Skip to content

enhance: Reload cert if 401 response from LAPI #4269

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
LaurenceJJones wants to merge 1 commit into
base: master
Choose a base branch
from
Open

enhance: Reload cert if 401 response from LAPI #4269

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions pkg/apiclient/auth_jwt.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -229,6 +229,16 @@ func (t *JWTTransport) RoundTrip(req *http.Request) (*http.Response, error) {
t.ResetToken()
}

// If we got a 401 and we're using mTLS, try to reload the certificate from disk.
// The cert may have been renewed while the old one expired in memory.
if resp.StatusCode == http.StatusUnauthorized {
if err := ReloadCertIfNeeded(t.Transport); err != nil {
log.Warnf("failed to reload client certificate: %s", err)
} else if CertPath != "" {
log.Infof("client certificate reloaded from %s", CertPath)
}
}

log.Debugf("retrying request to %s", req.URL.String())

attemptsCount[resp.StatusCode]++
Expand Down
30 changes: 30 additions & 0 deletions pkg/apiclient/client.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,8 +24,38 @@ var (
Cert *tls.Certificate
CaCertPool *x509.CertPool
lapiClient *ApiClient

// CertPath and KeyPath store the paths to the client certificate and key files.
Copy link
Copy Markdown
Contributor Author

@LaurenceJJones LaurenceJJones Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mmetc will kill me for more global vars, but atm they are held globally and scope of PR is a quick fix rather than a re implementation.

// These are used to reload the certificate when it expires and is renewed on disk.
CertPath string
KeyPath string
)

// ReloadCertIfNeeded checks if mTLS is configured and reloads the client certificate
// from disk, updating the provided transport's TLS config.
// This is called when a 401 is received, as the cert may have been renewed on disk
// while the old one expired in memory.
func ReloadCertIfNeeded(transport http.RoundTripper) error {
// Only attempt reload if mTLS is configured with cert paths
if Cert == nil || CertPath == "" || KeyPath == "" {
return nil
}

cert, err := tls.LoadX509KeyPair(CertPath, KeyPath)
if err != nil {
return fmt.Errorf("failed to reload certificate: %w", err)
}

Cert = &cert

// Update the transport's TLS config if possible
if httpTransport, ok := transport.(*http.Transport); ok && httpTransport.TLSClientConfig != nil {
Copy link
Copy Markdown
Contributor Author

@LaurenceJJones LaurenceJJones Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might want to breakdown into happy path EG: !ok and == nil and return context errors as it may silently pass here even though we read the cert into memory

Copy link
Copy Markdown
Contributor Author

@LaurenceJJones LaurenceJJones Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

      44 +  httpTransport, ok := transport.(*http.Transport)
      45 +  if !ok {
      46 +    return fmt.Errorf("cannot reload certificate: transport is %T, expected *http.Transport", transport)
      47 +  }
      48 +
      49 +  if httpTransport.TLSClientConfig == nil {
      50 +    return errors.New("cannot reload certificate: transport has no TLS config")
      51 +  }
      52 +
      53    cert, err := tls.LoadX509KeyPair(CertPath, KeyPath)
      54    if err != nil {
      55      return fmt.Errorf("failed to reload certificate: %w", err)
      56    }
      57
      58    Cert = &cert
      59 +  httpTransport.TLSClientConfig.Certificates = []tls.Certificate{cert}

httpTransport.TLSClientConfig.Certificates = []tls.Certificate{cert}
}

return nil
}

type TokenSave func(ctx context.Context, token string) error

type ApiClient struct {
Expand Down
3 changes: 3 additions & 0 deletions pkg/csconfig/api.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -216,6 +216,9 @@ func (l *LocalApiClientCfg) Load() error {
}

apiclient.Cert = &cert
// Store the paths so the certificate can be reloaded if it expires and is renewed on disk
apiclient.CertPath = l.Credentials.CertPath
apiclient.KeyPath = l.Credentials.KeyPath
}

return nil
Expand Down