support uncaching and non-automatic certificates
This facilitates temporarily installing certificates to satisfy TLS SNI challenges. Promises are also shared to avoid simultaneously obtaining certificates when initially loading/registering one or after expiry.
This commit is contained in:
parent
ee67a5bc8b
commit
7f826369a6
20
README.md
20
README.md
|
@ -110,6 +110,7 @@ API
|
||||||
* `renewBy` (default 2 days, min 12 hours)
|
* `renewBy` (default 2 days, min 12 hours)
|
||||||
* `sniCallback(domain, cb)`
|
* `sniCallback(domain, cb)`
|
||||||
* `cacheCerts(certs)`
|
* `cacheCerts(certs)`
|
||||||
|
* `uncacheDomain(domain)`
|
||||||
|
|
||||||
.renewWithin
|
.renewWithin
|
||||||
-----------
|
-----------
|
||||||
|
@ -162,7 +163,8 @@ https.createServer(httpsOptions, app);
|
||||||
Manually load a certificate into the cache.
|
Manually load a certificate into the cache.
|
||||||
|
|
||||||
This is useful in a cluster environment where the master
|
This is useful in a cluster environment where the master
|
||||||
may wish to inform multiple workers of a new or renewed certificate.
|
may wish to inform multiple workers of a new or renewed certificate,
|
||||||
|
or to satisfy tls-sni-01 challenges.
|
||||||
|
|
||||||
```
|
```
|
||||||
leSni.cacheCerts({
|
leSni.cacheCerts({
|
||||||
|
@ -172,5 +174,21 @@ leSni.cacheCerts({
|
||||||
, altnames: [ 'example.com', 'www.example.com' ]
|
, altnames: [ 'example.com', 'www.example.com' ]
|
||||||
, issuedAt: 1470975565000
|
, issuedAt: 1470975565000
|
||||||
, expiresAt: 1478751565000
|
, expiresAt: 1478751565000
|
||||||
|
, auto: true
|
||||||
});
|
});
|
||||||
```
|
```
|
||||||
|
|
||||||
|
.uncacheCerts()
|
||||||
|
-----------
|
||||||
|
|
||||||
|
Remove cached certificates from the cache.
|
||||||
|
|
||||||
|
This is useful once a tls-sni-01 challenge has been satisfied.
|
||||||
|
|
||||||
|
```
|
||||||
|
leSni.uncacheCerts({
|
||||||
|
, subject: 'example.com'
|
||||||
|
, altnames: [ 'example.com', 'www.example.com' ]
|
||||||
|
});
|
||||||
|
```
|
||||||
|
|
||||||
|
|
32
index.js
32
index.js
|
@ -21,7 +21,7 @@ module.exports.create = function (autoSni) {
|
||||||
if (autoSni.renewWithin < defaults._renewWithinMin) {
|
if (autoSni.renewWithin < defaults._renewWithinMin) {
|
||||||
throw new Error("options.renewWithin should be at least 3 days");
|
throw new Error("options.renewWithin should be at least 3 days");
|
||||||
}
|
}
|
||||||
if (!autoSni.renewBy) { autoSni.renewBy = autoSni.notBefore || defaults.renewBy; }
|
if (!autoSni.renewBy) { autoSni.renewBy = autoSni.notAfter || defaults.renewBy; }
|
||||||
if (autoSni.renewBy < defaults._renewByMin) {
|
if (autoSni.renewBy < defaults._renewByMin) {
|
||||||
throw new Error("options.renewBy should be at least 12 hours");
|
throw new Error("options.renewBy should be at least 12 hours");
|
||||||
}
|
}
|
||||||
|
@ -72,6 +72,7 @@ module.exports.create = function (autoSni) {
|
||||||
}) || { '_fake_tls_context_': true }
|
}) || { '_fake_tls_context_': true }
|
||||||
|
|
||||||
, subject: certs.subject
|
, subject: certs.subject
|
||||||
|
, auto: 'undefined' === typeof certs.auto ? true : certs.auto
|
||||||
// stagger renewal time by a little bit of randomness
|
// stagger renewal time by a little bit of randomness
|
||||||
, renewAt: (certs.expiresAt - (autoSni.renewWithin - (autoSni._renewWindow * Math.random())))
|
, renewAt: (certs.expiresAt - (autoSni.renewWithin - (autoSni._renewWindow * Math.random())))
|
||||||
// err just barely on the side of safety
|
// err just barely on the side of safety
|
||||||
|
@ -90,13 +91,23 @@ module.exports.create = function (autoSni) {
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
, uncacheCerts: function (certs) {
|
||||||
|
certs.altnames.forEach(function (domain) {
|
||||||
|
delete autoSni._ipc[domain];
|
||||||
|
});
|
||||||
|
