coolaj86/le-sni-auto.js
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: coolaj86:master
Branches Tags
coolaj86:master
coolaj86:v2.1.9
coolaj86:v2.1.8
coolaj86:v2.1.7
coolaj86:v2.1.6
coolaj86:v2.1.5
coolaj86:v2.1.4
coolaj86:v2.1.3
coolaj86:v2.1.2
coolaj86:v2.0.1
coolaj86:v2.0.0
..
compare: coolaj86:v2.0.1
Branches Tags
coolaj86:master
coolaj86:v2.1.9
coolaj86:v2.1.8
coolaj86:v2.1.7
coolaj86:v2.1.6
coolaj86:v2.1.5
coolaj86:v2.1.4
coolaj86:v2.1.3
coolaj86:v2.1.2
coolaj86:v2.0.1
coolaj86:v2.0.0

No commits in common. "master" and "v2.0.1" have entirely different histories.
master ... v2.0.1

5 changed files with 61 additions and 178 deletions
Show Stats Expand all files Collapse all files

52
README.md
View File

@ -1,8 +1,6 @@
le-sni-auto
===========
| Sponsored by [ppl](https://ppl.family)
An auto-sni strategy for registering and renewing letsencrypt certificates using SNICallback.
This does a couple of rather simple things:
@ -31,8 +29,8 @@ With node-letsencrypt
var leSni = require('le-sni-auto').create({
renewWithin: 14 * 24 * 60 * 60 1000 // do not renew more than 14 days before expiration
, renewBy: 10 * 24 * 60 * 60 1000 // do not wait more than 10 days before expiration
renewWithin: 10 * 24 * 60 * 60 1000 // do not renew more than 10 days before expiration
, renewBy: 5 * 24 * 60 * 60 1000 // do not wait more than 5 days before expiration
, tlsOptions: {
rejectUnauthorized: true // These options will be used with tls.createSecureContext()
@ -64,7 +62,9 @@ http.createServer(le.middleware(redirectHttps));
var app = require('express')();
https.createServer(le.tlsOptions, le.middleware(app)).listen(443);
var httpsOptions = { SNICallback: le.sni.callback };
httpsOptions = require('localhost.daplie.com-certificates').merge(httpsOptions);
https.createServer(dummyCerts, le.middleware(app)).listen(443);
```
You can also provide a thunk-style `getCertificates(domain, certs, cb)`.
@ -78,8 +78,8 @@ Standalone
var leSni = require('le-sni-auto').create({
renewWithin: 14 * 24 * 60 * 60 1000 // do not renew prior to 10 days before expiration
, renewBy: 10 * 24 * 60 * 60 1000 // do not wait more than 5 days before expiration
renewWithin: 10 * 24 * 60 * 60 1000 // do not renew prior to 10 days before expiration
, renewBy: 5 * 24 * 60 * 60 1000 // do not wait more than 5 days before expiration
// key (privkey.pem) and cert (cert.pem + chain.pem) will be provided by letsencrypt
, tlsOptions: { rejectUnauthorized: true, requestCert: false, ca: null, crl: null }
@ -92,11 +92,13 @@ var leSni = require('le-sni-auto').create({
var tlsOptions = {
// some default certificates that work with localhost
// (because default certificates are required as a fallback)
var httpsOptions = require('localhost.daplie.com-certificates').merge({
SNICallback: leSni.sniCallback
};
});
https.createServer(tlsOptions, app);
https.createServer(httpsOptions, app);
```
You can also provide a thunk-style `getCertificates(domain, certs, cb)`.
@ -110,7 +112,6 @@ API
* `renewBy` (default 2 days, min 12 hours)
* `sniCallback(domain, cb)`
* `cacheCerts(certs)`
* `uncacheDomain(domain)`
.renewWithin
-----------
@ -139,22 +140,22 @@ You would set this to `10 * 24 * 60 * 60 * 1000`.
.sniCallback()
-----------
This gets passed to `https.createServer(tlsOptions, app)` as `tlsOptions.SNICallback`.
This gets passed to `https.createServer(httpsOptions, app)` as `httpsOptions.SNICallback`.
```javascript
var leSni = require('le-sni-auto').create({
renewWithin: 14 * 24 * 60 * 60 1000
renewWithin: 10 * 24 * 60 * 60 1000
});
var tlsOptions = {
var httpsOptions = require('localhost.daplie.com-certificates').merge({
SNICallback: leSni.sniCallback
};
});
function app(req, res) {
res.end("Hello, World!");
}
https.createServer(tlsOptions, app);
https.createServer(httpsOptions, app);
```
.cacheCerts()
@ -163,8 +164,7 @@ https.createServer(tlsOptions, app);
Manually load a certificate into the cache.
This is useful in a cluster environment where the master
may wish to inform multiple workers of a new or renewed certificate,
or to satisfy tls-sni-01 challenges.
may wish to inform multiple workers of a new or renewed certificate.
```
leSni.cacheCerts({
@ -174,21 +174,5 @@ leSni.cacheCerts({
, altnames: [ 'example.com', 'www.example.com' ]
, issuedAt: 1470975565000
, expiresAt: 1478751565000
, auto: true
});
```
.uncacheCerts()
-----------
Remove cached certificates from the cache.
This is useful once a tls-sni-01 challenge has been satisfied.
```
leSni.uncacheCerts({
, subject: 'example.com'
, altnames: [ 'example.com', 'www.example.com' ]
});
```

