Documentation
Index
- type CertLockMethod
- type Manager
- func (mgr *Manager) AddDomain(d domain.Domain, accountID types.AccountID, serviceID types.ServiceID) (wildcardHit bool)
- func (mgr *Manager) FailedDomains() map[string]string
- func (mgr *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
- func (mgr *Manager) PendingCerts() int
- func (mgr *Manager) PendingDomains() []string
- func (mgr *Manager) ReadyDomains() []string
- func (mgr *Manager) RemoveDomain(d domain.Domain)
- func (mgr *Manager) TotalDomains() int
- func (mgr *Manager) WatchWildcards(ctx context.Context)
- func (mgr *Manager) WildcardPatterns() []string
- type ManagerConfig
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type CertLockMethod
type CertLockMethod string
CertLockMethod controls how ACME certificate locks are coordinated.
const (
	// CertLockAuto detects the environment and selects k8s-lease if running
	// in a Kubernetes pod, otherwise flock.
	CertLockAuto CertLockMethod = "auto"
	// CertLockFlock uses advisory file locks via flock(2).
	CertLockFlock CertLockMethod = "flock"
	// CertLockK8sLease uses Kubernetes coordination Leases.
	CertLockK8sLease CertLockMethod = "k8s-lease"
)
type Manager
Manager wraps autocert.Manager with domain tracking and cross-replica coordination via a pluggable locking strategy. The locker prevents duplicate ACME requests when multiple replicas share a certificate cache.
func NewManager
func NewManager(cfg ManagerConfig, notifier certificateNotifier, logger *log.Logger, metrics metricsRecorder) (*Manager, error)
NewManager creates a new ACME certificate manager.
func (*Manager) AddDomain
func (mgr *Manager) AddDomain(d domain.Domain, accountID types.AccountID, serviceID types.ServiceID) (wildcardHit bool)
AddDomain registers a domain for certificate management. Domains that match a loaded wildcard are marked ready immediately (they use the static wildcard certificate) and the method returns true. All other domains go through ACME prefetch and the method returns false.
When AddDomain returns true the caller is responsible for sending any certificate-ready notifications after the surrounding operation (e.g. mapping update) has committed successfully.
func (*Manager) FailedDomains
func (mgr *Manager) FailedDomains() map[string]string
FailedDomains returns domain names that failed certificate prefetch, mapped to their error.
func (*Manager) GetCertificate added in v0.67.0
func (mgr *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
GetCertificate returns the TLS certificate for the given ClientHello. If the requested domain matches a loaded wildcard, the static wildcard certificate is returned. Otherwise, the ACME autocert manager handles the request.
func (*Manager) PendingCerts
func (mgr *Manager) PendingCerts() int
PendingCerts returns the number of certificates currently being prefetched.
func (*Manager) PendingDomains
func (mgr *Manager) PendingDomains() []string
PendingDomains returns the domain names currently being prefetched.
func (*Manager) ReadyDomains
func (mgr *Manager) ReadyDomains() []string
ReadyDomains returns domain names that have successfully obtained certificates.
func (*Manager) RemoveDomain
func (mgr *Manager) RemoveDomain(d domain.Domain)
RemoveDomain removes a domain from tracking.
func (*Manager) TotalDomains
func (mgr *Manager) TotalDomains() int
TotalDomains returns the total number of registered domains.
func (*Manager) WatchWildcards added in v0.67.0
func (mgr *Manager) WatchWildcards(ctx context.Context)
WatchWildcards starts watching all wildcard certificate files for changes. It blocks until ctx is cancelled. It is a no-op if no wildcards are loaded.
func (*Manager) WildcardPatterns added in v0.67.0
func (mgr *Manager) WildcardPatterns() []string
WildcardPatterns returns the wildcard patterns that are currently loaded.
type ManagerConfig added in v0.67.0
type ManagerConfig struct {
// CertDir is the directory used for caching ACME certificates.
CertDir string
// ACMEURL is the ACME directory URL (e.g. Let's Encrypt).
ACMEURL string
// EABKID and EABHMACKey are optional External Account Binding credentials
// required by some CAs (e.g. ZeroSSL). EABHMACKey is the base64
// URL-encoded string provided by the CA.
EABKID string
EABHMACKey string
// LockMethod controls the cross-replica coordination strategy.
LockMethod CertLockMethod
// WildcardDir is an optional path to a directory containing wildcard
// certificate pairs (<name>.crt / <name>.key). Wildcard patterns are
// extracted from the certificates' SAN lists. Domains matching a
// wildcard are served from disk; all others go through ACME.
WildcardDir string
}
ManagerConfig holds the configuration values for the ACME certificate manager.
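The two behaviours this documentation describes but does not show are how WildcardDir certificates turn into patterns (read from the SAN list) and how GetCertificate/AddDomain decide that a host is covered by a loaded wildcard and so never goes to ACME. The following is an added example, not code from this package: it builds a throwaway self-signed wildcard certificate in memory (standing in for a <name>.crt / <name>.key pair on disk), extracts the "*." SAN entries as patterns, and dispatches a ClientHello either to the static certificate or to a fallback that stands in for autocert. The helper names (wildcardPatternsFromCert, matchesWildcard, wildcardStore, loadWildcards, newSelfSignedWildcard) and the one-label matching rule are assumptions; the page does not say how the package itself matches hosts against patterns.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// wildcardPatternsFromCert extracts wildcard patterns from a certificate's SAN
// list: only DNS SANs starting with "*." count. (Assumed helper, not the
// package's own code.)
func wildcardPatternsFromCert(cert *x509.Certificate) []string {
	var patterns []string
	for _, name := range cert.DNSNames {
		if strings.HasPrefix(name, "*.") {
			patterns = append(patterns, strings.ToLower(name))
		}
	}
	return patterns
}

// matchesWildcard applies the usual TLS rule (assumed here): "*" covers exactly
// one DNS label, so "*.example.com" matches "api.example.com" but neither
// "example.com" nor "a.b.example.com". Comparison is case-insensitive and a
// trailing dot on the host is ignored.
func matchesWildcard(host, pattern string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if !strings.HasPrefix(pattern, "*.") {
		return false
	}
	suffix := pattern[1:] // ".example.com"
	if !strings.HasSuffix(host, suffix) {
		return false
	}
	label := strings.TrimSuffix(host, suffix)
	return label != "" && !strings.Contains(label, ".")
}

// wildcardStore indexes static certificates by the wildcard pattern they cover,
// the in-memory equivalent of scanning WildcardDir.
type wildcardStore struct {
	certs map[string]*tls.Certificate
}

func loadWildcards(certs ...*tls.Certificate) *wildcardStore {
	s := &wildcardStore{certs: map[string]*tls.Certificate{}}
	for _, c := range certs {
		for _, p := range wildcardPatternsFromCert(c.Leaf) {
			s.certs[p] = c
		}
	}
	return s
}

// lookup returns the static certificate covering host, or nil when no loaded
// wildcard matches (the case the documented Manager hands to ACME).
func (s *wildcardStore) lookup(host string) *tls.Certificate {
	for pattern, cert := range s.certs {
		if matchesWildcard(host, pattern) {
			return cert
		}
	}
	return nil
}

// getCertificate models the documented GetCertificate dispatch: a wildcard hit is
// served from memory, anything else goes to fallback (standing in for autocert).
// The returned function has the tls.Config.GetCertificate signature.
func (s *wildcardStore) getCertificate(fallback func(*tls.ClientHelloInfo) (*tls.Certificate, error)) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if c := s.lookup(hello.ServerName); c != nil {
			return c, nil
		}
		return fallback(hello)
	}
}

// newSelfSignedWildcard builds a constructed, throwaway certificate with the given
// SANs; it stands in for a <name>.crt / <name>.key pair read from WildcardDir.
func newSelfSignedWildcard(dnsNames []string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}
```

Setting `GetCertificate: store.getCertificate(autocertMgr.GetCertificate)` on a `tls.Config` gives the same precedence the documentation states for Manager.GetCertificate: the static wildcard wins, and only uncovered hosts reach ACME. The single-label rule matters operationally: a wildcard for `*.example.com` does not cover the apex `example.com`, so that name still needs its own ACME certificate (or its own SAN in the wildcard file), and `a.b.example.com` would be an ACME request too.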