cert: only inform user if renewal fails and only 10 days left

Girish Ramakrishnan
2021-06-01 09:09:16 -07:00
parent 380fe7c17a
commit e9ace613e2
2 changed files with 19 additions and 13 deletions


@@ -96,19 +96,18 @@ function getAcmeApi(domainObject, callback) {
});
}
function isExpiringSync(certFilePath, hours) {
function getExpiryDate(certFilePath) {
assert.strictEqual(typeof certFilePath, 'string');
assert.strictEqual(typeof hours, 'number');
if (!fs.existsSync(certFilePath)) return 2; // not found
if (!fs.existsSync(certFilePath)) return null; // not found
const result = safe.child_process.spawnSync('/usr/bin/openssl', [ 'x509', '-checkend', String(60 * 60 * hours), '-in', certFilePath ]);
const result = safe.child_process.spawnSync('/usr/bin/openssl', [ 'x509', '-enddate', '-noout', certFilePath ]);
if (!result) return null; // some error
if (!result) return 3; // some error
const notAfter = result.stdout.toString('utf8').trim().split('=')[1];
debug(`expiryDate: ${certFilePath} notAfter=${notAfter}`);
debug('isExpiringSync: %s %s %s', certFilePath, result.stdout.toString('utf8').trim(), result.status);
return result.status === 1; // 1 - expired 0 - not expired
return new Date(notAfter);
}
// We used to check for the must-staple in the cert using openssl x509 -text -noout -in ${certFilePath} | grep -q status_request
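Review bot: The new openssl invocation in getExpiryDate passes certFilePath without the `'-in'` flag that the removed `-checkend` line had in front of it, and the new code no longer looks at `result.status`, so if openssl rejects the arguments or the file (non-zero exit, empty stdout) the function continues with `split('=')[1]` === undefined and returns `new Date(undefined)`, an Invalid Date. An Invalid Date is truthy and every arithmetic comparison against it is NaN, so in ensureCertificate (second hunk) `isExpiring` becomes false and a certificate whose expiry could not be read is reported as not needing renewal, whereas the old `isExpiringSync` returned a truthy error code that forced the renewal path; cleanupCerts (last hunk, cut off at the end of the page) would likewise skip such files because `!notAfter` is false. I cannot confirm from here whether the installed openssl accepts a bare path, so the `-in` part is a suspicion, but the missing status and date validation is visible. Restoring `'-in'`, returning null when `result.status !== 0`, and returning null for an unparseable date keeps the callers' null handling (`null - new Date()` is negative, i.e. expiring; `if (!notAfter) continue;`) on the safe side; the `new Date(notAfter)` parse of openssl's `Mon DD HH:MM:SS YYYY GMT` text also relies on V8's non-ISO parser, which the NaN check now guards.
```javascript
function getExpiryDate(certFilePath) {
    // … unchanged: type assert and existsSync check …
    const result = safe.child_process.spawnSync('/usr/bin/openssl', [ 'x509', '-enddate', '-noout', '-in', certFilePath ]);
    if (!result || result.status !== 0) return null; // spawn failure or openssl error
    const notAfter = result.stdout.toString('utf8').trim().split('=')[1];
    const expiryDate = new Date(notAfter);
    if (Number.isNaN(expiryDate.getTime())) return null; // unparseable date, treat like an error so callers renew/skip
    debug(`expiryDate: ${certFilePath} notAfter=${notAfter}`);
    return expiryDate;
}
```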
@@ -417,12 +416,14 @@ function ensureCertificate(vhost, domain, auditSource, callback) {
getAcmeApi(domainObject, async function (error, acmeApi, apiOptions) {
if (error) return callback(error);
let notAfter = null;
const [, currentBundle] = await safe(checkAcmeCertificate(vhost, domainObject));
if (currentBundle) {
debug(`ensureCertificate: ${vhost} certificate already exists at ${currentBundle.keyFilePath}`);
if (!isExpiringSync(currentBundle.certFilePath, 24 * 30) && providerMatchesSync(domainObject, currentBundle.certFilePath, apiOptions)) return callback(null, currentBundle, { renewed: false });
notAfter = getExpiryDate(currentBundle.certFilePath);
const isExpiring = (notAfter - new Date()) <= (60 * 60 * 24 * 30 * 1000); // expiring in a month
if (!isExpiring && providerMatchesSync(domainObject, currentBundle.certFilePath, apiOptions)) return callback(null, currentBundle, { renewed: false });
debug(`ensureCertificate: ${vhost} cert requires renewal`);
} else {
debug(`ensureCertificate: ${vhost} cert does not exist`);
@@ -434,9 +435,9 @@ function ensureCertificate(vhost, domain, auditSource, callback) {
acmeApi.getCertificate(vhost, domain, acmePaths, apiOptions, async function (error) {
debug(`ensureCertificate: error: ${error ? error.message : 'null'} cert: ${acmePaths.certFilePath || 'null'}`);
eventlog.add(currentBundle ? eventlog.ACTION_CERTIFICATE_RENEWAL : eventlog.ACTION_CERTIFICATE_NEW, auditSource, { domain: vhost, errorMessage: error ? error.message : '' });
eventlog.add(currentBundle ? eventlog.ACTION_CERTIFICATE_RENEWAL : eventlog.ACTION_CERTIFICATE_NEW, auditSource, { domain: vhost, errorMessage: error ? error.message : '', notAfter });
if (error && currentBundle && !isExpiringSync(currentBundle.certFilePath, 0)) {
if (error && currentBundle && (notAfter - new Date() > 0)) { // still some life left in this certificate
debug('ensureCertificate: continue using existing bundle since renewal failed');
return callback(null, currentBundle, { renewed: false });
}
@@ -749,10 +750,14 @@ function renewCerts(options, auditSource, progressCallback, callback) {
async function cleanupCerts() {
const filenames = await fs.promises.readdir(paths.NGINX_CERT_DIR);
const certFilenames = filenames.filter(f => f.endsWith('.cert'));
const now = new Date();
for (const certFilename of certFilenames) {
const certFilePath = path.join(paths.NGINX_CERT_DIR, certFilename);
if (isExpiringSync(certFilePath, - 24 * 30 * 6)) { // expired 6 months ago
const notAfter = getExpiryDate(certFilePath);
if (!notAfter) continue; // some error
if (now - notAfter >= (60 * 60 * 24 * 30 * 6 * 1000)) { // expired 6 months ago
const fqdn = certFilename.replace(/\.cert$/, '');
debug(`cleanupCerts: deleting certs of ${fqdn}`);