v2.1.9: ignore failed background refresh

support uncaching and non-automatic certificates

README.md

@@ -1,7 +1,7 @@
 le-sni-auto
 ===========
 
-**DRAFT** this is not yet published to npm
+| Sponsored by [ppl](https://ppl.family)
 
 An auto-sni strategy for registering and renewing letsencrypt certificates using SNICallback.
 
@@ -31,10 +31,10 @@ With node-letsencrypt
 
 var leSni = require('le-sni-auto').create({
 
-  notBefore: 10 * 24 * 60 * 60 1000       // do not renew more than 10 days before expiration
+  renewWithin: 14 * 24 * 60 * 60 1000     // do not renew more than 14 days before expiration
-, notAfter: 5 * 24 * 60 * 60 1000         // do not wait more than 5 days before expiration
+, renewBy: 10 * 24 * 60 * 60 1000         // do not wait more than 10 days before expiration
 
-, httpsOptions: {
+, tlsOptions: {
     rejectUnauthorized: true              // These options will be used with tls.createSecureContext()
   , requestCert: false                    // in addition to key (privkey.pem) and cert (cert.pem + chain.pem),
   , ca: null                              // which are provided by letsencrypt
@@ -58,14 +58,13 @@ var le = require('letsencrypt').create({
 
 
 
+var redirectHttps = require('redirect-https').create();
+http.createServer(le.middleware(redirectHttps));
+
+
+
 var app = require('express')();
-var httpsOptions = { SNICallback: le.sni.callback };
+https.createServer(le.tlsOptions, le.middleware(app)).listen(443);
-
-httpsOptions = require('localhost.daplie.com-certificates').merge(httpsOptions);
-
-
-http.createServer(le.handleAcmeOrRedirectToHttps());
-https.createServer(dummyCerts, le.handleAcmeOrUse(app)).listen(443);
 ```
 
 You can also provide a thunk-style `getCertificates(domain, certs, cb)`.
@@ -77,12 +76,13 @@ Standalone
 'use strict';
 
 
-var le = require('letsencrypt').create({
+
-  notBefore: 10 * 24 * 60 * 60 1000       // do not renew prior to 10 days before expiration
+var leSni = require('le-sni-auto').create({
-, notAfter: 5 * 24 * 60 * 60 1000         // do not wait more than 5 days before expiration
+  renewWithin: 14 * 24 * 60 * 60 1000       // do not renew prior to 10 days before expiration
+, renewBy: 10 * 24 * 60 * 60 1000         // do not wait more than 5 days before expiration
 
   // key (privkey.pem) and cert (cert.pem + chain.pem) will be provided by letsencrypt
-, httpsOptions: { rejectUnauthorized: true, requestCert: false, ca: null, crl: null }
+, tlsOptions: { rejectUnauthorized: true, requestCert: false, ca: null, crl: null }
 
 , getCertificatesAsync: function (domain, certs) {
     // return a promise with an object with the following keys:
@@ -92,11 +92,103 @@ var le = require('letsencrypt').create({
 
 
 
+var tlsOptions = {
+  SNICallback: leSni.sniCallback
+};
 
-var dummyCerts = require('localhost.daplie.com-certificates');
+https.createServer(tlsOptions, app);
-dummyCerts.SNICallback = le.sni.sniCallback;
-
-https.createServer(dummyCerts, );
 ```
 
 You can also provide a thunk-style `getCertificates(domain, certs, cb)`.
+
+API
+===
+
+* create(options)
+  * `getCertificates(domain, certs, cb)` or `getCertificatesAsync(domain, certs)`
+  * `renewWithin` (default 7 days, min 3 days)
+  * `renewBy` (default 2 days, min 12 hours)
+* `sniCallback(domain, cb)`
+* `cacheCerts(certs)`
+* `uncacheDomain(domain)`
+
+.renewWithin
+-----------
+
+Specifies the maximum amount of time (in ms) before
+the certificate expires to renew it.
+
+Say the cert expires in 90 days and you would like
+to renew, **at earliest** 10 days before it expires.
+
+You would set this to `10 * 24 * 60 * 60 * 1000`.
+
+.renewBy
+--------
+
+Specifies the maximum amount of time (in ms) before
+the certificate expires to renew it.
+
+Say the cert expires in 90 days and you would like
+to renew, **at latest** 10 days before it expires.
+
+You would set this to `10 * 24 * 60 * 60 * 1000`.
+
+**MUST** be **less than** `renewWithin`.
+
+.sniCallback()
+-----------
+
+This gets passed to `https.createServer(tlsOptions, app)` as `tlsOptions.SNICallback`.
+
+```javascript
+var leSni = require('le-sni-auto').create({
+  renewWithin: 14 * 24 * 60 * 60 1000
+});
+
+var tlsOptions = {
+  SNICallback: leSni.sniCallback
+};
+
+function app(req, res) {
+  res.end("Hello, World!");
+}
+
+https.createServer(tlsOptions, app);
+```
+
+.cacheCerts()
+-----------
+
+Manually load a certificate into the cache.
+
+This is useful in a cluster environment where the master
+may wish to inform multiple workers of a new or renewed certificate,
+or to satisfy tls-sni-01 challenges.
+
+```
+leSni.cacheCerts({
+, privkey: '<<privkey.pem>>'
+, cert: '<<cert.pem + chain.pem>>'
+, subject: 'example.com'
+, altnames: [ 'example.com', 'www.example.com' ]
+, issuedAt: 1470975565000
+, expiresAt: 1478751565000
+, auto: true
+});
+```
+
+.uncacheCerts()
+-----------
+
+Remove cached certificates from the cache.
+
+This is useful once a tls-sni-01 challenge has been satisfied.
+
+```
+leSni.uncacheCerts({
+, subject: 'example.com'
+, altnames: [ 'example.com', 'www.example.com' ]
+});
+```
+

