reverseproxy: force renewal only renews if not issued in last 5 mins

otherwise, this leads to repeated renewals in checkCerts
Girish Ramakrishnan
2023-02-01 11:12:55 +01:00
parent eddfd20f24
commit 3b9486596d


@@ -253,12 +253,21 @@ function getAcmeCertificateNameSync(fqdn, domainObject) {
}
}
function needsRenewalSync(cert) {
function needsRenewalSync(cert, options) {
assert.strictEqual(typeof cert, 'string');
assert.strictEqual(typeof options, 'string');
const { endDate } = getCertificateDatesSync(cert);
const isExpiring = (endDate - new Date()) <= (30 * 24 * 60 * 60 * 1000); // expiring in a month
debug(`needsRenewal: ${isExpiring}`);
const { startDate, endDate } = getCertificateDatesSync(cert);
const now = new Date();
let isExpiring;
if (options.forceRenewal) {
isExpiring = (now - startDate) > (5 * 60 * 1000); // was renewed 5 minutes ago
} else {
isExpiring = (endDate - now) <= (30 * 24 * 60 * 60 * 1000); // expiring in a month
}
debug(`needsRenewal: ${isExpiring}. force: ${!!options.forceRenewal}`);
return isExpiring;
}
@@ -407,7 +416,7 @@ async function ensureCertificate(location, options, auditSource) {
const cert = await blobs.getString(`${blobs.CERT_PREFIX}-${certName}.cert`);
if (key && cert) {
if (!options.forceRenewal && providerMatchesSync(domainObject, cert) && !needsRenewalSync(cert)) { // force is for e2e
if (providerMatchesSync(domainObject, cert) && !needsRenewalSync(cert, options)) {
debug(`ensureCertificate: ${fqdn} acme cert exists and is up to date`);
return;
}
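Review bot: The added `assert.strictEqual(typeof options, 'string');` in needsRenewalSync contradicts how the argument is used: the function reads `options.forceRenewal`, and ensureCertificate passes its own options object, so the assertion would throw on every call from there. It should be `assert.strictEqual(typeof options, 'object');`. Separately, the force branch measures age from the certificate's `startDate`; some ACME CAs backdate notBefore to tolerate clock skew, in which case `(now - startDate) > (5 * 60 * 1000)` is true even for a just-issued certificate and the repeated renewals this commit targets (which can also run into CA rate limits) would continue, so this is worth confirming against the CA in use or replacing with a separately recorded issuance time. The inline comment `// was renewed 5 minutes ago` would read more accurately as `// issued more than 5 minutes ago`.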