clear ssl certs & restart server when "no certificates" is selected

j-chmielewski · j-chmielewski · commit dd73b318c68b · 2026-04-07T12:19:44.000+02:00
diff --git a/proto b/proto
@@ -1 +1 @@
-Subproject commit 0e247a24c3ae78052501dd052af4b73ab8f1e368
+Subproject commit 9f9038033683b3f07dde88f2fa4e8f7e4a4e9bf9
diff --git a/src/grpc.rs b/src/grpc.rs
@@ -56,6 +56,7 @@ pub(crate) struct ProxyServer {
     cert_dir: PathBuf,
     reset_tx: broadcast::Sender<()>,
     https_cert_tx: broadcast::Sender<(String, String)>,
+    clear_https_tx: broadcast::Sender<()>,
     /// `Some` only when the main HTTP server is bound to port 80.
     /// Used to hand off port 80 gracefully during ACME HTTP-01 challenges.
     port80_pause_tx: Option<mpsc::Sender<(oneshot::Sender<()>, oneshot::Receiver<()>)>>,
@@ -73,6 +74,7 @@ impl ProxyServer {
         cert_dir: PathBuf,
         reset_tx: broadcast::Sender<()>,
         https_cert_tx: broadcast::Sender<(String, String)>,
+        clear_https_tx: broadcast::Sender<()>,
         port80_pause_tx: Option<mpsc::Sender<(oneshot::Sender<()>, oneshot::Receiver<()>)>>,
         logs_rx: LogsReceiver,
         acme_staging: bool,
@@ -88,6 +90,7 @@ impl ProxyServer {
             cert_dir,
             reset_tx,
             https_cert_tx,
+            clear_https_tx,
             port80_pause_tx,
             logs_rx,
             acme_staging,
@@ -213,6 +216,7 @@ impl Clone for ProxyServer {
             cert_dir: self.cert_dir.clone(),
             reset_tx: self.reset_tx.clone(),
             https_cert_tx: self.https_cert_tx.clone(),
+            clear_https_tx: self.clear_https_tx.clone(),
             port80_pause_tx: self.port80_pause_tx.clone(),
             logs_rx: Arc::clone(&self.logs_rx),
             acme_staging: self.acme_staging,
@@ -267,6 +271,7 @@ impl proxy_server::Proxy for ProxyServer {
         let connected = Arc::clone(&self.connected);
         let cookie_key = Arc::clone(&self.cookie_key);
         let https_cert_tx = self.https_cert_tx.clone();
+        let clear_https_tx = self.clear_https_tx.clone();
         tokio::spawn(
             async move {
                 let mut stream = request.into_inner();
@@ -292,6 +297,12 @@ impl proxy_server::Proxy for ProxyServer {
                                             );
                                         }
                                     }
+                                    core_response::Payload::ClearHttpsCerts(_) => {
+                                        info!("Received ClearHttpsCerts from Core");
+                                        if let Err(err) = clear_https_tx.send(()) {
+                                            error!("Failed to broadcast ClearHttpsCerts: {err}");
+                                        }
+                                    }
                                     other => {
                                         let maybe_rx = results.write().expect("Failed to acquire lock on results hashmap when processing response").remove(&response.id);
                                         if let Some(rx) = maybe_rx {
diff --git a/src/http.rs b/src/http.rs
@@ -316,6 +316,7 @@ pub async fn run_server(
     let cookie_key = Arc::default();
     let (reset_tx, mut reset_rx) = tokio::sync::broadcast::channel(1);
     let (https_cert_tx, https_cert_rx) = broadcast::channel::<(String, String)>(1);
+    let (clear_https_tx, clear_https_rx) = broadcast::channel::<()>(1);
 
     // When the main HTTP server is on port 80, create a channel so the ACME task can request
     // a graceful hand-off of port 80 before binding its temporary challenge listener.
@@ -337,6 +338,7 @@ pub async fn run_server(
         env_config.cert_dir.clone(),
         reset_tx,
         https_cert_tx,
+        clear_https_tx,
         port80_pause_tx,
         Arc::clone(&logs_rx),
         env_config.acme_staging,
@@ -516,6 +518,7 @@ pub async fn run_server(
         );
         let mut current_tls: Option<(String, String)> = None;
         let mut https_cert_rx = https_cert_rx;
+        let mut clear_https_rx = clear_https_rx;
         let mut port80_pause_rx = port80_pause_rx;
 
         loop {
@@ -571,6 +574,23 @@ pub async fn run_server(
                         }
                     }
                 }
+                result = clear_https_rx.recv() => {
+                    match result {
+                        Ok(()) => {
+                            info!("Received ClearHttpsCerts, restarting web server without TLS");
+                            current_tls = None;
+                            handle.graceful_shutdown(Some(Duration::from_secs(30)));
+                            let _ = server_task.await;
+                        }
+                        Err(broadcast::error::RecvError::Lagged(_)) => {
+                            warn!("Missed ClearHttpsCerts update; will apply next one");
+                        }
+                        Err(broadcast::error::RecvError::Closed) => {
+                            error!("ClearHttpsCerts channel closed unexpectedly");
+                            break;
+                        }
+                    }
+                }
                 // An ACME task needs port 80: gracefully stop the current HTTP server,
                 // signal the task that port 80 is free, wait until it's done, then let
                 // the loop restart the server.
