fix: regenerate TLS cert when services change (hot-reload via ArcSwap)

HTTPS proxy certs were generated once at startup. Services added at runtime via API or LAN discovery got "not secure" in the browser because their SAN wasn't in the cert. Now the cert is regenerated on every service add/remove and swapped atomically via ArcSwap. In-flight connections are unaffected. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 16:14:06 +02:00
parent fe784addd2
commit 1ae2e23bb6
9 changed files with 108 additions and 35 deletions
--- a/src/tls.rs
+++ b/src/tls.rs
@@ -1,7 +1,10 @@
+use std::collections::HashSet;
 use std::path::Path;
 use std::sync::Arc;

 use log::{info, warn};
+
+use crate::ctx::ServerCtx;
 use rcgen::{BasicConstraints, CertificateParams, DnType, IsCa, KeyPair, KeyUsagePurpose, SanType};
 use rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
 use rustls::ServerConfig;
@@ -10,6 +13,26 @@ use time::{Duration, OffsetDateTime};
 const CA_VALIDITY_DAYS: i64 = 3650; // 10 years
 const CERT_VALIDITY_DAYS: i64 = 365; // 1 year

+/// Collect all service + LAN peer names and regenerate the TLS cert.
+pub fn regenerate_tls(ctx: &ServerCtx) {
+    let tls = match &ctx.tls_config {
+        Some(t) => t,
+        None => return,
+    };
+
+    let mut names: HashSet<String> = ctx.services.lock().unwrap().names().into_iter().collect();
+    names.extend(ctx.lan_peers.lock().unwrap().names());
+    let names: Vec<String> = names.into_iter().collect();
+
+    match build_tls_config(&ctx.proxy_tld, &names) {
+        Ok(new_config) => {
+            tls.store(new_config);
+            info!("TLS cert regenerated for {} services", names.len());
+        }
+        Err(e) => warn!("TLS regeneration failed: {}", e),
+    }
+}
+
 /// Build a TLS config with a cert covering all provided service names.
 /// Wildcards under single-label TLDs (*.numa) are rejected by browsers,
 /// so we list each service explicitly as a SAN.