le-sni-auto.js/README.md

le-sni-auto
===========

| Sponsored by [ppl](https://ppl.family)

An auto-sni strategy for registering and renewing letsencrypt certificates using SNICallback.

This does a couple of rather simple things:

  * caches certificates in memory
  * calls `getCertificatesAsync(domain, null)` when a certificate is not in memory
  * calls `getCertificatesASync(domain, certs)` when a certificate is up for renewal or expired

Install
=======

```bash
npm install --save le-sni-auto@2.x
```

Usage
=====

With node-letsencrypt
---------------------

```javascript
'use strict';


var leSni = require('le-sni-auto').create({

  renewWithin: 14 * 24 * 60 * 60 1000     // do not renew more than 14 days before expiration
, renewBy: 10 * 24 * 60 * 60 1000         // do not wait more than 10 days before expiration

, tlsOptions: {
    rejectUnauthorized: true              // These options will be used with tls.createSecureContext()
  , requestCert: false                    // in addition to key (privkey.pem) and cert (cert.pem + chain.pem),
  , ca: null                              // which are provided by letsencrypt
  , crl: null
  }

});


var le = require('letsencrypt').create({
  server: 'staging'

, sni: leSni

, approveDomains: function (domain, cb) {
    // here you would lookup details such as email address in your db
    cb(null, { email: 'john.doe@gmail.com.', domains: [domain, 'www.' + domain], agreeTos: true }}
  }
});


var redirectHttps = require('redirect-https').create();
http.createServer(le.middleware(redirectHttps));


var app = require('express')();
https.createServer(le.tlsOptions, le.middleware(app)).listen(443);
```

You can also provide a thunk-style `getCertificates(domain, certs, cb)`.

Standalone
----------

```javascript
'use strict';


var leSni = require('le-sni-auto').create({
  renewWithin: 14 * 24 * 60 * 60 1000       // do not renew prior to 10 days before expiration
, renewBy: 10 * 24 * 60 * 60 1000         // do not wait more than 5 days before expiration

  // key (privkey.pem) and cert (cert.pem + chain.pem) will be provided by letsencrypt
, tlsOptions: { rejectUnauthorized: true, requestCert: false, ca: null, crl: null }

, getCertificatesAsync: function (domain, certs) {
    // return a promise with an object with the following keys:
    // { privkey, cert, chain, expiresAt, issuedAt, subject, altnames }
  }
});


var tlsOptions = {
  SNICallback: leSni.sniCallback
};

https.createServer(tlsOptions, app);
```

You can also provide a thunk-style `getCertificates(domain, certs, cb)`.

API
===

* create(options)
  * `getCertificates(domain, certs, cb)` or `getCertificatesAsync(domain, certs)`
  * `renewWithin` (default 7 days, min 3 days)
  * `renewBy` (default 2 days, min 12 hours)
* `sniCallback(domain, cb)`
* `cacheCerts(certs)`
* `uncacheDomain(domain)`

.renewWithin
-----------

Specifies the maximum amount of time (in ms) before
the certificate expires to renew it.

Say the cert expires in 90 days and you would like
to renew, **at earliest** 10 days before it expires.

You would set this to `10 * 24 * 60 * 60 * 1000`.

.renewBy
--------

Specifies the maximum amount of time (in ms) before
the certificate expires to renew it.

Say the cert expires in 90 days and you would like
to renew, **at latest** 10 days before it expires.

You would set this to `10 * 24 * 60 * 60 * 1000`.

**MUST** be **less than** `renewWithin`.

.sniCallback()
-----------

This gets passed to `https.createServer(tlsOptions, app)` as `tlsOptions.SNICallback`.

```javascript
var leSni = require('le-sni-auto').create({
  renewWithin: 14 * 24 * 60 * 60 1000
});

var tlsOptions = {
  SNICallback: leSni.sniCallback
};

function app(req, res) {
  res.end("Hello, World!");
}

https.createServer(tlsOptions, app);
```

.cacheCerts()
-----------

Manually load a certificate into the cache.

This is useful in a cluster environment where the master
may wish to inform multiple workers of a new or renewed certificate,
or to satisfy tls-sni-01 challenges.

```
leSni.cacheCerts({
, privkey: '<<privkey.pem>>'
, cert: '<<cert.pem + chain.pem>>'
, subject: 'example.com'
, altnames: [ 'example.com', 'www.example.com' ]
, issuedAt: 1470975565000
, expiresAt: 1478751565000
, auto: true
});
```

.uncacheCerts()
-----------

Remove cached certificates from the cache.

