I'm currently building a service that uses acme/autocert. To use that service with more than 1 replica, I had to write a persistent cache interface like DirCache. Then I noticed that after restarting the service, all valid certs in the Cache get ignored on startup. The following sequence happens all the time:
- Cache put acme_account+key (even if it exists in the cache)
- Cache get acme_account+key
- Cache get my.domain.net (it returns the cached cert)
- Cache get acme_account+key
- Cache put my.domain.net+token
- Cache put HASH+http-01
- Cache delete HASH+http-01
- Cache delete my.domain.net+token
- Cache put my.domain.net (put the new cert)
Is this the correct behavior? Because every replica would create its own cert, and a persistent Cache is not possible under these circumstances.
Here is my manager factory:
```go
import (
	"golang.org/x/crypto/acme"
	"golang.org/x/crypto/acme/autocert"
)

// NewManager wires a persistent (DynamoDB-backed) autocert.Cache into an
// autocert.Manager. Manager, NewPersistentCertCache, LetsEncryptStagingURL,
// db.DynamoDB and the log package are defined elsewhere in this project and
// are not shown here.
func NewManager(d *db.DynamoDB, staging bool) *Manager {
	manager := &Manager{
		CertCache: NewPersistentCertCache(d),
	}
	directoryURL := acme.LetsEncryptURL
	if staging {
		directoryURL = LetsEncryptStagingURL
		log.Infof("Using CA staging environment")
	}
	log.Infof("CA URI %s", directoryURL)
	client := &acme.Client{
		DirectoryURL: directoryURL,
	}
	manager.AcmeManager = &autocert.Manager{
		Prompt:     autocert.AcceptTOS,
		HostPolicy: manager.AllowHostPolicy,
		Cache:      manager.CertCache, // shared persistent cache for all replicas
		Client:     client,
	}
	return manager
}
```
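A persistent cache only lets replicas share certificates if it honours the contract autocert expects from a Cache: an absent key must come back as autocert.ErrCacheMiss, Put/Get must round-trip the stored bytes exactly, and Delete must make the key miss again. The following is an added example (not code from the post or from the autocert package) that checks a Cache implementation against that contract; it declares a local Cache interface and ErrCacheMiss mirroring autocert's, and the MemCache backend and the key/PEM values are constructed for the check.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// ErrCacheMiss mirrors autocert.ErrCacheMiss: Get must return exactly this for an absent key.
var ErrCacheMiss = errors.New("acme/autocert: certificate cache miss")
// Cache mirrors autocert.Cache (declared locally so this file builds without golang.org/x/crypto).
type Cache interface {
	Get(ctx context.Context, key string) ([]byte, error)
	Put(ctx context.Context, key string, data []byte) error
	Delete(ctx context.Context, key string) error
}
// MemCache is a single-process stand-in for a persistent backend, used only so CheckCache can run here.
type MemCache map[string][]byte
func (c MemCache) Get(_ context.Context, key string) ([]byte, error) {
	if data, ok := c[key]; ok {
		return append([]byte(nil), data...), nil // copy: callers must not alias the store
	}
	return nil, ErrCacheMiss
}
func (c MemCache) Put(_ context.Context, key string, data []byte) error { c[key] = append([]byte(nil), data...); return nil }
func (c MemCache) Delete(_ context.Context, key string) error           { delete(c, key); return nil }

// CheckCache exercises the contract the autocert manager relies on: an absent key yields
// ErrCacheMiss, Put/Get round-trips the bytes exactly, and Delete makes the key miss again.
func CheckCache(ctx context.Context, c Cache) error {
	const key = "check.example.invalid" // constructed key, not a real host name
	if _, err := c.Get(ctx, key); !errors.Is(err, ErrCacheMiss) {
		return fmt.Errorf("Get of absent key: want ErrCacheMiss, got %v", err)
	}
	want := []byte("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
	if err := c.Put(ctx, key, want); err != nil {
		return fmt.Errorf("Put: %w", err)
	}
	if got, err := c.Get(ctx, key); err != nil || string(got) != string(want) {
		return fmt.Errorf("Get after Put: err=%v, got %q", err, got)
	}
	if err := c.Delete(ctx, key); err != nil {
		return fmt.Errorf("Delete: %w", err)
	}
	if _, err := c.Get(ctx, key); !errors.Is(err, ErrCacheMiss) {
		return fmt.Errorf("Get after Delete: want ErrCacheMiss, got %v", err)
	}
	return nil
}
```

Running CheckCache against the real DynamoDB-backed cache (with the project's autocert types substituted) before deploying several replicas shows whether a cached cert is actually being returned or whether the store is silently answering with a miss or a foreign error.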