index.js

@@ -1,21 +1,48 @@
 'use strict';
 
-// autoSni = { notBefore, notAfter, getCertificates, httpsOptions, _dbg_now }
+var DAY = 24 * 60 * 60 * 1000;
+var HOUR = 60 * 60 * 1000;
+var MIN = 60 * 1000;
+var defaults = {
+  // don't renew before the renewWithin period
+  renewWithin: 30 * DAY
+, _renewWithinMin: 3 * DAY
+  // renew before the renewBy period
+, renewBy: 21 * DAY
+, _renewByMin: Math.floor(DAY / 2)
+  // just to account for clock skew really
+, _dropDead: 5 * MIN
+};
+var promisify = require('util').promisify;
+if (!promisify) {
+  try {
+    promisify = require('bluebird').promisify;
+  } catch(e) {
+    console.error("You're running an older version of node that doesn't have 'promisify'. Please run 'npm install bluebird --save'.");
+  }
+}
+
+// autoSni = { renewWithin, renewBy, getCertificates, tlsOptions, _dbg_now }
 module.exports.create = function (autoSni) {
 
-  var DAY = 24 * 60 * 60 * 1000;
+  if (!autoSni.getCertificatesAsync) { autoSni.getCertificatesAsync = promisify(autoSni.getCertificates); }
-  var MIN = 60 * 1000;
+  if (!autoSni.renewWithin) { autoSni.renewWithin = autoSni.notBefore || defaults.renewWithin; }
-  if (!autoSni.getCertificatesAsync) { autoSni.getCertificatesAsync = require('bluebird').promisify(autoSni.getCertificates); }
+  if (autoSni.renewWithin < defaults._renewWithinMin) {
-  if (!autoSni.notBefore) { throw new Error("must supply options.notBefore (and options.notAfter)"); }
+    throw new Error("options.renewWithin should be at least " + (defaults._renewWithinMin / DAY) + " days");
-  if (!autoSni.notAfter) { autoSni.notAfter = autoSni.notBefore - (3 * DAY); }
+  }
-  if (!autoSni.httpsOptions) { autoSni.httpsOptions = {}; }
+  if (!autoSni.renewBy) { autoSni.renewBy = autoSni.notAfter || defaults.renewBy; }
+  if (autoSni.renewBy < defaults._renewByMin) {
+    throw new Error("options.renewBy should be at least " + (defaults._renewBy / HOUR) + " hours");
+  }
+  if (!autoSni.tlsOptions) { autoSni.tlsOptions = autoSni.httpsOptions || {}; }
 
 
 
 
+  autoSni._dropDead = defaults._dropDead;
   //autoSni.renewWithin = autoSni.notBefore;                          // i.e. 15 days
-  autoSni.renewWindow = autoSni.notBefore - autoSni.notAfter;      // i.e. 1 day
+  autoSni._renewWindow = autoSni.renewWithin - autoSni.renewBy;      // i.e. 1 day
-  //autoSni.renewRatio = autoSni.notBefore = autoSni.renewWindow;  // i.e. 1/15 (6.67%)
+  //autoSni.renewRatio = autoSni.notBefore = autoSni._renewWindow;   // i.e. 1/15 (6.67%)
 
 
 
@@ -32,31 +59,34 @@ module.exports.create = function (autoSni) {
 
     // in-process cache
     _ipc: {}
-    // just to account for clock skew
+  , getOptions: function () {
-  , _fiveMin: 5 * MIN
+      return JSON.parse(JSON.stringify(defaults));
+    }
 
 
 
