Move ocsp_response_cache:delete after certificate_data:set

wenzong 2020-09-19 13:09:59 +08:00
parent ff3b431654
commit 87e79da16a


@ -101,13 +101,19 @@ local function handle_servers()
end end
for uid, cert in pairs(configuration.certificates) do for uid, cert in pairs(configuration.certificates) do
-- don't delete the cache here, certificate_data[uid] is not replaced yet.
-- there is small chance that nginx worker still get the old certificate,
-- then fetch and cache the old OCSP Response
local old_cert = certificate_data:get(uid) local old_cert = certificate_data:get(uid)
if old_cert ~= nil and old_cert ~= cert then local is_renew = (old_cert ~= nil and old_cert ~= cert)
ocsp_response_cache:delete(uid)
end
local success, set_err, forcible = certificate_data:set(uid, cert) local success, set_err, forcible = certificate_data:set(uid, cert)
if not success then if success then
-- delete ocsp cache after certificate_data:set succeed
if is_renew then
ocsp_response_cache:delete(uid)
end
else
local err_msg = string.format("error setting certificate for %s: %s\n", local err_msg = string.format("error setting certificate for %s: %s\n",
uid, tostring(set_err)) uid, tostring(set_err))
table.insert(err_buf, err_msg) table.insert(err_buf, err_msg)