feat: server support write cache to file

Author: LDLDL

exec/server/main.go

@@ -99,6 +99,10 @@ func init() {
 	if err := server.InitACMEAccount(); err != nil {
 		log.Fatalf("[ERR] Failed init ACME account: %s", err)
 	}
+
+	if err := server.InitCache(); err != nil {
+		log.Fatalf("[ERR] Failed init server cache: %s", err)
+	}
 }
 
 func serveHttps() {
@@ -109,7 +113,7 @@ func serveHttps() {
 
 	for {
 		cert := entry.Cert()
-		certificate, err := tls.X509KeyPair(cert.Cert, cert.Key)
+		certificate, err := tls.X509KeyPair(cert.FullChain, cert.Key)
 		if err != nil {
 			log.Fatalf("[ERR] Failed to load cert: %s", err)
 		}

pkg/client/client.go

@@ -82,19 +82,19 @@ func (r *CertDXClientDaemon) requestCert(domains []string) *types.HttpCertResp {
 	return nil
 }
 
-func (r *CertDXClientDaemon) certWatchDog(cert config.ClientCertification, onChanged ...func(cert, key []byte, c *config.ClientCertification)) {
-	var currentCert, currentKey []byte
+func (r *CertDXClientDaemon) certWatchDog(cert config.ClientCertification, onChanged ...func(fullchain, key []byte, c *config.ClientCertification)) {
+	var currentFullChain, currentKey []byte
 	sleepTime := 1 * time.Hour // default sleep time
 	for {
 		log.Printf("[INF] Request cert %v", cert.Domains)
 		resp := r.requestCert(cert.Domains)
 		if resp != nil {
 			sleepTime = resp.RenewTimeLeft / 4
-			if !bytes.Equal(currentCert, resp.Cert) || !bytes.Equal(currentKey, resp.Key) {
+			if !bytes.Equal(currentFullChain, resp.FullChain) || !bytes.Equal(currentKey, resp.Key) {
 				log.Printf("[INF] Notify cert %v changed", cert.Domains)
-				currentCert, currentKey = resp.Cert, resp.Key
+				currentFullChain, currentKey = resp.FullChain, resp.Key
 				for _, handleFunc := range onChanged {
-					handleFunc(resp.Cert, resp.Key, &cert)
+					handleFunc(resp.FullChain, resp.Key, &cert)
 				}
 			} else {
 				log.Printf("[INF] Cert %v not changed", cert.Domains)
@@ -105,10 +105,10 @@ func (r *CertDXClientDaemon) certWatchDog(cert config.ClientCertification, onCha
 	}
 }
 
-func writeCertAndDoCommand(cert, key []byte, c *config.ClientCertification) {
+func writeCertAndDoCommand(fullchain, key []byte, c *config.ClientCertification) {
 	var doCommand, ce, ke bool
 
-	certPath, keyPath := c.GetCertAndKeyPath()
+	certPath, keyPath := c.GetFullChainAndKeyPath()
 	ce, err := checkFileAndCreate(certPath)
 	if err != nil {
 		goto ERR
@@ -120,7 +120,7 @@ func writeCertAndDoCommand(cert, key []byte, c *config.ClientCertification) {
 	// if cert file is firstly created, don't do reload command
 	doCommand = ce && ke
 
-	err = os.WriteFile(certPath, cert, 0o777)
+	err = os.WriteFile(certPath, fullchain, 0o777)
 	if err != nil {
 		goto ERR
 	}

pkg/config/config.go

@@ -99,8 +99,8 @@ type ClientCertification struct {
 	ReloadCommand string   `toml:"reloadCommand" json:"reload_command,omitempty"`
 }
 
-func (c *ClientCertification) GetCertAndKeyPath() (cert, key string) {
-	cert = path.Join(c.SavePath, fmt.Sprintf("%s.pem", c.Name))
+func (c *ClientCertification) GetFullChainAndKeyPath() (fullchain, key string) {
+	fullchain = path.Join(c.SavePath, fmt.Sprintf("%s.pem", c.Name))
 	key = path.Join(c.SavePath, fmt.Sprintf("%s.key", c.Name))
 	return
 }

pkg/server/acme.go

@@ -12,7 +12,6 @@ import (
 	"encoding/pem"
 	"fmt"
 	"os"
-	"path"
 	"strings"
 	"time"
 
@@ -93,24 +92,6 @@ func (u *MyUser) GetPrivateKey() crypto.PrivateKey {
 	return u.Key
 }
 