This is useful once a tls-sni-01 challenge has been satisfied.

```
leSni.uncacheCerts({
, subject: 'example.com'
, altnames: [ 'example.com', 'www.example.com' ]
});
```
initial commit 2016-08-11 00:37:03 +00:00			`le-sni-auto`
			`===========`

v2.1.2 2018-04-19 19:18:40 +00:00			`\| Sponsored by [ppl](https://ppl.family)`

initial commit 2016-08-11 00:37:03 +00:00			`An auto-sni strategy for registering and renewing letsencrypt certificates using SNICallback.`

			`This does a couple of rather simple things:`

			`* caches certificates in memory`
			* calls `getCertificatesAsync(domain, null)` when a certificate is not in memory
			* calls `getCertificatesASync(domain, certs)` when a certificate is up for renewal or expired

			`Install`
			`=======`

			```bash
			`npm install --save le-sni-auto@2.x`
			```

			`Usage`
			`=====`

			`With node-letsencrypt`
			`---------------------`

			```javascript
			`'use strict';`



			`var leSni = require('le-sni-auto').create({`

update docs with new within/by defaults 2018-04-19 19:36:34 +00:00			`renewWithin: 14 * 24 * 60 * 60 1000 // do not renew more than 14 days before expiration`
			`, renewBy: 10 * 24 * 60 * 60 1000 // do not wait more than 10 days before expiration`
initial commit 2016-08-11 00:37:03 +00:00
update README and code 2016-08-12 05:59:19 +00:00			`, tlsOptions: {`
initial commit 2016-08-11 00:37:03 +00:00			`rejectUnauthorized: true // These options will be used with tls.createSecureContext()`
			`, requestCert: false // in addition to key (privkey.pem) and cert (cert.pem + chain.pem),`
			`, ca: null // which are provided by letsencrypt`
			`, crl: null`
			`}`

			`});`



			`var le = require('letsencrypt').create({`
			`server: 'staging'`

			`, sni: leSni`

			`, approveDomains: function (domain, cb) {`
			`// here you would lookup details such as email address in your db`
			`cb(null, { email: 'john.doe@gmail.com.', domains: [domain, 'www.' + domain], agreeTos: true }}`
			`}`
			`});`



update README and code 2016-08-12 05:59:19 +00:00			`var redirectHttps = require('redirect-https').create();`
			`http.createServer(le.middleware(redirectHttps));`
initial commit 2016-08-11 00:37:03 +00:00


update README and code 2016-08-12 05:59:19 +00:00			`var app = require('express')();`
v2.1.2 2018-04-19 19:18:40 +00:00			`https.createServer(le.tlsOptions, le.middleware(app)).listen(443);`
initial commit 2016-08-11 00:37:03 +00:00			```

			You can also provide a thunk-style `getCertificates(domain, certs, cb)`.

			`Standalone`
			`----------`

			```javascript
			`'use strict';`


update README and code 2016-08-12 05:59:19 +00:00
			`var leSni = require('le-sni-auto').create({`
update renewWithin defaults 2018-04-19 21:02:28 +00:00			`renewWithin: 14 * 24 * 60 * 60 1000 // do not renew prior to 10 days before expiration`
			`, renewBy: 10 * 24 * 60 * 60 1000 // do not wait more than 5 days before expiration`
initial commit 2016-08-11 00:37:03 +00:00
			`// key (privkey.pem) and cert (cert.pem + chain.pem) will be provided by letsencrypt`
update README and code 2016-08-12 05:59:19 +00:00			`, tlsOptions: { rejectUnauthorized: true, requestCert: false, ca: null, crl: null }`
initial commit 2016-08-11 00:37:03 +00:00
			`, getCertificatesAsync: function (domain, certs) {`
			`// return a promise with an object with the following keys:`
			`// { privkey, cert, chain, expiresAt, issuedAt, subject, altnames }`
			`}`
			`});`



remove unused package 2018-05-12 22:50:36 +00:00			`var tlsOptions = {`
update README and code 2016-08-12 05:59:19 +00:00			`SNICallback: leSni.sniCallback`
remove unused package 2018-05-12 22:50:36 +00:00			`};`
initial commit 2016-08-11 00:37:03 +00:00
v2.1.2 2018-04-19 19:18:40 +00:00			`https.createServer(tlsOptions, app);`
initial commit 2016-08-11 00:37:03 +00:00			```

