diff --git a/internal/app/app.go b/internal/app/app.go
index 13a95c2..05fac16 100644
--- a/internal/app/app.go
+++ b/internal/app/app.go
@@ -232,7 +232,7 @@
go func() {
defer wg.Done()
log.Infof("Starting certificate rotator with check interval: %v", cfg.CertCheckInterval)
- if err := certRotator.RotateCertificates(ctx); err != nil {
+ if err := certRotator.RotateCertificates(ctx, cfg.WebrootPath); err != nil {
log.Errorf("Certificate rotator failed: %v", err)
}
log.Infof("Certificate rotator shut down.")
diff --git a/internal/pkg/cert/letsencrypt/renewer.go b/internal/pkg/cert/letsencrypt/renewer.go
index 483cbd0..210a460 100644
--- a/internal/pkg/cert/letsencrypt/renewer.go
+++ b/internal/pkg/cert/letsencrypt/renewer.go
@@ -59,5 +59,8 @@
// The ACME account key and URL remain the same.
AccountKey: oldCert.AccountKey,
AccountURL: oldCert.AccountURL,
+ // The rotation strategy remains the same.
+ EnableRotation: oldCert.EnableRotation,
+ RenewBefore: oldCert.RenewBefore,
}, nil
}
diff --git a/internal/pkg/cert/rotation/rotator.go b/internal/pkg/cert/rotation/rotator.go
index b1395cc..8fb8c0c 100644
--- a/internal/pkg/cert/rotation/rotator.go
+++ b/internal/pkg/cert/rotation/rotator.go
@@ -3,7 +3,6 @@
import (
"context"
internallog "envoy-control-plane/internal/log"
- "envoy-control-plane/internal/pkg/api"
"envoy-control-plane/internal/pkg/cert"
certapi "envoy-control-plane/internal/pkg/cert/api"
"envoy-control-plane/internal/pkg/cert/tool"
@@ -57,7 +56,7 @@
}
// checkAndRotateCertificate performs the parsing, renewal check, and rotation for a single certificate.
-func (cr *CertRotator) checkAndRotateCertificate(ctx context.Context, c *storage.CertStorage) {
+func (cr *CertRotator) checkAndRotateCertificate(ctx context.Context, webrootPath string ,c *storage.CertStorage) {
log := internallog.LogFromContext(ctx)
// 1. Parse the certificate
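Review bot: `cfg.WebrootPath` is handed to `RotateCertificates` with no check that it is actually set, whereas the removed code used the fixed `api.ACME_CALLENGE_WEB_PATH` constant; an empty or relative value would now only surface as a per-certificate renewal error inside the rotator goroutine, and since the value appears to decide where the issuer places challenge material, a misconfiguration deserves a fail-fast rejection at startup. The `RotateCertificates`, `runRotationCheck` and `checkAndRotateCertificate` hunks in rotator.go forward the value unchanged as well. I would reject an empty path before the rotator goroutine is started, in `RotateCertificates`: `if webrootPath == "" { return errors.New("rotate certificates: webroot path is empty") }` (adding `errors` to rotator.go's import block if it is not already there), and consider requiring `filepath.IsAbs(webrootPath)` so the directory is not resolved relative to the process working directory. The function enclosing this goroutine in app.go begins and ends outside the hunk, so where `cfg` is parsed is not visible here.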
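Review bot: The new `checkAndRotateCertificate` signature has a space before the comma and none after it (`webrootPath string ,c *storage.CertStorage`), so the file is no longer gofmt-clean; it should read `func (cr *CertRotator) checkAndRotateCertificate(ctx context.Context, webrootPath string, c *storage.CertStorage) {`. The doc comment above it could also name the new parameter, for example `// webrootPath is forwarded to the issuer's RenewCertificate call for this certificate.`. The body of checkAndRotateCertificate continues past the end of the hunk.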
@@ -106,7 +105,7 @@
log.Errorf("Failed to create certificate issuer for domain %s: %v", c.Domain, err)
return
}
- newCert, err := certIsser.RenewCertificate(oldCert, api.ACME_CALLENGE_WEB_PATH, c.Email)
+ newCert, err := certIsser.RenewCertificate(oldCert, webrootPath, c.Email)
if err != nil {
log.Errorf("Failed to renew the certificate for domain %s: %v", c.Domain, err)
return
@@ -132,7 +131,7 @@
}
// RotateCertificates starts a background goroutine to periodically check and renew certificates.
-func (cr *CertRotator) RotateCertificates(ctx context.Context) error {
+func (cr *CertRotator) RotateCertificates(ctx context.Context, webrootPath string) error {
log := internallog.LogFromContext(ctx)
ticker := time.NewTicker(cr.checkInterval)
@@ -143,7 +142,7 @@
go func() {
// Run a check immediately on startup
// The rotation should be done periodically AND immediately on start to catch expiring certificates.
log.Debugf("[Rotator] Performing initial certificate rotation check.")
- if err := cr.runRotationCheck(ctx); err != nil {
+ if err := cr.runRotationCheck(ctx, webrootPath); err != nil {
log.Errorf("[Rotator] Initial check failed: %v", err)
}
@@ -156,7 +155,7 @@
case <-ticker.C:
// The ticker fired. Time to check and potentially rotate certificates.
log.Debugf("[Rotator] Ticker fired. Running periodic check.")
- if err := cr.runRotationCheck(ctx); err != nil {
+ if err := cr.runRotationCheck(ctx, webrootPath); err != nil {
log.Errorf("[Rotator] Periodic check failed: %v", err)
}
}
@@ -169,7 +168,7 @@
}
// runRotationCheck is a helper that orchestrates loading and checking all certificates.
-func (cr *CertRotator) runRotationCheck(ctx context.Context) error {
+func (cr *CertRotator) runRotationCheck(ctx context.Context, webrootPath string) error {
log := internallog.LogFromContext(ctx)
certs, err := cr.loadCertificatesWithAutoRotationEnrolled(ctx)
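Review bot: The doc comment on the exported `RotateCertificates` still describes only the background goroutine and says nothing about the new `webrootPath` parameter, what it is used for, or whether an empty value is accepted; the comment on `runRotationCheck` in the -169 hunk has the same gap. I would extend it with a line such as `// webrootPath is forwarded unchanged to RenewCertificate for every certificate that is renewed; it replaces the former api.ACME_CALLENGE_WEB_PATH constant.` and a matching sentence on runRotationCheck. The bodies of both functions continue past their hunks.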
@@ -180,7 +179,7 @@
for _, c := range certs {
// Run the check and rotation logic for each certificate
- cr.checkAndRotateCertificate(ctx, c)
+ cr.checkAndRotateCertificate(ctx, webrootPath, c)
}
log.Debugf("[Rotator] Rotation check completed for %d certificates.", len(certs))
return nil