-func getPrivateKeySavePath(email string, ACMEProvider string) (string, error) {
-	saveDir, err := os.Getwd()
-	if err != nil {
-		return "", err
-	}
-	saveDir = path.Join(saveDir, "private")
-	keyName := fmt.Sprintf("%s_%s.key", email, ACMEProvider)
-
-	if _, err := os.Stat(saveDir); os.IsNotExist(err) {
-		err := os.Mkdir(saveDir, 0o600)
-		if err != nil {
-			return "", fmt.Errorf("cannot create path: %s to save account key", saveDir)
-		}
-	}
-
-	return path.Join(saveDir, keyName), nil
-}
-
 func RegisterAccount(ACMEProvider, Email, Kid, Hmac string) error {
 	keyPath, err := getPrivateKeySavePath(Email, ACMEProvider)
 	if err != nil {

pkg/server/http.go

@@ -69,7 +69,7 @@ func handleCertReq(w *http.ResponseWriter, r *http.Request) {
 	cert = cachedCert.Cert()
 	resp, err = json.Marshal(&types.HttpCertResp{
 		RenewTimeLeft: Config.ACME.RenewTimeLeftDuration,
-		Cert:          cert.Cert,
+		FullChain:     cert.FullChain,
 		Key:           cert.Key,
 	})
 	if err != nil {
@@ -78,7 +78,7 @@ func handleCertReq(w *http.ResponseWriter, r *http.Request) {
 
 	(*w).Header().Set("Content-Type", "application/json")
 	(*w).Write(resp)
-	log.Printf("[INF] Http sent cert: %v to: %s", cachedCert.Domains, r.RemoteAddr)
+	log.Printf("[INF] Http sent cert: %v to: %s", cachedCert.domains, r.RemoteAddr)
 	return
 
 ERR:

pkg/server/path.go

@@ -0,0 +1,39 @@
+package server
+
+import (
+	"fmt"
+	"os"
+	"path"
+)
+
+func getPrivateKeySavePath(email string, ACMEProvider string) (string, error) {
+	saveDir, err := os.Getwd()
+	if err != nil {
+		return "", err
+	}
+	saveDir = path.Join(saveDir, "private")
+	keyName := fmt.Sprintf("%s_%s.key", email, ACMEProvider)
+
+	if _, err := os.Stat(saveDir); os.IsNotExist(err) {
+		err := os.Mkdir(saveDir, 0o600)
+		if err != nil {
+			return "", fmt.Errorf("cannot create path: %s to save account key", saveDir)
+		}
+	}
+
+	return path.Join(saveDir, keyName), nil
+}
+
+func getCacheSavePath() (cachePath string, exist bool) {
+	saveDir, err := os.Getwd()
+	if err != nil {
+		return "", false
+	}
+
+	cacheFile := path.Join(saveDir, "cache.json")
+	if _, err := os.Stat(cacheFile); os.IsNotExist(err) {
+		return cacheFile, false
+	}
+
+	return cacheFile, true
+}

pkg/server/server.go

@@ -1,51 +1,139 @@
 package server
 
 import (
+	"encoding/json"
+	"fmt"
 	"log"
-	"pkg.para.party/certdx/pkg/config"
-	"pkg.para.party/certdx/pkg/utils"
+	"os"
 	"slices"
 	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
+
+	"pkg.para.party/certdx/pkg/config"
+	"pkg.para.party/certdx/pkg/utils"
 )
 
 type CertT struct {
-	Cert, Key   []byte
-	ValidBefore time.Time
+	FullChain   []byte    `json:"fullChain"`
+	Key         []byte    `json:"key"`
+	ValidBefore time.Time `json:"validBefore"`
 }
 
-type ServerCertCacheEntry struct {
-	Domains []string
+type ServerCacheFileEntry struct {
+	Domains []string `json:"domains"`
+	Cert    CertT    `json:"cert"`
+}
 
-	cert  CertT
-	Mutex sync.Mutex
+type ServerCertCacheEntry struct {
+	domains []string
+	cert    CertT
+	mutex   sync.Mutex
 
 	Listening atomic.Bool
 	Updated   atomic.Pointer[chan struct{}]
 	Stop      atomic.Pointer[chan struct{}]
 }
 
 type ServerCertCacheT struct {
-	entrys []*ServerCertCacheEntry
-	mutex  sync.Mutex
+	entrys  []*ServerCertCacheEntry
+	mutex   sync.Mutex
+	updated atomic.Pointer[chan struct{}]
 }
 
