Skip to content

Store CertificateResource as one unit #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
philippta merged 23 commits into from
Dec 18, 2025
Merged

Store CertificateResource as one unit #3

philippta merged 23 commits into from
Dec 18, 2025

Conversation

@philippta
Copy link

@philippta philippta commented Nov 26, 2025
edited
Loading

How certmagic currently stores certs

In certmagic, a certificate consists of three different entities:

  • Certificate (.crt)
  • Private key (.key)
  • Meta data (issuer and renewal details) (.json)

These entities are stored and retrieved individually using the .Load() and .Store() functions, when obtaining or renewing a cert.

Problem

The current implementation has two important problems:

  • Storing and loading certificates and private keys are non-atomic operations, causing this issue:
  • Failing to store one entitiy can cause other entiries to be deleted.

    • certmagic/storage.go

      Lines 193 to 205 in 20b57b0

      // storeTx stores all the values or none at all.
      func storeTx(ctx context.Context, s Storage, all []keyValue) error {
      for i, kv := range all {
      err := s.Store(ctx, kv.key, kv.value)
      if err != nil {
      for j := i - 1; j >= 0; j-- {
      s.Delete(ctx, all[j].key)
      }
      return err
      }
      }
      return nil
      }

Solution

This change adresses the issue by storing all three entities as a single certificate bundle (.bundle).

As we're operating on a database with live certificates, this change also introduces the concept of a storage mode, that allows for seemless migration from the old to the new storage format:

const (
	// Storage mode controls the format in which certificates are stored in `Storage`.
	//
	// Formats:
	// - legacy: Store cert, privkey and meta as three separate storage items (.cert, .key, .json).
	// - bundle: Store cert, privkey and meta as a single, bundled storage item (.bundle).
	//
	// Modes:
	// - legacy:     Store and load certificates in legacy format.
	// - transition: Store and load certificates in legacy and bundle format.
	// - bundle:     Store and load certificates in bundle format.
	//
	// In the transition mode, failures around reads and writes of the bundle are soft.
	// They should only log errors and try to work with the legacy format as fallback.
	// Operations on the legacy format are hard-failures, implying that errors should be propagated up.
	//
	// The storage mode is controlled via the CERTMAGIC_STORAGE_MODE environment variable
	StorageModeEnv = "CERTMAGIC_STORAGE_MODE"

	StorageModeLegacy     = "legacy"
	StorageModeTransition = "transition"
	StorageModeBundle     = "bundle"
)

REVIEW DISCLAIMER

I did not try to be smart about the alternate storage implementation:

  • Most of the functions that interacted with Storage have been duplicated and updated.
  • For all those function, a feature flag switch was added.
  • I refrained from abstracting the storage logic further.
  • With that we can still integrate any upstream changes from certmagic easily.
  • This leaves also us the easy option of removing all ...Legacy functions after a full switch.

This is pretty much the calling sequence for all functions that do storage things:

// ---------------------------
// BEFORE
// ---------------------------
func storeCertResource(...) {
    // store crt, key, meta
}
// ---------------------------
// AFTER
// ---------------------------
func storeCertResource(...) { // keeps the original function signature
    switch storageMode {
    case "legacy": 
        storeCertResourceLegacy(...)

    case "transition":
        storeCertResourceLegacy(...)
        storeCertResourceBundle(...)

    case "bundle":
        storeCertResourceBundle(...)
    }
}

func storeCertResourceLegacy(...) { // the original unmodified function
    // store crt, key, meta
}

func storeCertResourceLegacy(...) { // the original function but with bundle format
    // store bundle
}

@philippta philippta force-pushed the feature/cert-storage branch from aadbadb to 85ab379 Compare December 2, 2025 12:06
@philippta philippta changed the title Implement CertificateResourceStorage as an atomic certificate storage Store CertificateResource as one unit Dec 2, 2025
ErikBooijFR
ErikBooijFR approved these changes Dec 9, 2025
View reviewed changes
Copy link

@ErikBooijFR ErikBooijFR left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I love it, I have very high hopes for this change. Some nits mostly

philippta and others added 3 commits December 9, 2025 12:38
@philippta @ErikBooijFR
Update certmagic.go
70470a4 
Co-authored-by: ErikBooijFR <erik@framer.com>
@philippta @ErikBooijFR
Update config.go
c1ec40a 
Co-authored-by: ErikBooijFR <erik@framer.com>
@philippta
Simplify test setup
c4a7cbb
@philippta philippta marked this pull request as ready for review December 9, 2025 13:23
cursor[bot]
cursor bot reviewed Dec 9, 2025
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment @cursor review or bugbot run to trigger another review on this PR

@philippta
Copy link
Author

philippta commented Dec 10, 2025

@cursor review

cursor[bot]
cursor bot reviewed Dec 10, 2025
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment @cursor review or bugbot run to trigger another review on this PR

@philippta
Copy link
Author

philippta commented Dec 11, 2025

@cursor review

ankon
ankon reviewed Dec 18, 2025
View reviewed changes
ankon
ankon reviewed Dec 18, 2025
View reviewed changes
crypto.go

// saveCertResource saves the certificate resource to disk. This
// saveCertResource saves the certificate resource to disk.
// It switches storage modes between legacy and bundle mode based on the CERTMAGIC_STORAGE_MODE env.
Copy link
Collaborator

@ankon ankon Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it make sense to document that everywhere? There's just a good chance this is noise and will be missed on cleanup, and it's not really where you'd search for this documentation -- rather, it appears once on the package, and maybe with a hint on the variable.

(My two cents, YMMV, etc)

Copy link
Author

@philippta philippta Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added them to the other functions. I guess during a cleanup, when we remove StorageModeEnv, the compiler will shout the spots we've missed.

ankon
ankon reviewed Dec 18, 2025
View reviewed changes
crypto.go
}

// saveCertResourceLegacy saves the certificate resource to disk. This
// includes the certificate file itself, the private key, and the
Copy link
Collaborator

@ankon ankon Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sentence lost the initial This :)

ankon
ankon approved these changes Dec 18, 2025
View reviewed changes
Copy link
Collaborator

@ankon ankon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like, a lot!

(I trust the process and that indeed you copy-pasted everything :D)

@philippta philippta merged commit e72e24f into master Dec 18, 2025
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@ErikBooijFR ErikBooijFR ErikBooijFR approved these changes

@ankon ankon ankon approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@philippta @ankon @ErikBooijFR