delete autoSni._ipc[certs.subject];
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
// automate certificate registration on request
|
// automate certificate registration on request
|
||||||
, sniCallback: function (domain, cb) {
|
, sniCallback: function (domain, cb) {
|
||||||
var certMeta = autoSni._ipc[domain];
|
var certMeta = autoSni._ipc[domain];
|
||||||
var promise;
|
var promise;
|
||||||
var now = (autoSni._dbg_now || Date.now());
|
var now = (autoSni._dbg_now || Date.now());
|
||||||
|
|
||||||
if (certMeta && certMeta.subject !== domain) {
|
if (certMeta && !certMeta.then && certMeta.subject !== domain) {
|
||||||
//log(autoSni.debug, "LINK CERT", domain);
|
//log(autoSni.debug, "LINK CERT", domain);
|
||||||
certMeta = autoSni._ipc[certMeta.subject];
|
certMeta = autoSni._ipc[certMeta.subject];
|
||||||
}
|
}
|
||||||
|
@ -104,16 +115,23 @@ module.exports.create = function (autoSni) {
|
||||||
if (!certMeta) {
|
if (!certMeta) {
|
||||||
//log(autoSni.debug, "NO CERT", domain);
|
//log(autoSni.debug, "NO CERT", domain);
|
||||||
// we don't have a cert and must get one
|
// we don't have a cert and must get one
|
||||||
promise = autoSni.getCertificatesAsync(domain, null);
|
promise = autoSni.getCertificatesAsync(domain, null).then(autoSni.cacheCerts);
|
||||||
|
autoSni._ipc[domain] = promise;
|
||||||
|
}
|
||||||
|
else if (certMeta.then) {
|
||||||
|
//log(autoSni.debug, "PROMISED CERT", domain);
|
||||||
|
// we are already getting a cert
|
||||||
|
promise = certMeta
|
||||||
}
|
}
|
||||||
else if (now >= certMeta.expiresNear) {
|
else if (now >= certMeta.expiresNear) {
|
||||||
//log(autoSni.debug, "EXPIRED CERT");
|
//log(autoSni.debug, "EXPIRED CERT");
|
||||||
// we have a cert, but it's no good for the average user
|
// we have a cert, but it's no good for the average user
|
||||||
promise = autoSni.getCertificatesAsync(domain, certMeta.certs);
|
promise = autoSni.getCertificatesAsync(domain, certMeta.certs).then(autoSni.cacheCerts);
|
||||||
|
autoSni._ipc[certMeta.subject] = promise;
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
// it's time to renew the cert
|
// it's time to renew the cert
|
||||||
if (now >= certMeta.renewAt) {
|
if (certMeta.auto && now >= certMeta.renewAt) {
|
||||||
//log(autoSni.debug, "RENEWABLE CERT");
|
//log(autoSni.debug, "RENEWABLE CERT");
|
||||||
// give the cert some time (2-5 min) to be validated and replaced before trying again
|
// give the cert some time (2-5 min) to be validated and replaced before trying again
|
||||||
certMeta.renewAt = (autoSni._dbg_now || Date.now()) + (2 * MIN) + (3 * MIN * Math.random());
|
certMeta.renewAt = (autoSni._dbg_now || Date.now()) + (2 * MIN) + (3 * MIN * Math.random());
|
||||||
|
@ -127,12 +145,14 @@ module.exports.create = function (autoSni) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// promise the non-existent or expired cert
|
// promise the non-existent or expired cert
|
||||||
promise.then(autoSni.cacheCerts).then(function (certMeta) {
|
promise.then(function (certMeta) {
|
||||||
cb(null, certMeta.tlsContext);
|
cb(null, certMeta.tlsContext);
|
||||||
}, function (err) {
|
}, function (err) {
|
||||||
console.error('ERROR in le-sni-auto:');
|
console.error('ERROR in le-sni-auto:');
|
||||||
console.error(err.stack || err);
|
console.error(err.stack || err);
|
||||||
cb(err);
|
cb(err);
|
||||||
|
// don't reuse this promise
|
||||||
|
delete autoSni._ipc[certMeta && certMeta.subject ? certMeta.subject : domain];
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
103
test.js
103
test.js
|
@ -17,13 +17,19 @@ var CERT_2 = {
|
||||||
, subject: 'example.com'
|
, subject: 'example.com'
|
||||||
, altnames: ['example.com', 'www.example.com']
|
, altnames: ['example.com', 'www.example.com']
|
||||||
};
|
};
|
||||||
|
var CERT_3 = {
|
||||||
|
expiresAt: EXPIRES_AT
|
||||||
|
, subject: 'example.com'
