Use certificate expiry to limit caching and regenerate appropriately

Author: pimterry

src/server/http-combo-server.ts

@@ -200,8 +200,28 @@ export async function createComboServer(options: ComboServerOptions): Promise<De
                 ALPNProtocols: serverProtocolPreferences
             }
 
-        // Cache secure contexts by domain to avoid expensive re-creation on every connection
-        const secureContextCache = new Map<string, tls.SecureContext>();
+        // Cache secure contexts by domain with expiry tracking, with 1h buffer
+        const EXPIRY_BUFFER_MS = 60 * 60 * 1000;
+        const secureContextCache = new Map<string, { context: tls.SecureContext, expiresAt: Date }>();
+
+        const getSecureContext = async (domain: string): Promise<tls.SecureContext> => {
+            const cached = secureContextCache.get(domain);
+            const now = Date.now();
+
+            if (cached && cached.expiresAt.getTime() - now > EXPIRY_BUFFER_MS) {
+                return cached.context;
+            }
+
+            // Generate new cert (either not cached or expiring soon)
+            const generatedCert = await ca.generateCertificate(domain);
+            const context = tls.createSecureContext({
+                key: generatedCert.key,
+                cert: generatedCert.cert,
+                ca: generatedCert.ca
+            });
+            secureContextCache.set(domain, { context, expiresAt: generatedCert.expiresAt });
+            return context;
+        };
 
         tlsServer = tls.createServer({
             key: defaultCert.key,
@@ -213,17 +233,7 @@ export async function createComboServer(options: ComboServerOptions): Promise<De
                 if (options.debug) console.log(`Generating certificate for ${domain}`);
 
                 try {
-                    let secureContext = secureContextCache.get(domain);
-                    if (!secureContext) {
-                        const generatedCert = await ca.generateCertificate(domain);
-                        secureContext = tls.createSecureContext({
-                            key: generatedCert.key,
-                            cert: generatedCert.cert,
-                            ca: generatedCert.ca
-                        });
-                        secureContextCache.set(domain, secureContext);
-                    }
-                    cb(null, secureContext);
+                    cb(null, await getSecureContext(domain));
                 } catch (e) {
                     console.error('Cert generation error', e);
                     cb(e);

src/util/certificates.ts

@@ -54,7 +54,8 @@ export type PEM = string | string[] | Buffer | Buffer[];
 export type GeneratedCertificate = {
     key: string,
     cert: string,
-    ca: string
+    ca: string,
+    expiresAt: Date
 };
 
 const SUBJECT_NAME_MAP: { [key: string]: string } = {
@@ -311,14 +312,11 @@ export type { CA };
 class CA {
     private options: BaseCAOptions;
 
-    private certCache: { [domain: string]: GeneratedCertificate };
-
     constructor(
         private caCert: x509.X509Certificate,
         private caKey: CryptoKey,
         options?: BaseCAOptions
     ) {
-        this.certCache = {};
         this.options = options ?? {};
 
         const keyLength = this.options.keyLength || 2048;
@@ -337,9 +335,6 @@ class CA {
     }
 
     async generateCertificate(domain: string): Promise<GeneratedCertificate> {
-        // TODO: Expire domains from the cache? Based on their actual expiry?
-        if (this.certCache[domain]) return this.certCache[domain];
-
         const leafKeyPair = await KEY_PAIR!.value;
 
         if (domain.includes('_')) {
@@ -427,16 +422,16 @@ class CA {
             extensions
         });
 
-        const generatedCertificate = {
+        const generatedCertificate: GeneratedCertificate = {
             key: arrayBufferToPem(
                 await crypto.subtle.exportKey("pkcs8", leafKeyPair.privateKey as CryptoKey),
                 "PRIVATE KEY"
             ),
             cert: certificate.toString("pem"),
-            ca: this.caCert.toString("pem")
+            ca: this.caCert.toString("pem"),
+            expiresAt: notAfter
         };
 
-        this.certCache[domain] = generatedCertificate;
         return generatedCertificate;
     }
 }