 var ServerCertCache = &ServerCertCacheT{}
 var Config = &config.ServerConfigT{}
 
+func InitCache() error {
+	updated := make(chan struct{})
+	ServerCertCache.updated.Store(&updated)
+
+	if err := loadCacheFile(); err != nil {
+		return err
+	}
+
+	go func() {
+		for {
+			<-*ServerCertCache.updated.Load()
+			log.Printf("[INF] Write domains cache to file")
+
+			if err := writeCacheFile(); err != nil {
+				log.Printf("[WRN] Write domains cache to file failed: %s", err)
+			}
+		}
+	}()
+
+	return nil
+}
+
+func loadCacheFile() error {
+	cachePath, exist := getCacheSavePath()
+	if !exist {
+		return nil
+	}
+
+	cfile, err := os.ReadFile(cachePath)
+	if err != nil {
+		return fmt.Errorf("open cache file failed: %w", err)
+	}
+
+	var caches []ServerCacheFileEntry
+	err = json.Unmarshal(cfile, &caches)
+	if err != nil {
+		return fmt.Errorf("unmarshal cache file failed: %w", err)
+	}
+
+	for _, cache := range caches {
+		entry := ServerCertCache.GetEntry(cache.Domains)
+		entry.mutex.Lock()
+		entry.cert = cache.Cert
+		entry.mutex.Unlock()
+	}
+
+	return nil
+}
+
+func writeCacheFile() error {
+	ServerCertCache.mutex.Lock()
+	defer ServerCertCache.mutex.Unlock()
+
+	var caches []ServerCacheFileEntry
+	for _, entry := range ServerCertCache.entrys {
+		entry.mutex.Lock()
+		cache := ServerCacheFileEntry{
+			Domains: entry.domains,
+			Cert:    entry.cert,
+		}
+		entry.mutex.Unlock()
+		caches = append(caches, cache)
+	}
+
+	jsonBytes, err := json.Marshal(caches)
+	if err != nil {
+		return fmt.Errorf("failed marshal cache file: %w", err)
+	}
+
+	cachePath, _ := getCacheSavePath()
+	err = os.WriteFile(cachePath, jsonBytes, 0o600)
+	if err != nil {
+		return fmt.Errorf("failed write cache file: %w", err)
+	}
+
+	return nil
+}
+
 func (s *ServerCertCacheT) GetEntry(domains []string) *ServerCertCacheEntry {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 	for _, entry := range s.entrys {
-		if utils.SameCert(domains, entry.Domains) {
+		if utils.SameCert(domains, entry.domains) {
 			return entry
 		}
 	}
 
 	entry := &ServerCertCacheEntry{
-		Domains: domains,
+		domains: domains,
 	}
 	entry.Listening.Store(false)
 	updated := make(chan struct{})
@@ -57,16 +145,16 @@ func (s *ServerCertCacheT) GetEntry(domains []string) *ServerCertCacheEntry {
 }
 
 func (c *ServerCertCacheEntry) Cert() CertT {
-	c.Mutex.Lock()
-	defer c.Mutex.Unlock()
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
 	return c.cert
 }
 
 func (c *ServerCertCacheEntry) Renew(retry bool) (bool, error) {
-	c.Mutex.Lock()
-	defer c.Mutex.Unlock()
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
 
-	log.Printf("[INF] Renew cert: %v", c.Domains)
+	log.Printf("[INF] Renew cert: %v", c.domains)
 	if !time.Now().Before(c.cert.ValidBefore) {
 		newValidBefore := time.Now().Truncate(1 * time.Hour).Add(Config.ACME.CertLifeTimeDuration)
 
@@ -75,27 +163,29 @@ func (c *ServerCertCacheEntry) Renew(retry bool) (bool, error) {
 			return false, err
 		}
 
-		var cert, key []byte
+		var fullchain, key []byte
 		if retry {
-			cert, key, err = acme.RetryObtain(c.Domains, newValidBefore.Add(Config.ACME.RenewTimeLeftDuration))
+			fullchain, key, err = acme.RetryObtain(c.domains, newValidBefore.Add(Config.ACME.RenewTimeLeftDuration))
 		} else {
-			cert, key, err = acme.Obtain(c.Domains, newValidBefore.Add(Config.ACME.RenewTimeLeftDuration))
+			fullchain, key, err = acme.Obtain(c.domains, newValidBefore.Add(Config.ACME.RenewTimeLeftDuration))
 		}
 		if err != nil {
 			return false, err
 		}
 
 		c.cert = CertT{
 			ValidBefore: newValidBefore,
-			Cert:        cert,
+			FullChain:   fullchain,
 			Key:         key,
 		}
 
-		log.Printf("[INF] Obtained cert: %v", c.Domains)
+		log.Printf("[INF] Obtained cert: %v", c.domains)
+		newUpdated := make(chan struct{})
+		close(*ServerCertCache.updated.Swap(&newUpdated))
 		return true, nil
 	}
 
-	log.Printf("[INF] Cert: %v not expired", c.Domains)
+	log.Printf("[INF] Cert: %v not expired", c.domains)
 	return false, nil
 }
 
@@ -106,13 +196,13 @@ func (c *ServerCertCacheEntry) CertWatchDog() {
 
 	c.Listening.Store(true)
 	for {
-		log.Printf("[INF] Server renew: %v", c.Domains)
+		log.Printf("[INF] Server renew: %v", c.domains)
 		changed, err := c.Renew(true)
 		if err != nil {
-			log.Printf("[ERR] Failed renew cert %s: %s", c.Domains, err)
+			log.Printf("[ERR] Failed renew cert %s: %s", c.domains, err)
 		} else if changed {
 			newUpdated := make(chan struct{})
-			log.Printf("[INF] Notify cert %s updated", c.Domains)
+			log.Printf("[INF] Notify cert %s updated", c.domains)
 			close(*c.Updated.Swap(&newUpdated))
 		}