63
index.js
View File

@ -1,38 +1,29 @@
'use strict';
var DAY = 24 * 60 * 60 * 1000;
var HOUR = 60 * 60 * 1000;
var MIN = 60 * 1000;
var defaults = {
// don't renew before the renewWithin period
renewWithin: 30 * DAY
renewWithin: 7 * DAY
, _renewWithinMin: 3 * DAY
// renew before the renewBy period
, renewBy: 21 * DAY
, renewBy: 2 * DAY
, _renewByMin: Math.floor(DAY / 2)
// just to account for clock skew really
, _dropDead: 5 * MIN
};
var promisify = require('util').promisify;
if (!promisify) {
try {
promisify = require('bluebird').promisify;
} catch(e) {
console.error("You're running an older version of node that doesn't have 'promisify'. Please run 'npm install bluebird --save'.");
}
}
// autoSni = { renewWithin, renewBy, getCertificates, tlsOptions, _dbg_now }
module.exports.create = function (autoSni) {
if (!autoSni.getCertificatesAsync) { autoSni.getCertificatesAsync = promisify(autoSni.getCertificates); }
if (!autoSni.getCertificatesAsync) { autoSni.getCertificatesAsync = require('bluebird').promisify(autoSni.getCertificates); }
if (!autoSni.renewWithin) { autoSni.renewWithin = autoSni.notBefore || defaults.renewWithin; }
if (autoSni.renewWithin < defaults._renewWithinMin) {
throw new Error("options.renewWithin should be at least " + (defaults._renewWithinMin / DAY) + " days");
throw new Error("options.renewWithin should be at least 3 days");
}
if (!autoSni.renewBy) { autoSni.renewBy = autoSni.notAfter || defaults.renewBy; }
if (!autoSni.renewBy) { autoSni.renewBy = autoSni.notBefore || defaults.renewBy; }
if (autoSni.renewBy < defaults._renewByMin) {
throw new Error("options.renewBy should be at least " + (defaults._renewBy / HOUR) + " hours");
throw new Error("options.renewBy should be at least 12 hours");
}
if (!autoSni.tlsOptions) { autoSni.tlsOptions = autoSni.httpsOptions || {}; }
@ -72,8 +63,7 @@ module.exports.create = function (autoSni) {
certs: certs
, tlsContext: 'string' === typeof certs.cert && tls.createSecureContext({
key: certs.privkey
// backwards/forwards compat
, cert: (certs.cert||'').replace(/[\r\n]+$/, '') + '\r\n' + certs.chain
, cert: certs.cert + certs.chain
, rejectUnauthorized: autoSni.tlsOptions.rejectUnauthorized
, requestCert: autoSni.tlsOptions.requestCert // request peer verification
@ -82,7 +72,6 @@ module.exports.create = function (autoSni) {
}) || { '_fake_tls_context_': true }
, subject: certs.subject
, auto: 'undefined' === typeof certs.auto ? true : certs.auto
// stagger renewal time by a little bit of randomness
, renewAt: (certs.expiresAt - (autoSni.renewWithin - (autoSni._renewWindow * Math.random())))
// err just barely on the side of safety
@ -101,23 +90,13 @@ module.exports.create = function (autoSni) {
, uncacheCerts: function (certs) {
certs.altnames.forEach(function (domain) {
delete autoSni._ipc[domain];
});
delete autoSni._ipc[certs.subject];
}
// automate certificate registration on request
, sniCallback: function (domain, cb) {
var certMeta = autoSni._ipc[domain];
var promise;
var now = (autoSni._dbg_now || Date.now());
if (certMeta && !certMeta.then && certMeta.subject !== domain) {
if (certMeta && certMeta.subject !== domain) {
//log(autoSni.debug, "LINK CERT", domain);
certMeta = autoSni._ipc[certMeta.subject];
}
@ -125,31 +104,21 @@ module.exports.create = function (autoSni) {
if (!certMeta) {
//log(autoSni.debug, "NO CERT", domain);
// we don't have a cert and must get one
promise = autoSni.getCertificatesAsync(domain, null).then(autoSni.cacheCerts);
autoSni._ipc[domain] = promise;
}
else if (certMeta.then) {
//log(autoSni.debug, "PROMISED CERT", domain);
// we are already getting a cert
promise = certMeta;
promise = autoSni.getCertificatesAsync(domain, null);
}
else if (now >= certMeta.expiresNear) {
//log(autoSni.debug, "EXPIRED CERT");
// we have a cert, but it's no good for the average user
promise = autoSni.getCertificatesAsync(domain, certMeta.certs).then(autoSni.cacheCerts);
autoSni._ipc[certMeta.subject] = promise;
promise = autoSni.getCertificatesAsync(domain, certMeta.certs);
} else {
// it's time to renew the cert
if (certMeta.auto && now >= certMeta.renewAt) {
if (now >= certMeta.renewAt) {
//log(autoSni.debug, "RENEWABLE CERT");
// give the cert some time (2-5 min) to be validated and replaced before trying again
certMeta.renewAt = (autoSni._dbg_now || Date.now()) + (2 * MIN) + (3 * MIN * Math.random());
// let the update happen in the background
autoSni.getCertificatesAsync(domain, certMeta.certs).then(autoSni.cacheCerts, function (error) {
// console.error('ERROR in le-sni-auto:');
// console.error(err.stack || err);
})
autoSni.getCertificatesAsync(domain, certMeta.certs).then(autoSni.cacheCerts);
}
// return the valid cert right away
@ -158,14 +127,12 @@ module.exports.create = function (autoSni) {
}
// promise the non-existent or expired cert
promise.then(function (certMeta) {
promise.then(autoSni.cacheCerts).then(function (certMeta) {
cb(null, certMeta.tlsContext);
}, function (err) {
// console.error('ERROR in le-sni-auto:');
// console.error(err.stack || err);
console.error('ERROR in le-sni-auto:');
console.error(err.stack || err);
cb(err);
// don't reuse this promise
delete autoSni._ipc[certMeta && certMeta.subject ? certMeta.subject : domain];
});
}

