From c0107ab5b9bf4ae44e0d982d35a778a824b2f8d7 Mon Sep 17 00:00:00 2001
From: max furman <mx.furman@gmail.com>
Date: Tue, 27 Nov 2018 16:25:01 -0800
Subject: [PATCH] Fix ca renew documentation

---
 ca/renew.go | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/ca/renew.go b/ca/renew.go
index f18d8d11..b7d0fe2b 100644
--- a/ca/renew.go
+++ b/ca/renew.go
@@ -14,7 +14,7 @@ import (
 // certificate.
 type RenewFunc func() (*tls.Certificate, error)
 
-// TLSRenewer renews automatically a tls certificate with a given function.
+// TLSRenewer automatically renews a tls certificate using a give RenewFunc.
 type TLSRenewer struct {
 	sync.RWMutex
 	RenewCertificate RenewFunc
@@ -44,7 +44,7 @@ func WithRenewJitter(j time.Duration) func(r *TLSRenewer) error {
 }
 
 // NewTLSRenewer creates a TLSRenewer for the given cert. It will use the given
-// function to get a new certificate when required.
+// RenewFunc to get a new certificate when required.
 func NewTLSRenewer(cert *tls.Certificate, fn RenewFunc, opts ...tlsRenewerOptions) (*TLSRenewer, error) {
 	r := &TLSRenewer{
 		RenewCertificate: fn,
@@ -123,8 +123,10 @@ func (r *TLSRenewer) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Cer
 
 // getCertificate returns the certificate using a read-only lock.
 //
-// Known issue: It will not attempt to renew the certificate if its expired as
-// the renew request with mTLS will fail.
+// Known issue: It cannot renew an expired certificate because the /renew
+// endpoint requires a valid client certificate. The certificate can expire
+// if the timer does not fire e.g. when the CA is run from a laptop that
+// enters sleep mode.
 func (r *TLSRenewer) getCertificate() *tls.Certificate {
 	r.RLock()
 	cert := r.cert
@@ -133,7 +135,7 @@ func (r *TLSRenewer) getCertificate() *tls.Certificate {
 }
 
 // getCertificateForCA returns the certificate using a read-only lock. It will
-// automatically renew the certificate if it's expired.
+// automatically renew the certificate if it has expired.
 func (r *TLSRenewer) getCertificateForCA() *tls.Certificate {
 	r.RLock()
 	// Force certificate renewal if the timer didn't run.
@@ -149,8 +151,8 @@ func (r *TLSRenewer) getCertificateForCA() *tls.Certificate {
 }
 
 // setCertificate updates the certificate using a read-write lock. It also
-// updates certNotAfter with 1m of delta, this will force the renew of the
-// certificate if it's expired or about to expire.
+// updates certNotAfter with 1m of delta; this will force the renewal of the
+// certificate if it is about to expire.
 func (r *TLSRenewer) setCertificate(cert *tls.Certificate) {
 	r.Lock()
 	r.cert = cert