jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Fixup user and acme cert syncing

Browse Source
This commit is contained in:
Girish Ramakrishnan
2022-07-14 15:04:45 +05:30
parent 885d60f7cc
commit 14fc089f05
1 changed files with 16 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
src/reverseproxy.js
View File

@@ -297,7 +297,7 @@ async function getCertificatePath(fqdn, domain) {
return getFallbackCertificatePathSync(domain);
}
async function checkUserCertificate(fqdn, domainObject) {
async function syncUserCertificate(fqdn, domainObject) {
assert.strictEqual(typeof fqdn, 'string'); // this can contain wildcard domain (for alias domains)
assert.strictEqual(typeof domainObject, 'object');
@@ -313,7 +313,7 @@ async function checkUserCertificate(fqdn, domainObject) {
return { certFilePath, keyFilePath };
}
async function checkAcmeCertificate(fqdn, domainObject) {
async function syncAcmeCertificate(fqdn, domainObject) {
assert.strictEqual(typeof fqdn, 'string'); // this can contain wildcard domain (for alias domains)
assert.strictEqual(typeof domainObject, 'object');
@@ -360,8 +360,8 @@ async function ensureCertificate(subdomain, domain, auditSource) {
const domainObject = await domains.get(domain);
const userPath = await checkUserCertificate(subdomain, domainObject);
if (userPath) return { certificatePath: userPath, renewed: false };
const userCertificatePath = await syncUserCertificate(subdomain, domainObject);
if (userCertificatePath) return { certificatePath: userCertificatePath, renewed: false };
if (domainObject.tlsConfig.provider === 'fallback') {
debug(`ensureCertificate: ${subdomain} will use fallback certs`);
@@ -372,33 +372,33 @@ async function ensureCertificate(subdomain, domain, auditSource) {
const { acmeApi, apiOptions } = await getAcmeApi(domainObject);
let notAfter = null;
const [, acmePath] = await safe(checkAcmeCertificate(subdomain, domainObject));
if (acmePath) {
debug(`ensureCertificate: ${subdomain} certificate already exists at ${acmePath.keyFilePath}`);
notAfter = getExpiryDate(acmePath.certFilePath);
const [, acmeCertificatePath] = await safe(syncAcmeCertificate(subdomain, domainObject));
if (acmeCertificatePath) {
debug(`ensureCertificate: ${subdomain} certificate already exists at ${acmeCertificatePath.keyFilePath}`);
notAfter = getExpiryDate(acmeCertificatePath.certFilePath);
const isExpiring = (notAfter - new Date()) <= (30 * 24 * 60 * 60 * 1000); // expiring in a month
if (!isExpiring && providerMatchesSync(domainObject, acmePath.certFilePath, apiOptions)) return { certificatePath: acmePath, renewed: false };
if (!isExpiring && providerMatchesSync(domainObject, acmeCertificatePath.certFilePath, apiOptions)) return { certificatePath: acmeCertificatePath, renewed: false };
debug(`ensureCertificate: ${subdomain} cert requires renewal`);
} else {
debug(`ensureCertificate: ${subdomain} cert does not exist`);
}
debug('ensureCertificate: getting certificate for %s with options %j', subdomain, apiOptions);
debug(`ensureCertificate: getting certificate for ${subdomain} with options ${JSON.stringify(apiOptions)}`);
const acmePaths = getAcmeCertificatePathSync(subdomain, domainObject);
let [error] = await safe(acmeApi.getCertificate(subdomain, domain, acmePaths, apiOptions));
const [error] = await safe(acmeApi.getCertificate(subdomain, domain, acmePaths, apiOptions));
debug(`ensureCertificate: error: ${error ? error.message : 'null'} cert: ${acmePaths.certFilePath || 'null'}`);
await safe(eventlog.add(acmePath ? eventlog.ACTION_CERTIFICATE_RENEWAL : eventlog.ACTION_CERTIFICATE_NEW, auditSource, { domain: subdomain, errorMessage: error ? error.message : '', notAfter }));
await safe(eventlog.add(acmeCertificatePath ? eventlog.ACTION_CERTIFICATE_RENEWAL : eventlog.ACTION_CERTIFICATE_NEW, auditSource, { domain: subdomain, errorMessage: error ? error.message : '', notAfter }));
if (error && acmePath && (notAfter - new Date() > 0)) { // still some life left in this certificate
if (error && acmeCertificatePath && (notAfter - new Date() > 0)) { // still some life left in this certificate
debug('ensureCertificate: continue using existing certificate since renewal failed');
return { certificatePath: acmePath, renewed: false };
return { certificatePath: acmeCertificatePath, renewed: false };
}
if (!error) {
[error] = await safe(updateCertBlobs(subdomain, domainObject));
if (!error) return { certificatePath: { certFilePath: acmePaths.certFilePath, keyFilePath: acmePaths.keyFilePath }, renewed: true };
const [updateCertError] = await safe(updateCertBlobs(subdomain, domainObject));
if (!updateCertError) return { certificatePath: { certFilePath: acmePaths.certFilePath, keyFilePath: acmePaths.keyFilePath }, renewed: true };
}
debug(`ensureCertificate: renewal of ${subdomain} failed. using fallback certificates for ${domain}`);