greenlock-cluster.js/lib/sni-callback.js

85 lines
1.8 KiB
JavaScript
Raw Normal View History

2016-08-10 08:45:12 +00:00
'use strict';
2016-08-10 08:49:57 +00:00
// opts = { renewWithin, renew, register, httpsOptions }
2016-08-10 08:45:12 +00:00
module.exports.create = function (opts) {
var tls = require('tls');
2016-08-10 08:49:57 +00:00
2016-08-10 08:45:12 +00:00
var snicb = {
2016-08-10 08:49:57 +00:00
2016-08-10 08:45:12 +00:00
// in-process cache
_ipc: {}
2016-08-10 08:49:57 +00:00
// just to account for clock skew
, _fiveMin: 5 * 60 * 1000
// cache and format incoming certs
2016-08-10 08:45:12 +00:00
, cacheCerts: function (certs) {
certs.altnames.forEach(function (domain) {
snicb._ipc[domain] = { subject: certs.subject };
});
snicb._ipc[certs.subject] = certs;
certs.tlsContext = tls.createSecureContext({
key: certs.privkey
, cert: certs.cert + certs.chain
, rejectUnauthorized: opts.httpsOptions.rejectUnauthorized
, requestCert: opts.httpsOptions.requestCert // request peer verification
, ca: opts.httpsOptions.ca // this chain is for incoming peer connctions
, crl: opts.httpsOptions.crl // this crl is for incoming peer connections
});
return certs;
}
2016-08-10 08:49:57 +00:00
// automate certificate registration on request
2016-08-10 08:45:12 +00:00
, sniCallback: function (domain, cb) {
var certs = snicb._ipc[domain];
var promise;
var now = Date.now();
if (certs && certs.subject !== domain) {
certs = snicb._ipc[domain];
}
// err just barely on the side of safety
if (!certs) {
promise = opts.register(domain);
}
2016-08-10 08:49:57 +00:00
else if (now >= (certs.expiresAt - snicb._fiveMin)) {
2016-08-10 08:45:12 +00:00
promise = opts.renew(domain, certs);
}
else {
if (now >= (certs.expiresAt - opts.renewWithin)) {
// in background
2016-08-10 08:49:57 +00:00
opts.renew(domain, certs).then(snicb.cacheCerts);
2016-08-10 08:45:12 +00:00
}
cb(null, certs);
return;
}
promise.then(snicb.cacheCerts).then(function (certs) {
cb(null, certs.tlsContext);
}, cb);
}
2016-08-10 08:49:57 +00:00
2016-08-10 08:45:12 +00:00
};
return snicb;
};