fix: don't reload cert manager, use only sni callback

2026-04-20 21:14:17 +02:00
parent d7bca9dc10
commit e7e8c9f141
4 changed files with 51 additions and 160 deletions
@@ -183,44 +183,23 @@ class CertManager:
            return False
        return self.__exists_certbot(host)

-    def get_https_context(self, default_host: str) -> ssl.SSLContext | None:
-        if not self.exists(default_host):
-            self.logger.warning("Cannot create HTTPS context for %s", default_host)
-            return None
-        self.logger.debug("Creating HTTP context...")
-        cert_file = self.get_cert(default_host)
-        key_file = self.get_key(default_host)
-        self.last_file_change = cert_file.stat().st_mtime
-        context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
-        context.load_cert_chain(
-            cert_file,
-            key_file,
-        )
-        context.sni_callback = self.__sni_callback
-        return context
-
-    def detect_default_cert_change(self, default_host: str) -> bool:
-        cert_file = self.get_cert(default_host)
-        if cert_file.exists() and cert_file.stat().st_mtime != self.last_file_change:
-            self.logger.debug("Detected change: %s", cert_file)
-            self.last_file_change = cert_file.stat().st_mtime
-            return True
-        return False
-
-    def __sni_callback(
+    def sni_callback(
        self, socket: ssl.SSLObject, host: str | None, _: ssl.SSLContext, /
    ) -> None | int:
        if host is None:
            return None
        if not self.exists(host) and not self.create_or_update(host):
-            msg = "Could not get certificate for %s"
-            raise CertManagerError(msg, host)
-        new_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+            return None
        cert_file = self.get_cert(host)
        key_file = self.get_key(host)
-        new_context.load_cert_chain(
-            cert_file,
-            key_file,
-        )
-        socket.context = new_context
+        try:
+            new_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+            new_context.load_cert_chain(
+                cert_file,
+                key_file,
+            )
+            socket.context = new_context
+        except Exception:
+            self.logger.exception("Could not create HTTPS context for %s", host)
+            return None
        return None