|
||||||
|
, altnames: ['example.com', 'www.example.com']
|
||||||
|
, auto: false
|
||||||
|
};
|
||||||
|
|
||||||
var count = 0;
|
var count = 0;
|
||||||
var expectedCount = 3;
|
var expectedCount = 4;
|
||||||
var tests = [
|
var tests = [
|
||||||
function (domain, certs, cb) {
|
function (domain, certs, cb) {
|
||||||
count += 1;
|
count += 1;
|
||||||
console.log('#1 is 1 of 3');
|
console.log('#1 is 1 of 4');
|
||||||
if (!domain) {
|
if (!domain) {
|
||||||
throw new Error("should have a domain");
|
throw new Error("should have a domain");
|
||||||
}
|
}
|
||||||
|
@ -42,7 +48,7 @@ var tests = [
|
||||||
}
|
}
|
||||||
, function (domain, certs, cb) {
|
, function (domain, certs, cb) {
|
||||||
count += 1;
|
count += 1;
|
||||||
console.log('#3 is 2 of 3');
|
console.log('#3 is 2 of 4');
|
||||||
// NOTE: there's a very very small chance this will fail occasionally (if Math.random() < 0.01)
|
// NOTE: there's a very very small chance this will fail occasionally (if Math.random() < 0.01)
|
||||||
if (!certs) {
|
if (!certs) {
|
||||||
throw new Error("should have certs to renew (renewAt)");
|
throw new Error("should have certs to renew (renewAt)");
|
||||||
|
@ -52,7 +58,7 @@ var tests = [
|
||||||
}
|
}
|
||||||
, function (domain, certs, cb) {
|
, function (domain, certs, cb) {
|
||||||
count += 1;
|
count += 1;
|
||||||
console.log('#4 is 3 of 3');
|
console.log('#4 is 3 of 4');
|
||||||
if (!certs) {
|
if (!certs) {
|
||||||
throw new Error("should have certs to renew (expiresNear)");
|
throw new Error("should have certs to renew (expiresNear)");
|
||||||
}
|
}
|
||||||
|
@ -63,6 +69,19 @@ var tests = [
|
||||||
console.log('#5 should NOT be called');
|
console.log('#5 should NOT be called');
|
||||||
throw new Error("Should not call register renew a certificate with more than 10 days left");
|
throw new Error("Should not call register renew a certificate with more than 10 days left");
|
||||||
}
|
}
|
||||||
|
, function (domain, certs, cb) {
|
||||||
|
count += 1;
|
||||||
|
console.log('#6 is 4 of 4');
|
||||||
|
if (certs) {
|
||||||
|
throw new Error("should not have certs that have been uncached");
|
||||||
|
}
|
||||||
|
|
||||||
|
cb(null, CERT_3);
|
||||||
|
}
|
||||||
|
, function (/*domain, certs, cb*/) {
|
||||||
|
console.log('#7 should NOT be called');
|
||||||
|
throw new Error("Should not call register renew a non-auto certificate");
|
||||||
|
}
|
||||||
].map(function (fn) {
|
].map(function (fn) {
|
||||||
return require('bluebird').promisify(fn);
|
return require('bluebird').promisify(fn);
|
||||||
});
|
});
|
||||||
|
@ -75,10 +94,16 @@ var leSni = require('./').create({
|
||||||
, _dbg_now: START_DAY
|
, _dbg_now: START_DAY
|
||||||
});
|
});
|
||||||
|
|
||||||
|
var shared = 0;
|
||||||
|
var expectedShared = 3;
|
||||||
|
leSni.sniCallback('example.com', function (err, tlsContext) {
|
||||||
|
if (err) { throw err; }
|
||||||
|
shared += 1;
|
||||||
|
});
|
||||||
leSni.sniCallback('example.com', function (err, tlsContext) {
|
leSni.sniCallback('example.com', function (err, tlsContext) {
|
||||||
if (err) { throw err; }
|
if (err) { throw err; }
|
||||||
if (!tlsContext._fake_tls_context_) {
|
if (!tlsContext._fake_tls_context_) {
|
||||||
throw new Error("Did not return tlsContext 0");
|
throw new Error("Did not return tlsContext #1");
|
||||||
}
|
}
|
||||||
leSni.getCertificatesAsync = tests.shift();
|
leSni.getCertificatesAsync = tests.shift();
|
||||||
|
|
||||||
|
@ -88,7 +113,7 @@ leSni.sniCallback('example.com', function (err, tlsContext) {
|
||||||
leSni.sniCallback('example.com', function (err, tlsContext) {
|
leSni.sniCallback('example.com', function (err, tlsContext) {
|
||||||
if (err) { throw err; }
|
if (err) { throw err; }
|
||||||
if (!tlsContext._fake_tls_context_) {
|
if (!tlsContext._fake_tls_context_) {
|
||||||
