Error "TLS alert, internal error (592)" (again)

@alban, those are great questions.

First, I have pushed a commit to CertMagic that I am pretty sure will solve this:

We now allow for loading any cert from storage if cache pressure is 90% or higher.

PS. As @eva2000 mentioned, I cover this issue in my first livestream:

Yes, that might be a good way to handle this. I’ll look into it.

Good question; the answer is, as explained in the video above, that it’s not very good to do this with random eviction. We might end up trying a lot of certificates before we find one we can evict. Or we can keep a separate list of evictable certs, but then we use more memory. And what if the whole cache is full of non-evictable certs? So, best to just be able to reload ones we evicted.

That is basically what we do already. Storage is the long-term “cache” and in-memory cache is what we serve certs from.

Encoded certs aren’t particularly big, it’s their decoded form that takes more memory, which we need in order to manage them. Plus the CPU overhead isn’t favorable.

It already is.

Yes, we strongly advise and warn against deploying into production without configuring this endpoint.

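An added Go model of the cache behaviour this reply describes, written for illustration and not taken from CertMagic: certs are served from memory, storage is the long-term copy, a miss is reloaded from storage only once pressure reaches the 90% threshold, and an unmanaged entry is evicted to make room. The 90% semantics, the managed/unmanaged split and every name here are my assumptions.

```go
package main

import "errors"

// Certificate is a constructed stand-in for a decoded cert (the form a handshake needs), keyed by
// name in the cache; managed certs stay pinned in memory, only unmanaged ones may be evicted.
type Certificate struct{ Managed bool }
// CertCache serves handshakes from memory, backed by long-term storage (disk in CertMagic).
type CertCache struct {
	capacity        int
	reloadThreshold float64 // fraction of capacity in use at or above which a miss is reloaded
	memory, storage map[string]Certificate
}

// NewCertCache preloads storage into memory up to capacity, as happens at startup.
func NewCertCache(capacity int, threshold float64, storage map[string]Certificate) *CertCache {
	c := &CertCache{capacity, threshold, map[string]Certificate{}, storage}
	for name, cert := range storage {
		if len(c.memory) < capacity {
			c.memory[name] = cert
		}
	}
	return c
}

// Pressure is the fraction of capacity in use.
func (c *CertCache) Pressure() float64 { return float64(len(c.memory)) / float64(c.capacity) }

// GetCertificate is the handshake lookup: below the threshold a miss is not reloaded (nothing has
// been evicted yet); at or above it the cert is reloaded from storage, making room by dropping
// one unmanaged entry, and a cache full of pinned certs still serves it, just without caching it.
func (c *CertCache) GetCertificate(name string) (Certificate, error) {
	if cert, ok := c.memory[name]; ok {
		return cert, nil
	}
	cert, ok := c.storage[name]
	if !ok || c.Pressure() < c.reloadThreshold {
		return Certificate{}, errors.New("no certificate available") // clients see a TLS internal error
	}
	for victim, v := range c.memory {
		if len(c.memory) == c.capacity && !v.Managed {
			delete(c.memory, victim) // once one entry is gone the cache is below capacity
		}
	}
	if len(c.memory) < c.capacity {
		c.memory[name] = cert
	}
	return cert, nil
}
```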