Warmup memory store when starting (behind a parameter) #9

Merged
quentin merged 1 commits from feat/load-certs-at-boot into main 2023-08-09 07:58:46 +00:00

Fixes: #6

Add the ability to warmup the memory store when the proxy is started.

Trace that serves as an example

The first time we start tricot, there are no certificates in consul.
We generate one successfully:

```
$ sudo ./target/debug/tricot  --letsencrypt-email xxx@xxxx --http-bind-addr [::]:80 --https-bind-addr [::]:443 --warmup-cert-memory-store 1
 INFO  tricot > Starting Tricot
 ERROR tricot > An error occured while warming up the certificate memory store with Consul data, continue without caching: error decoding response body: EOF while parsing a value at line 1 column 0
 INFO  tricot::metrics > Metrics server is disabled
 INFO  tricot          > Metrics server exited
 INFO  tricot::http    > Listening on http://[::]:80
 INFO  tricot::proxy_config > Watched consul nodes: [Node { node: "lheureduthe", address: "127.0.0.1", meta: {"consul-network-segment": ""} }]
 INFO  tricot::https        > Starting to serve on https://[::]:443.
---- PROXY CONFIGURATION ----
   [::1]:8000 lheureduthe.machine.dufour.io 100

 INFO  tricot::cert_store   > (lheureduthe.machine.dufour.io) Renewing certificate
 INFO  tricot::proxy_config > Watched consul nodes: [Node { node: "lheureduthe", address: "127.0.0.1", meta: {"consul-network-segment": ""} }]
 INFO  tricot::cert_store   > (lheureduthe.machine.dufour.io) Accessibility check 1/4
 INFO  tricot::http         > HTTP request /.well-known/acme-challenge/b9b4c04d-a290-433f-bfd6-bc343e462cbb
 INFO  tricot::cert_store   > (lheureduthe.machine.dufour.io) Accessibility check successfull
 INFO  tricot::cert_store   > Creating new Let's encrypt account
 INFO  tricot::cert_store   > (lheureduthe.machine.dufour.io) Creating challenge and storing in Consul
 INFO  tricot::cert_store   > (lheureduthe.machine.dufour.io) Validating challenge
 INFO  tricot::http         > HTTP request /.well-known/acme-challenge/s941p3uPXWBrSVfgHn5kxaQy2lqoQXW2UEFtkNH3hWI
 INFO  tricot::http         > HTTP request /.well-known/acme-challenge/s941p3uPXWBrSVfgHn5kxaQy2lqoQXW2UEFtkNH3hWI
 INFO  tricot::http         > HTTP request /.well-known/acme-challenge/s941p3uPXWBrSVfgHn5kxaQy2lqoQXW2UEFtkNH3hWI
 INFO  tricot::cert_store   > (lheureduthe.machine.dufour.io) Deleting challenge
 INFO  tricot::cert_store   > (lheureduthe.machine.dufour.io) Keys and certificate obtained
 INFO  tricot::cert_store   > (lheureduthe.machine.dufour.io) Cert successfully renewed and stored
 INFO  tricot::https        > GET 200 https://lheureduthe.machine.dufour.io/
 INFO  tricot::https        > GET 404 https://lheureduthe.machine.dufour.io/favicon.ico
```

Note: The df-consul library has a bug when the prefix is empty and returns an error, as you can note above. This patch works despite the error, which should be fixed upstream.


Now we restart Tricot; it must load all the certificates contained in consul into the memory store:

```
$ sudo ./target/debug/tricot  --letsencrypt-email xxx@xxx --http-bind-addr [::]:80 --https-bind-addr [::]:443 --warmup-cert-memory-store 1
 INFO  tricot > Starting Tricot
 INFO  tricot::proxy_config > Watched consul nodes: [Node { node: "lheureduthe", address: "127.0.0.1", meta: {"consul-network-segment": ""} }]
 INFO  tricot::proxy_config > Watched consul nodes: [Node { node: "lheureduthe", address: "127.0.0.1", meta: {"consul-network-segment": ""} }]
 INFO  tricot::cert_store   > Memory store warmed up with 1 certificates
 INFO  tricot::metrics      > Metrics server is disabled
 INFO  tricot::http         > Listening on http://[::]:80
 INFO  tricot               > Metrics server exited
---- PROXY CONFIGURATION ----
   [::1]:8000 lheureduthe.machine.dufour.io 100

 INFO  tricot::https        > Starting to serve on https://[::]:443.
 INFO  tricot::https        > GET 200 https://lheureduthe.machine.dufour.io/
^C INFO  tricot               > Received CTRL+C, shutting down.
 INFO  tricot::https        > HTTPS server shutting down, draining remaining connections...
 ERROR tricot               > Error: rx_proxy_config closed
 INFO  tricot               > HTTP server exited
 INFO  tricot::cert_store   > Certificate renewal task exited
 WARN  tricot::https        > HTTP error: connection error: broken pipe
 INFO  tricot               > HTTPS server exited
```

This line: `INFO tricot::cert_store > Memory store warmed up with 1 certificates` tells you that the certificate has been successfully loaded.
Thanks to that, users will no longer see a self-signed certificate when trying to access their website after a tricot restart.

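As an added illustration of the warmup behaviour the two traces above describe (example code written here, not tricot's own implementation and not the df-consul API), the logic is modelled against a fake KV store. The key prefix `tricot/certs/`, the record layout (one line with the certificate's notAfter as unix seconds, then a PEM bundle with both the certificate and its private key), and every function name are assumptions for the example. It shows the two failure modes a practitioner cares about: a store-level error (the empty-prefix bug in the first trace) makes startup continue with an empty store instead of aborting, while a single garbled or already-expired record is skipped rather than cached, so a restart never serves a stale certificate just because it was still sitting in Consul.

```rust
use std::collections::HashMap;

/// One decoded certificate record. The stored layout is an assumption for this
/// example, not tricot's real Consul format: first line is notAfter as unix
/// seconds, the remainder is a PEM bundle (certificate + private key).
#[derive(Debug, Clone, PartialEq)]
pub struct CertEntry {
    pub domain: String,
    pub not_after: u64,
    pub pem_bundle: String,
}

pub type MemoryStore = HashMap<String, CertEntry>;

/// Minimal KV abstraction so the warmup can run against a fake instead of Consul.
pub trait KvStore {
    fn list_prefix(&self, prefix: &str) -> Result<Vec<(String, Vec<u8>)>, String>;
}

/// In-memory fake; `fail_on_empty_prefix` reproduces the store-level error of
/// the first trace (an empty prefix makes the client choke on the response).
pub struct FakeKv {
    pub entries: Vec<(String, Vec<u8>)>,
    pub fail_on_empty_prefix: bool,
}

impl KvStore for FakeKv {
    fn list_prefix(&self, prefix: &str) -> Result<Vec<(String, Vec<u8>)>, String> {
        if prefix.is_empty() && self.fail_on_empty_prefix {
            return Err("error decoding response body: EOF while parsing a value".into());
        }
        Ok(self.entries.iter().filter(|(k, _)| k.starts_with(prefix)).cloned().collect())
    }
}

/// Decode one KV record; any defect is reported so the caller can skip it.
pub fn decode_entry(key: &str, prefix: &str, raw: &[u8]) -> Result<CertEntry, String> {
    let domain = key.strip_prefix(prefix).ok_or("key outside prefix")?;
    if domain.is_empty() || domain.contains('/') {
        return Err("malformed domain in key".into());
    }
    let text = std::str::from_utf8(raw).map_err(|e| format!("not utf-8: {e}"))?;
    let (first, bundle) = text.split_once('\n').ok_or("missing PEM bundle")?;
    let not_after: u64 = first.trim().parse().map_err(|e| format!("bad not_after: {e}"))?;
    // A cached entry is only usable if it carries both the certificate and its key.
    if !bundle.contains("-----BEGIN CERTIFICATE-----") || !bundle.contains("-----BEGIN PRIVATE KEY-----") {
        return Err("bundle lacks certificate or private key".into());
    }
    Ok(CertEntry { domain: domain.to_string(), not_after, pem_bundle: bundle.to_string() })
}

pub struct WarmupReport {
    pub loaded: usize,
    pub skipped: Vec<(String, String)>, // (key, reason)
}

/// Load every record under `prefix` into a fresh store. A store-level failure is
/// returned to the caller; a bad or expired individual record is skipped, so one
/// stale entry cannot stop the others from being served.
pub fn warmup_memory_store(kv: &dyn KvStore, prefix: &str, now: u64) -> Result<(MemoryStore, WarmupReport), String> {
    let mut store = MemoryStore::new();
    let mut report = WarmupReport { loaded: 0, skipped: Vec::new() };
    for (key, raw) in kv.list_prefix(prefix)? {
        match decode_entry(&key, prefix, &raw) {
            Ok(entry) if entry.not_after <= now => report.skipped.push((key, "certificate already expired".into())),
            Ok(entry) => { store.insert(entry.domain.clone(), entry); report.loaded += 1; }
            Err(why) => report.skipped.push((key, why)),
        }
    }
    Ok((store, report))
}

/// Startup path behind the flag, mirroring the traces: warmup is optional and its
/// failure is logged but never fatal; the proxy starts with an empty store and
/// serves its fallback certificate until the renewal task fills the store.
pub fn start_store(kv: &dyn KvStore, prefix: &str, now: u64, warmup_enabled: bool) -> MemoryStore {
    if !warmup_enabled {
        return MemoryStore::new();
    }
    match warmup_memory_store(kv, prefix, now) {
        Ok((store, report)) => {
            eprintln!("INFO  Memory store warmed up with {} certificates", report.loaded);
            for (key, why) in &report.skipped {
                eprintln!("WARN  skipped {key}: {why}");
            }
            store
        }
        Err(e) => {
            eprintln!("ERROR An error occurred while warming up the certificate memory store, continue without caching: {e}");
            MemoryStore::new()
        }
    }
}

/// Constructed sample data (placeholder PEM bodies, not real key material).
pub fn sample_kv() -> FakeKv {
    let record = |not_after: u64| {
        format!("{not_after}\n-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n").into_bytes()
    };
    FakeKv {
        fail_on_empty_prefix: true,
        entries: vec![
            ("tricot/certs/lheureduthe.machine.dufour.io".into(), record(1_700_000_000)),
            ("tricot/certs/old.example".into(), record(1_600_000_000)), // expired
            ("tricot/certs/broken.example".into(), b"not a record".to_vec()),
            ("tricot/certs/other.example".into(), record(1_750_000_000)),
        ],
    }
}

fn main() {
    let kv = sample_kv();
    let now = 1_691_000_000; // 2023-08-02 UTC, so two records are valid and one is expired
    let store = start_store(&kv, "tricot/certs/", now, true);
    let empty = start_store(&kv, "", now, true); // store-level error: continue with nothing cached
    println!("{} cached, {} after failed warmup", store.len(), empty.len());
}
```

The expiry check is the part worth keeping even if the store format differs: a warmup that blindly trusts whatever is in the KV store turns "no self-signed certificate after restart" into "an expired certificate after restart" the day a renewal was missed, which is a worse failure from the browser's point of view. Logging the skipped keys with a reason also makes the "warmed up with N certificates" line auditable when N is lower than the number of domains the proxy is configured for.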
quentin added 1 commit 2023-08-08 16:11:59 +00:00
continuous-integration/drone/pr Build is passing
continuous-integration/drone/push Build is passing
continuous-integration/drone/tag Build is passing
48a421a3b6
feat: warmup memory store when starting
quentin merged commit 48a421a3b6 into main 2023-08-09 07:58:46 +00:00
quentin deleted branch feat/load-certs-at-boot 2023-08-09 07:58:47 +00:00
Reference: Deuxfleurs/tricot#9