throw new Error("Did not return tlsContext 1");
|
throw new Error("Did not return tlsContext #2");
|
||||||
}
|
}
|
||||||
leSni.getCertificatesAsync = tests.shift();
|
leSni.getCertificatesAsync = tests.shift();
|
||||||
|
|
||||||
|
@ -97,10 +122,14 @@ leSni.sniCallback('example.com', function (err, tlsContext) {
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
leSni.sniCallback('www.example.com', function (err, tlsContext) {
|
||||||
|
if (err) { throw err; }
|
||||||
|
shared += 1;
|
||||||
|
});
|
||||||
leSni.sniCallback('example.com', function (err, tlsContext) {
|
leSni.sniCallback('example.com', function (err, tlsContext) {
|
||||||
if (err) { throw err; }
|
if (err) { throw err; }
|
||||||
if (!tlsContext._fake_tls_context_) {
|
if (!tlsContext._fake_tls_context_) {
|
||||||
throw new Error("Did not return tlsContext 2");
|
throw new Error("Did not return tlsContext #3");
|
||||||
}
|
}
|
||||||
leSni.getCertificatesAsync = tests.shift();
|
leSni.getCertificatesAsync = tests.shift();
|
||||||
|
|
||||||
|
@ -109,33 +138,67 @@ leSni.sniCallback('example.com', function (err, tlsContext) {
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
leSni.sniCallback('example.com', function (err, tlsContext) {
|
leSni.sniCallback('www.example.com', function (err, tlsContext) {
|
||||||
|
if (err) { throw err; }
|
||||||
|
shared += 1;
|
||||||
|
});
|
||||||
|
leSni.sniCallback('www.example.com', function (err, tlsContext) {
|
||||||
if (err) { throw err; }
|
if (err) { throw err; }
|
||||||
if (!tlsContext._fake_tls_context_) {
|
if (!tlsContext._fake_tls_context_) {
|
||||||
throw new Error("Did not return tlsContext 2");
|
throw new Error("Did not return tlsContext #4");
|
||||||
}
|
}
|
||||||
leSni.getCertificatesAsync = tests.shift();
|
leSni.getCertificatesAsync = tests.shift();
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
leSni.sniCallback('example.com', function (err, tlsContext) {
|
leSni.sniCallback('www.example.com', function (err, tlsContext) {
|
||||||
if (err) { throw err; }
|
if (err) { throw err; }
|
||||||
if (!tlsContext._fake_tls_context_) {
|
if (!tlsContext._fake_tls_context_) {
|
||||||
throw new Error("Did not return tlsContext 2");
|
throw new Error("Did not return tlsContext #5");
|
||||||
}
|
}
|
||||||
|
leSni.uncacheCerts({
|
||||||
|
subject: 'example.com'
|
||||||
|
, altnames: ['example.com', 'www.example.com']
|
||||||
|
});
|
||||||
|
leSni.getCertificatesAsync = tests.shift();
|
||||||
|
|
||||||
if (expectedCount === count && !tests.length) {
|
|
||||||
console.log('PASS');
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
throw new Error("only " + count + " of the register getCertificate were called");
|
|
||||||
|
|
||||||
|
leSni.sniCallback('example.com', function (err, tlsContext) {
|
||||||
|
if (err) { throw err; }
|
||||||
|
if (!tlsContext._fake_tls_context_) {
|
||||||
|
throw new Error("Did not return tlsContext #6");
|
||||||
|
}
|
||||||
|
leSni.getCertificatesAsync = tests.shift();
|
||||||
|
|
||||||
|
leSni._dbg_now = RENEWABLE_DAY;
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
leSni.sniCallback('example.com', function (err, tlsContext) {
|
||||||
|
if (!tlsContext._fake_tls_context_) {
|
||||||
|
throw new Error("Did not return tlsContext #7");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (expectedCount !== count) {
|
||||||
|
throw new Error("getCertificate only called " + count + " times");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (expectedShared !== shared) {
|
||||||
|
throw new Error("wrongly used only " + shared + " shared promises");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (tests.length) {
|
||||||
|
throw new Error("some test functions not run");
|
||||||
|
}
|
||||||
|
|
||||||
|
console.log('PASS');
|
||||||
|
});
|
||||||
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
Loading…
Reference in New Issue