BREAKING CHANGE(smart-proxy): move certificate persistence to an in-memory store and introduce consumer-managed certStore API; add default self-signed fallback cert and change ACME account handling

2026-02-13 16:32:02 +00:00
parent e0af82c1ef
commit 0e058594c9
17 changed files with 296 additions and 397 deletions
--- a/rust/crates/rustproxy/src/lib.rs
+++ b/rust/crates/rustproxy/src/lib.rs
@@ -184,15 +184,12 @@ impl RustProxy {
            return None;
        }

-        let store_path = acme.certificate_store
-            .as_deref()
-            .unwrap_or("./certs");
        let email = acme.email.clone()
            .or_else(|| acme.account_email.clone());
        let use_production = acme.use_production.unwrap_or(false);
        let renew_before_days = acme.renew_threshold_days.unwrap_or(30);

-        let store = CertStore::new(store_path);
+        let store = CertStore::new();
        Some(CertManager::new(store, email, use_production, renew_before_days))
    }

@@ -222,19 +219,6 @@ impl RustProxy {

        info!("Starting RustProxy...");

-        // Load persisted certificates
-        if let Some(ref cm) = self.cert_manager {
-            let mut cm = cm.lock().await;
-            match cm.load_all() {
-                Ok(count) => {
-                    if count > 0 {
-                        info!("Loaded {} persisted certificates", count);
-                    }
-                }
-                Err(e) => warn!("Failed to load persisted certificates: {}", e),
-            }
-        }
-
        // Auto-provision certificates for routes with certificate: 'auto'
        self.auto_provision_certificates().await;

@@ -396,9 +380,7 @@ impl RustProxy {
                        };

                        let mut cm = cm_arc.lock().await;
-                        if let Err(e) = cm.load_static(domain.clone(), bundle) {
-                            error!("Failed to store certificate for {}: {}", domain, e);
-                        }
+                        cm.load_static(domain.clone(), bundle);

                        info!("Certificate provisioned for {}", domain);
                    }
@@ -775,8 +757,7 @@ impl RustProxy {
            };

            let mut cm = cm_arc.lock().await;
-            cm.load_static(domain.to_string(), bundle)
-                .map_err(|e| anyhow::anyhow!("Failed to store certificate: {}", e))?;
+            cm.load_static(domain.to_string(), bundle);
        }

        // Hot-swap TLS config on the listener