 
     // cache and format incoming certs
-  , _cacheCerts: function (certs) {
+  , cacheCerts: function (certs) {
       var meta = {
         certs: certs
       , tlsContext: 'string' === typeof certs.cert && tls.createSecureContext({
           key: certs.privkey
-        , cert: certs.cert + certs.chain
+          // backwards/forwards compat
-        , rejectUnauthorized: autoSni.httpsOptions.rejectUnauthorized
+        , cert: (certs.cert||'').replace(/[\r\n]+$/, '') + '\r\n' + certs.chain
+        , rejectUnauthorized: autoSni.tlsOptions.rejectUnauthorized
 
-        , requestCert: autoSni.httpsOptions.requestCert  // request peer verification
+        , requestCert: autoSni.tlsOptions.requestCert  // request peer verification
-        , ca: autoSni.httpsOptions.ca                    // this chain is for incoming peer connctions
+        , ca: autoSni.tlsOptions.ca                    // this chain is for incoming peer connctions
-        , crl: autoSni.httpsOptions.crl                  // this crl is for incoming peer connections
+        , crl: autoSni.tlsOptions.crl                  // this crl is for incoming peer connections
         }) || { '_fake_tls_context_': true }
 
       , subject: certs.subject
+      , auto: 'undefined' === typeof certs.auto ? true : certs.auto
         // stagger renewal time by a little bit of randomness
-      , renewAt: (certs.expiresAt - (autoSni.notBefore - (autoSni.renewWindow * Math.random())))
+      , renewAt: (certs.expiresAt - (autoSni.renewWithin - (autoSni._renewWindow * Math.random())))
         // err just barely on the side of safety
-      , expiresNear: certs.expiresAt - autoSni._fiveMin
+      , expiresNear: certs.expiresAt - autoSni._dropDead
       };
       var link = { subject: certs.subject };
 
@@ -71,13 +101,23 @@ module.exports.create = function (autoSni) {
 
 
 
+  , uncacheCerts: function (certs) {
+      certs.altnames.forEach(function (domain) {
+        delete autoSni._ipc[domain];
+      });
+      delete autoSni._ipc[certs.subject];
+    }
+
+
+
+
     // automate certificate registration on request
   , sniCallback: function (domain, cb) {
       var certMeta = autoSni._ipc[domain];
       var promise;
       var now = (autoSni._dbg_now || Date.now());
 
-      if (certMeta && certMeta.subject !== domain) {
+      if (certMeta && !certMeta.then && certMeta.subject !== domain) {
         //log(autoSni.debug, "LINK CERT", domain);
         certMeta = autoSni._ipc[certMeta.subject];
       }
@@ -85,21 +125,31 @@ module.exports.create = function (autoSni) {
       if (!certMeta) {
         //log(autoSni.debug, "NO CERT", domain);
         // we don't have a cert and must get one
-        promise = autoSni.getCertificatesAsync(domain, null);
+        promise = autoSni.getCertificatesAsync(domain, null).then(autoSni.cacheCerts);
+        autoSni._ipc[domain] = promise;
+      }
+      else if (certMeta.then) {
+        //log(autoSni.debug, "PROMISED CERT", domain);
+        // we are already getting a cert
+        promise = certMeta;
       }
       else if (now >= certMeta.expiresNear) {
         //log(autoSni.debug, "EXPIRED CERT");
         // we have a cert, but it's no good for the average user
-        promise = autoSni.getCertificatesAsync(domain, certMeta.certs);
+        promise = autoSni.getCertificatesAsync(domain, certMeta.certs).then(autoSni.cacheCerts);
+        autoSni._ipc[certMeta.subject] = promise;
       } else {
 
         // it's time to renew the cert
-        if (now >= certMeta.renewAt) {
+        if (certMeta.auto && now >= certMeta.renewAt) {
           //log(autoSni.debug, "RENEWABLE CERT");
           // give the cert some time (2-5 min) to be validated and replaced before trying again
           certMeta.renewAt = (autoSni._dbg_now || Date.now()) + (2 * MIN) + (3 * MIN * Math.random());
           // let the update happen in the background
-          autoSni.getCertificatesAsync(domain, certMeta.certs).then(autoSni._cacheCerts);
+          autoSni.getCertificatesAsync(domain, certMeta.certs).then(autoSni.cacheCerts, function (error) {
+            // console.error('ERROR in le-sni-auto:');
+            // console.error(err.stack || err);
+          })
         }
 
         // return the valid cert right away
@@ -108,12 +158,14 @@ module.exports.create = function (autoSni) {
       }
 
