Fix a couple of race conditions in the renewal of certificates.

ca/mutable_tls_config.go

@@ -40,7 +40,7 @@ func (c *mutableTLSConfig) Init(base *tls.Config) {
 // tls.Config GetConfigForClient.
 func (c *mutableTLSConfig) TLSConfig() (config *tls.Config) {
 	c.RLock()
-	config = c.config
+	config = c.config.Clone()
 	c.RUnlock()
 	return
 }

ca/renew.go

@@ -80,7 +80,9 @@ func NewTLSRenewer(cert *tls.Certificate, fn RenewFunc, opts ...tlsRenewerOption
 func (r *TLSRenewer) Run() {
 	cert := r.getCertificate()
 	next := r.nextRenewDuration(cert.Leaf.NotAfter)
+	r.Lock()
 	r.timer = time.AfterFunc(next, r.renewCertificate)
+	r.Unlock()
 }
 
 // RunContext starts the certificate renewer for the given certificate.