5
package-lock.json generated
View File

@ -1,5 +0,0 @@
{
"name": "le-sni-auto",
"version": "2.1.9",
"lockfileVersion": 1
}

14
package.json
View File

@ -1,11 +1,10 @@
{
"name": "le-sni-auto",
"version": "2.1.9",
"version": "2.0.1",
"description": "An auto-sni strategy for registering and renewing letsencrypt certificates using SNICallback",
"homepage": "https://git.coolaj86.com/coolaj86/le-sni-auto.js",
"main": "index.js",
"trulyOptionalDependencies": {
"bluebird": "^3.5.1"
"dependencies": {
"bluebird": "^3.4.1"
},
"devDependencies": {},
"scripts": {
@ -13,7 +12,7 @@
},
"repository": {
"type": "git",
"url": "https://git.coolaj86.com/coolaj86/le-sni-auto.js.git"
"url": "git+https://github.com/Daplie/le-sni-auto.git"
},
"keywords": [
"le-sni",
@ -27,6 +26,7 @@
"author": "AJ ONeal <coolaj86@gmail.com> (https://coolaj86.com/)",
"license": "(MIT OR Apache-2.0)",
"bugs": {
"url": "https://git.coolaj86.com/coolaj86/le-sni-auto.js/issues"
}
"url": "https://github.com/Daplie/le-sni-auto/issues"
},
"homepage": "https://github.com/Daplie/le-sni-auto#readme"
}

