Merge a874bb3e4dcfafb1372c310d9d43c321872240e0 into f297bc0a04dcab6c2585b47f3672d045c4f6b54b

2025-04-16 16:19:15 +08:00 · 2025-04-15 16:59:25 -04:00 · 2025-04-15 16:59:25 -04:00 · 178e432bc9
commit 178e432bc9
parent f297bc0a04 a874bb3e4d
2 changed files with 26 additions and 17 deletions
--- a/modules/caddytls/storageloader.go
+++ b/modules/caddytls/storageloader.go
@ -72,17 +72,16 @@ func (sl *StorageLoader) Provision(ctx caddy.Context) error {
 	return nil
 }

-// LoadCertificates returns the certificates to be loaded by sl.
-func (sl StorageLoader) LoadCertificates() ([]Certificate, error) {
+func (sl StorageLoader) Initialize(updateCertificates func(add []Certificate, remove []string) error) error {
 	certs := make([]Certificate, 0, len(sl.Pairs))
 	for _, pair := range sl.Pairs {
 		certData, err := sl.storage.Load(sl.ctx, pair.Certificate)
 		if err != nil {
-			return nil, err
+			return err
 		}
 		keyData, err := sl.storage.Load(sl.ctx, pair.Key)
 		if err != nil {
-			return nil, err
+			return err
 		}

 		var cert tls.Certificate
@ -94,21 +93,21 @@ func (sl StorageLoader) LoadCertificates() ([]Certificate, error) {
 			// if the start of the key file looks like an encrypted private key,
 			// reject it with a helpful error message
 			if strings.Contains(string(keyData[:40]), "ENCRYPTED") {
-				return nil, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
+				return fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
 			}

 			cert, err = tls.X509KeyPair(certData, keyData)

 		default:
-			return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
+			return fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
 		}
 		if err != nil {
-			return nil, err
+			return err
 		}

 		certs = append(certs, Certificate{Certificate: cert, Tags: pair.Tags})
 	}
-	return certs, nil
+	return updateCertificates(certs, []string{})
 }

 // Interface guard
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@ -248,18 +248,14 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 		DisableStorageCheck: t.DisableStorageCheck,
 	})
 	certCacheMu.RUnlock()
+
 	for _, loader := range t.certificateLoaders {
-		certs, err := loader.LoadCertificates()
+		err := loader.Initialize(func(add []Certificate, remove []string) error {
+			return t.updateCertificates(ctx, magic, add, remove)
+		})
 		if err != nil {
 			return fmt.Errorf("loading certificates: %v", err)
 		}
-		for _, cert := range certs {
-			hash, err := magic.CacheUnmanagedTLSCertificate(ctx, cert.Certificate, cert.Tags)
-			if err != nil {
-				return fmt.Errorf("caching unmanaged certificate: %v", err)
-			}
-			t.loaded[hash] = ""
-		}
 	}

 	// on-demand permission module
@ -720,6 +716,20 @@ func (t *TLS) HasCertificateForSubject(subject string) bool {
 	return false
 }

+func (t *TLS) updateCertificates(ctx caddy.Context, magic *certmagic.Config, add []Certificate, remove []string) error {
+	for _, cert := range add {
+		hash, err := magic.CacheUnmanagedTLSCertificate(ctx, cert.Certificate, cert.Tags)
+		if err != nil {
+			return fmt.Errorf("caching unmanaged certificate: %v", err)
+		}
+		t.loaded[hash] = ""
+	}
+	certCacheMu.Lock()
+	certCache.Remove(remove)
+	certCacheMu.Unlock()
+	return nil
+}
+
 // keepStorageClean starts a goroutine that immediately cleans up all
 // known storage units if it was not recently done, and then runs the
 // operation at every tick from t.storageCleanTicker.
@ -825,7 +835,7 @@ func (t *TLS) onEvent(ctx context.Context, eventName string, data map[string]any
 // CertificateLoader is a type that can load certificates.
 // Certificates can optionally be associated with tags.
 type CertificateLoader interface {
-	LoadCertificates() ([]Certificate, error)
+	Initialize(updateCertificates func(add []Certificate, remove []string) error) error
 }

 // Certificate is a TLS certificate, optionally