Commit fc928e0b authored by Matthew Holt's avatar Matthew Holt

letsencrypt: Couple minor refactors/fixes

parent 93b30137
// Package caddy implements the Caddy web server as a service. // Package caddy implements the Caddy web server as a service
// in your own Go programs.
// //
// To use this package, follow a few simple steps: // To use this package, follow a few simple steps:
// //
......
...@@ -72,7 +72,11 @@ func Activate(configs []server.Config) ([]server.Config, error) { ...@@ -72,7 +72,11 @@ func Activate(configs []server.Config) ([]server.Config, error) {
// set up redirects // set up redirects
configs = MakePlaintextRedirects(configs) configs = MakePlaintextRedirects(configs)
// renew all relevant certificates that need renewal; TODO: handle errors // renew all relevant certificates that need renewal. this is important
// to do right away for a couple reasons, mainly because each restart,
// the renewal ticker is reset, so if restarts happen more often than
// the ticker interval, renewals would never happen. but doing
// it right away at start guarantees that renewals aren't missed.
renewCertificates(configs, false) renewCertificates(configs, false)
// keep certificates renewed and OCSP stapling updated // keep certificates renewed and OCSP stapling updated
...@@ -127,7 +131,7 @@ func ObtainCerts(configs []server.Config, optPort string) error { ...@@ -127,7 +131,7 @@ func ObtainCerts(configs []server.Config, optPort string) error {
} }
Obtain: Obtain:
certificate, failures := client.ObtainCertificate([]string{cfg.Host}, true) certificate, failures := client.ObtainCertificate([]string{cfg.Host}, true, nil)
if len(failures) == 0 { if len(failures) == 0 {
// Success - immediately save the certificate resource // Success - immediately save the certificate resource
err := saveCertResource(certificate) err := saveCertResource(certificate)
...@@ -289,11 +293,9 @@ func HostQualifies(hostname string) bool { ...@@ -289,11 +293,9 @@ func HostQualifies(hostname string) bool {
strings.TrimSpace(hostname) != "" && strings.TrimSpace(hostname) != "" &&
net.ParseIP(hostname) == nil && // cannot be an IP address, see: https://community.letsencrypt.org/t/certificate-for-static-ip/84/2?u=mholt net.ParseIP(hostname) == nil && // cannot be an IP address, see: https://community.letsencrypt.org/t/certificate-for-static-ip/84/2?u=mholt
// TODO: net.ParseIP also catches the two variants without brackets // These special cases can sneak through if specified with -host and with empty/no Caddyfile
hostname != "[::]" && // before parsing hostname != "[::]" &&
hostname != "::" && // after parsing hostname != "[::1]"
hostname != "[::1]" && // before parsing
hostname != "::1" // after parsing
} }
// existingCertAndKey returns true if the host has a certificate // existingCertAndKey returns true if the host has a certificate
...@@ -335,8 +337,8 @@ func newClientPort(leEmail, port string) (*acme.Client, error) { ...@@ -335,8 +337,8 @@ func newClientPort(leEmail, port string) (*acme.Client, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
client.SetHTTPPort(port) client.SetHTTPAddress(":" + port)
client.SetTLSPort(port) client.SetTLSAddress(":" + port)
client.ExcludeChallenges([]string{"tls-sni-01", "dns-01"}) // We can only guarantee http-01 at this time client.ExcludeChallenges([]string{"tls-sni-01", "dns-01"}) // We can only guarantee http-01 at this time
// If not registered, the user must register an account with the CA // If not registered, the user must register an account with the CA
......
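Review bot: The errors returned by `renewCertificates(configs, false)` in the Activate hunk are still discarded — the function returns `(int, []error)` per the signature in the later hunk — so a renewal that fails at startup leaves no trace in the log, even though the new comment argues that this startup renewal is what guarantees renewals aren't missed; the old `TODO: handle errors` was dropped from the comment without the handling being added. Logging each returned error keeps startup non-fatal while making a failed renewal visible before the certificate expires; this assumes `log` is imported in this file, which the hunk does not show. Activate begins outside the hunk.
```go
	// … unchanged: MakePlaintextRedirects …
	_, errs := renewCertificates(configs, false)
	for _, err := range errs {
		log.Printf("[ERROR] Startup certificate renewal: %v", err)
	}
```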
...@@ -49,7 +49,7 @@ func maintainAssets(configs []server.Config, stopChan chan struct{}) { ...@@ -49,7 +49,7 @@ func maintainAssets(configs []server.Config, stopChan chan struct{}) {
case <-ocspTicker.C: case <-ocspTicker.C:
for bundle, oldResp := range ocspCache { for bundle, oldResp := range ocspCache {
// start checking OCSP staple about halfway through validity period for good measure // start checking OCSP staple about halfway through validity period for good measure
refreshTime := oldResp.ThisUpdate.Add(oldResp.NextUpdate.Sub(oldResp.ThisUpdate) / 10) refreshTime := oldResp.ThisUpdate.Add(oldResp.NextUpdate.Sub(oldResp.ThisUpdate) / 2)
if time.Now().After(refreshTime) { if time.Now().After(refreshTime) {
_, newResp, err := acme.GetOCSPForCert(*bundle) _, newResp, err := acme.GetOCSPForCert(*bundle)
if err != nil { if err != nil {
...@@ -112,8 +112,8 @@ func renewCertificates(configs []server.Config, useCustomPort bool) (int, []erro ...@@ -112,8 +112,8 @@ func renewCertificates(configs []server.Config, useCustomPort bool) (int, []erro
// Directly convert it to days for the following checks. // Directly convert it to days for the following checks.
daysLeft := int(expTime.Sub(time.Now().UTC()).Hours() / 24) daysLeft := int(expTime.Sub(time.Now().UTC()).Hours() / 24)
// Renew with two weeks or less remaining. // Renew if getting close to expiration.
if daysLeft <= 14 { if daysLeft <= renewDaysBefore {
log.Printf("[INFO] Certificate for %s has %d days remaining; attempting renewal", cfg.Host, daysLeft) log.Printf("[INFO] Certificate for %s has %d days remaining; attempting renewal", cfg.Host, daysLeft)
var client *acme.Client var client *acme.Client
if useCustomPort { if useCustomPort {
...@@ -164,11 +164,13 @@ func renewCertificates(configs []server.Config, useCustomPort bool) (int, []erro ...@@ -164,11 +164,13 @@ func renewCertificates(configs []server.Config, useCustomPort bool) (int, []erro
saveCertResource(newCertMeta) saveCertResource(newCertMeta)
n++ n++
} else if daysLeft <= 21 { } else if daysLeft <= renewDaysBefore+7 && daysLeft >= renewDaysBefore+6 {
// Warn on 21 days remaining. TODO: Just do this once... log.Printf("[WARNING] Certificate for %s has %d days remaining; will automatically renew when %d days remain\n", cfg.Host, daysLeft, renewDaysBefore)
log.Printf("[WARNING] Certificate for %s has %d days remaining; will automatically renew when 14 days remain\n", cfg.Host, daysLeft)
} }
} }
return n, errs return n, errs
} }
// renewDaysBefore is how many days before expiration to renew certificates.
const renewDaysBefore = 14
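Review bot: The warning branch `} else if daysLeft <= renewDaysBefore+7 && daysLeft >= renewDaysBefore+6 {` does not achieve the "just do this once" that the removed TODO asked for: it fires on every tick that lands while daysLeft is 20 or 21, and never fires at all if the ticker period is longer than that two-day band. How often it actually repeats depends on the ticker interval set in maintainAssets, which is outside this hunk. A comment should at least state the assumption, e.g. `// Warn while in the two-day band just before the renewal window; this repeats on each tick that lands in it and relies on the ticker firing at least once a day.`, and a per-host "already warned" set, cleared when renewal succeeds, would make it fire exactly once independent of the ticker. renewCertificates begins outside the hunk.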