105
test.js
View File

@ -17,19 +17,13 @@ var CERT_2 = {
, subject: 'example.com'
, altnames: ['example.com', 'www.example.com']
};
var CERT_3 = {
expiresAt: EXPIRES_AT
, subject: 'example.com'
, altnames: ['example.com', 'www.example.com']
, auto: false
};
var count = 0;
var expectedCount = 4;
var expectedCount = 3;
var tests = [
function (domain, certs, cb) {
count += 1;
console.log('#1 is 1 of 4');
console.log('#1 is 1 of 3');
if (!domain) {
throw new Error("should have a domain");
}
@ -48,7 +42,7 @@ var tests = [
}
, function (domain, certs, cb) {
count += 1;
console.log('#3 is 2 of 4');
console.log('#3 is 2 of 3');
// NOTE: there's a very very small chance this will fail occasionally (if Math.random() < 0.01)
if (!certs) {
throw new Error("should have certs to renew (renewAt)");
@ -58,7 +52,7 @@ var tests = [
}
, function (domain, certs, cb) {
count += 1;
console.log('#4 is 3 of 4');
console.log('#4 is 3 of 3');
if (!certs) {
throw new Error("should have certs to renew (expiresNear)");
}
@ -69,24 +63,11 @@ var tests = [
console.log('#5 should NOT be called');
throw new Error("Should not call register renew a certificate with more than 10 days left");
}
, function (domain, certs, cb) {
count += 1;
console.log('#6 is 4 of 4');
if (certs) {
throw new Error("should not have certs that have been uncached");
}
cb(null, CERT_3);
}
, function (/*domain, certs, cb*/) {
console.log('#7 should NOT be called');
throw new Error("Should not call register renew a non-auto certificate");
}
].map(function (fn) {
return require('bluebird').promisify(fn);
});
// opts = { notBefore, notAfter, letsencrypt.renew, letsencrypt.register, tlsOptions }
// opts = { notBefore, notAfter, letsencrypt.renew, letsencrypt.register, httpsOptions }
var leSni = require('./').create({
notBefore: NOT_BEFORE
, notAfter: NOT_AFTER
@ -94,16 +75,10 @@ var leSni = require('./').create({
, _dbg_now: START_DAY
});
var shared = 0;
var expectedShared = 3;
leSni.sniCallback('example.com', function (err, tlsContext) {
if (err) { throw err; }
shared += 1;
});
leSni.sniCallback('example.com', function (err, tlsContext) {
if (err) { throw err; }
if (!tlsContext._fake_tls_context_) {
throw new Error("Did not return tlsContext #1");
throw new Error("Did not return tlsContext 0");
}
leSni.getCertificatesAsync = tests.shift();
@ -113,7 +88,7 @@ leSni.sniCallback('example.com', function (err, tlsContext) {
leSni.sniCallback('example.com', function (err, tlsContext) {
if (err) { throw err; }
if (!tlsContext._fake_tls_context_) {
throw new Error("Did not return tlsContext #2");
throw new Error("Did not return tlsContext 1");
}
leSni.getCertificatesAsync = tests.shift();
@ -122,14 +97,10 @@ leSni.sniCallback('example.com', function (err, tlsContext) {
leSni.sniCallback('www.example.com', function (err, tlsContext) {
if (err) { throw err; }
shared += 1;
});
leSni.sniCallback('example.com', function (err, tlsContext) {
if (err) { throw err; }
if (!tlsContext._fake_tls_context_) {
throw new Error("Did not return tlsContext #3");
throw new Error("Did not return tlsContext 2");
}
leSni.getCertificatesAsync = tests.shift();
@ -138,67 +109,33 @@ leSni.sniCallback('example.com', function (err, tlsContext) {
leSni.sniCallback('www.example.com', function (err, tlsContext) {
if (err) { throw err; }
shared += 1;
});
leSni.sniCallback('www.example.com', function (err, tlsContext) {
leSni.sniCallback('example.com', function (err, tlsContext) {
if (err) { throw err; }
if (!tlsContext._fake_tls_context_) {
throw new Error("Did not return tlsContext #4");
throw new Error("Did not return tlsContext 2");
}
leSni.getCertificatesAsync = tests.shift();
leSni.sniCallback('www.example.com', function (err, tlsContext) {
leSni.sniCallback('example.com', function (err, tlsContext) {
if (err) { throw err; }
if (!tlsContext._fake_tls_context_) {
throw new Error("Did not return tlsContext #5");
throw new Error("Did not return tlsContext 2");
}
leSni.uncacheCerts({
subject: 'example.com'
, altnames: ['example.com', 'www.example.com']
});
leSni.getCertificatesAsync = tests.shift();
if (expectedCount === count && !tests.length) {
console.log('PASS');
return;
}
leSni.sniCallback('example.com', function (err, tlsContext) {
if (err) { throw err; }
if (!tlsContext._fake_tls_context_) {
throw new Error("Did not return tlsContext #6");
}
leSni.getCertificatesAsync = tests.shift();
leSni._dbg_now = RENEWABLE_DAY;
leSni.sniCallback('example.com', function (err, tlsContext) {
if (!tlsContext._fake_tls_context_) {
throw new Error("Did not return tlsContext #7");
}
if (expectedCount !== count) {
throw new Error("getCertificate only called " + count + " times");
}
if (expectedShared !== shared) {
throw new Error("wrongly used only " + shared + " shared promises");
}
if (tests.length) {
throw new Error("some test functions not run");
}
console.log('PASS');
});
});
throw new Error("only " + count + " of the register getCertificate were called");
});
});
});
});