			You can also provide a thunk-style `getCertificates(domain, certs, cb)`.
update README and code 2016-08-12 05:59:19 +00:00
			`API`
			`===`

			`* create(options)`
			* `getCertificates(domain, certs, cb)` or `getCertificatesAsync(domain, certs)`
			* `renewWithin` (default 7 days, min 3 days)
			* `renewBy` (default 2 days, min 12 hours)
			* `sniCallback(domain, cb)`
			* `cacheCerts(certs)`
support uncaching and non-automatic certificates This facilitates temporarily installing certificates to satisfy TLS SNI challenges. Promises are also shared to avoid simultaneously obtaining certificates when initially loading/registering one or after expiry. 2016-10-08 04:23:32 +00:00			* `uncacheDomain(domain)`
update README and code 2016-08-12 05:59:19 +00:00
			`.renewWithin`
			`-----------`

			`Specifies the maximum amount of time (in ms) before`
			`the certificate expires to renew it.`

			`Say the cert expires in 90 days and you would like`
			`to renew, at earliest 10 days before it expires.`

			You would set this to `10 * 24 * 60 * 60 * 1000`.

			`.renewBy`
			`--------`

			`Specifies the maximum amount of time (in ms) before`
			`the certificate expires to renew it.`

			`Say the cert expires in 90 days and you would like`
			`to renew, at latest 10 days before it expires.`

			You would set this to `10 * 24 * 60 * 60 * 1000`.

			MUST be less than `renewWithin`.

			`.sniCallback()`
			`-----------`

v2.1.2 2018-04-19 19:18:40 +00:00			This gets passed to `https.createServer(tlsOptions, app)` as `tlsOptions.SNICallback`.
update README and code 2016-08-12 05:59:19 +00:00
			```javascript
			`var leSni = require('le-sni-auto').create({`
update renewWithin defaults 2018-04-19 21:02:28 +00:00			`renewWithin: 14 * 24 * 60 * 60 1000`
update README and code 2016-08-12 05:59:19 +00:00			`});`

remove unused package 2018-05-12 22:50:36 +00:00			`var tlsOptions = {`
update README and code 2016-08-12 05:59:19 +00:00			`SNICallback: leSni.sniCallback`
remove unused package 2018-05-12 22:50:36 +00:00			`};`
update README and code 2016-08-12 05:59:19 +00:00
			`function app(req, res) {`
			`res.end("Hello, World!");`
			`}`

v2.1.2 2018-04-19 19:18:40 +00:00			`https.createServer(tlsOptions, app);`
update README and code 2016-08-12 05:59:19 +00:00			```

			`.cacheCerts()`
			`-----------`

			`Manually load a certificate into the cache.`

			`This is useful in a cluster environment where the master`
support uncaching and non-automatic certificates This facilitates temporarily installing certificates to satisfy TLS SNI challenges. Promises are also shared to avoid simultaneously obtaining certificates when initially loading/registering one or after expiry. 2016-10-08 04:23:32 +00:00			`may wish to inform multiple workers of a new or renewed certificate,`
			`or to satisfy tls-sni-01 challenges.`
update README and code 2016-08-12 05:59:19 +00:00
			```
			`leSni.cacheCerts({`
			`, privkey: '<<privkey.pem>>'`
			`, cert: '<<cert.pem + chain.pem>>'`
			`, subject: 'example.com'`
			`, altnames: [ 'example.com', 'www.example.com' ]`
			`, issuedAt: 1470975565000`
			`, expiresAt: 1478751565000`
support uncaching and non-automatic certificates This facilitates temporarily installing certificates to satisfy TLS SNI challenges. Promises are also shared to avoid simultaneously obtaining certificates when initially loading/registering one or after expiry. 2016-10-08 04:23:32 +00:00			`, auto: true`
update README and code 2016-08-12 05:59:19 +00:00			`});`
			```
support uncaching and non-automatic certificates This facilitates temporarily installing certificates to satisfy TLS SNI challenges. Promises are also shared to avoid simultaneously obtaining certificates when initially loading/registering one or after expiry. 2016-10-08 04:23:32 +00:00
			`.uncacheCerts()`
			`-----------`

			`Remove cached certificates from the cache.`

			`This is useful once a tls-sni-01 challenge has been satisfied.`

			```
			`leSni.uncacheCerts({`
			`, subject: 'example.com'`
			`, altnames: [ 'example.com', 'www.example.com' ]`
			`});`
			```