7 @@ func (c *mutableTLSConfig) Init(base *tls.Config) {
 // tls.Config GetConfigForClient.
 func (c *mutableTLSConfig) TLSConfig() (config *tls.Config) {
 c.RLock()
- config = c.config
+ config = c.config.Clone()
 c.RUnlock()
 return
 }
diff --git a/ca/renew.go b/ca/renew.go
index 6a4fd22b..13f96ff7 100644
--- a/ca/renew.go
+++ b/ca/renew.go
@@ -80,7 +80,9 @@ func NewTLSRenewer(cert *tls.Certificate, fn RenewFunc, opts ...tlsRenewerOption
 func (r *TLSRenewer) Run() {
 cert := r.getCertificate()
 next := r.nextRenewDuration(cert.Leaf.NotAfter)
+ r.Lock()
 r.timer = time.AfterFunc(next, r.renewCertificate)
+ r.Unlock()
 }
 // RunContext starts the certificate renewer for the given certificate.
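Review bot: The `Clone()` on the changed line returns a shallow copy, and the doc comment above TLSConfig (whose start is outside the hunk) should say so: a caller may set scalar fields on the returned *tls.Config, but slice and map fields such as Certificates still alias the stored config and must not be mutated. `(*tls.Config).Clone` is documented as safe on a Config that is already in use and returns nil for a nil receiver, so a nil c.config now propagates as nil to callers, which is worth one sentence in the comment if callers are expected to handle it. The RLock still appears necessary if the c.config pointer is swapped under the write lock elsewhere in the file, which this hunk does not show. As a point of style, `defer c.RUnlock()` followed by `return c.config.Clone()` would drop the named result and naked return.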
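Review bot: Run() now guards the timer assignment, but a second call to Run() still overwrites r.timer without stopping the previous one, leaving two renewal timers armed; inside the locked region `if r.timer != nil { r.timer.Stop() }` before the assignment would close that gap. The line `next := r.nextRenewDuration(cert.Leaf.NotAfter)` dereferences cert.Leaf, which tls.Certificate leaves nil unless the caller parsed the leaf, so unless getCertificate (outside the hunk) guarantees a populated Leaf a nil check or an x509.ParseCertificate fallback is needed. Since time.AfterFunc runs renewCertificate on its own goroutine, arming it while holding r.Lock cannot self-deadlock even if renewCertificate also locks to re-arm the timer; a comment such as `// r.timer is also written when the renewal fires; guard the swap` would record why the lock is held here. The calls suggest TLSRenewer embeds a sync.Mutex or sync.RWMutex, which is not visible in this hunk.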