cleanup

proxy/internal/reverseproxy/certmanager/letsencrypt.go

@@ -39,7 +39,7 @@ func NewLetsEncrypt(config LetsEncryptConfig) *LetsEncryptManager {
 		HostPolicy:  m.hostPolicy,
 		Cache:       autocert.DirCache(config.CertCacheDir),
 		Email:       config.Email,
-		RenewBefore: 0, // Use default
+		RenewBefore: 0, // Use default 30 days prior to expiration
 	}
 
 	log.Info("Let's Encrypt certificate manager initialized")
@@ -71,8 +71,6 @@ func (m *LetsEncryptManager) RemoveDomain(domain string) {
 func (m *LetsEncryptManager) IssueCertificate(ctx context.Context, domain string) error {
 	log.Infof("Issuing Let's Encrypt certificate for domain: %s", domain)
 
-	// Use GetCertificate to trigger certificate issuance
-	// This will go through the ACME challenge flow
 	hello := &tls.ClientHelloInfo{
 		ServerName: domain,
 	}

proxy/internal/reverseproxy/certmanager/selfsigned_manager.go

@@ -54,19 +54,16 @@ func (m *SelfSignedManager) IssueCertificate(ctx context.Context, domain string)
 	m.mu.Lock()
 	defer m.mu.Unlock()
 
-	// Check if we already have a certificate for this domain
 	if _, exists := m.certificates[domain]; exists {
 		log.Debugf("Self-signed certificate already exists for domain: %s", domain)
 		return nil
 	}
 
-	// Generate self-signed certificate
 	cert, err := m.generateCertificate(domain)
 	if err != nil {
 		return err
 	}
 
-	// Cache the certificate
 	m.certificates[domain] = cert
 
 	return nil
@@ -94,7 +91,6 @@ func (m *SelfSignedManager) getCertificate(hello *tls.ClientHelloInfo) (*tls.Cer
 		return cert, nil
 	}
 
-	// Generate certificate on-demand if not cached
 	log.Infof("Generating self-signed certificate on-demand for: %s", hello.ServerName)
 
 	newCert, err := m.generateCertificate(hello.ServerName)
@@ -102,7 +98,6 @@ func (m *SelfSignedManager) getCertificate(hello *tls.ClientHelloInfo) (*tls.Cer
 		return nil, err
 	}
 
-	// Cache it
 	m.mu.Lock()
 	m.certificates[hello.ServerName] = newCert
 	m.mu.Unlock()
@@ -112,13 +107,11 @@ func (m *SelfSignedManager) getCertificate(hello *tls.ClientHelloInfo) (*tls.Cer
 
 // generateCertificate generates a self-signed certificate for a domain
 func (m *SelfSignedManager) generateCertificate(domain string) (*tls.Certificate, error) {
-	// Generate private key
 	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate private key: %w", err)
 	}
 
-	// Create certificate template
 	notBefore := time.Now()
 	notAfter := notBefore.Add(365 * 24 * time.Hour) // Valid for 1 year
 
@@ -141,13 +134,11 @@ func (m *SelfSignedManager) generateCertificate(domain string) (*tls.Certificate
 		DNSNames:              []string{domain},
 	}
 
-	// Create self-signed certificate
 	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create certificate: %w", err)
 	}
 
-	// Parse certificate
 	cert, err := x509.ParseCertificate(certDER)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse certificate: %w", err)