Auto-renew ephemeral X.509 certificate.

If the ephemeral X.509 certificate is due for renewal in less than a
week, regenerate it automatically.

daemon/tls.c

@@ -130,11 +130,26 @@ struct tls_ctx_t *tls_new(struct worker_ctx *worker)
 	}
 
 	time_t now = time(NULL);
-	if (net->tls_credentials->valid_until != GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION &&
-	    now >= net->tls_credentials->valid_until) {
-		/* Warn once when certificate expires */
-		kr_log_error("[tls] X.509 certificate has expired!\n");
-		net->tls_credentials->valid_until = GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION;
+	if (net->tls_credentials->valid_until != GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION) {
+		if (net->tls_credentials->ephemeral_servicename) {
+			/* ephemeral cert: refresh if due to expire within a week */
+			if (now >= net->tls_credentials->valid_until - 60*60*24*7) {
+				struct tls_credentials *newcreds = tls_get_ephemeral_credentials(worker->engine);
+				if (newcreds) {
+					tls_credentials_release(net->tls_credentials);
+					net->tls_credentials = newcreds;
+					kr_log_info("[tls] Renewed expiring ephemeral X.509 cert\n");
+				} else {
+					kr_log_error("[tls] Failed to renew expiring ephemeral X.509 cert, using existing one\n");
+				}				
+			}
+		} else {
+			/* non-ephemeral cert: warn once when certificate expires */
+			if (now >= net->tls_credentials->valid_until) {
+				kr_log_error("[tls] X.509 certificate has expired!\n");
+				net->tls_credentials->valid_until = GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION;
+			}
+		}
 	}
 
 	struct tls_ctx_t *tls = calloc(1, sizeof(struct tls_ctx_t));