       // promise the non-existent or expired cert
-      promise.then(autoSni._cacheCerts).then(function (certMeta) {
+      promise.then(function (certMeta) {
         cb(null, certMeta.tlsContext);
       }, function (err) {
-        console.error('ERROR in le-sni-auto:');
+        // console.error('ERROR in le-sni-auto:');
-        console.error(err.stack || err);
+        // console.error(err.stack || err);
         cb(err);
+        // don't reuse this promise
+        delete autoSni._ipc[certMeta && certMeta.subject ? certMeta.subject : domain];
       });
     }
 

package-lock.json

@@ -0,0 +1,5 @@
+{
+  "name": "le-sni-auto",
+  "version": "2.1.9",
+  "lockfileVersion": 1
+}

package.json

@@ -1,10 +1,11 @@
 {
   "name": "le-sni-auto",
-  "version": "2.0.0",
+  "version": "2.1.9",
   "description": "An auto-sni strategy for registering and renewing letsencrypt certificates using SNICallback",
+  "homepage": "https://git.coolaj86.com/coolaj86/le-sni-auto.js",
   "main": "index.js",
-  "dependencies": {
+  "trulyOptionalDependencies": {
-    "bluebird": "^3.4.1"
+    "bluebird": "^3.5.1"
   },
   "devDependencies": {},
   "scripts": {
@@ -12,7 +13,7 @@
   },
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/Daplie/le-sni-auto.git"
+    "url": "https://git.coolaj86.com/coolaj86/le-sni-auto.js.git"
   },
   "keywords": [
     "le-sni",
@@ -26,7 +27,6 @@
   "author": "AJ ONeal <coolaj86@gmail.com> (https://coolaj86.com/)",
   "license": "(MIT OR Apache-2.0)",
   "bugs": {
-    "url": "https://github.com/Daplie/le-sni-auto/issues"
+    "url": "https://git.coolaj86.com/coolaj86/le-sni-auto.js/issues"
-  },
+  }
-  "homepage": "https://github.com/Daplie/le-sni-auto#readme"
 }

test.js

@@ -17,13 +17,19 @@ var CERT_2 = {
 , subject: 'example.com'
 , altnames: ['example.com', 'www.example.com']
 };
+var CERT_3 = {
+  expiresAt: EXPIRES_AT
+, subject: 'example.com'
+, altnames: ['example.com', 'www.example.com']
+, auto: false
+};
 
 var count = 0;
-var expectedCount = 3;
+var expectedCount = 4;
 var tests = [
   function (domain, certs, cb) {
     count += 1;
-    console.log('#1 is 1 of 3');
+    console.log('#1 is 1 of 4');
     if (!domain) {
       throw new Error("should have a domain");
     }
@@ -42,7 +48,7 @@ var tests = [
   }
 , function (domain, certs, cb) {
     count += 1;
-    console.log('#3 is 2 of 3');
+    console.log('#3 is 2 of 4');
     // NOTE: there's a very very small chance this will fail occasionally (if Math.random() < 0.01)
     if (!certs) {
       throw new Error("should have certs to renew (renewAt)");
@@ -52,7 +58,7 @@ var tests = [
   }
 , function (domain, certs, cb) {
     count += 1;
-    console.log('#4 is 3 of 3');
+    console.log('#4 is 3 of 4');
     if (!certs) {
       throw new Error("should have certs to renew (expiresNear)");
     }
@@ -63,11 +69,24 @@ var tests = [
     console.log('#5 should NOT be called');
     throw new Error("Should not call register renew a certificate with more than 10 days left");
   }
+, function (domain, certs, cb) {
+    count += 1;
+    console.log('#6 is 4 of 4');
+    if (certs) {
+      throw new Error("should not have certs that have been uncached");
+    }
+
+    cb(null, CERT_3);
+  }
+, function (/*domain, certs, cb*/) {
+    console.log('#7 should NOT be called');
+    throw new Error("Should not call register renew a non-auto certificate");
+  }
 ].map(function (fn) {
   return require('bluebird').promisify(fn);
 });
 
-// opts = { notBefore, notAfter, letsencrypt.renew, letsencrypt.register, httpsOptions }
+// opts = { notBefore, notAfter, letsencrypt.renew, letsencrypt.register, tlsOptions }
 var leSni = require('./').create({
   notBefore: NOT_BEFORE
 , notAfter: NOT_AFTER
@@ -75,10 +94,16 @@ var leSni = require('./').create({
 , _dbg_now: START_DAY
 });
 
+var shared = 0;
+var expectedShared = 3;
+leSni.sniCallback('example.com', function (err, tlsContext) {
+  if (err) { throw err; }
+  shared += 1;
+});
 leSni.sniCallback('example.com', function (err, tlsContext) {
   if (err) { throw err; }
   if (!tlsContext._fake_tls_context_) {
-    throw new Error("Did not return tlsContext 0");
+    throw new Error("Did not return tlsContext #1");
   }
   leSni.getCertificatesAsync = tests.shift();
 
@@ -88,7 +113,63 @@ leSni.sniCallback('example.com', function (err, tlsContext) {
   leSni.sniCallback('example.com', function (err, tlsContext) {
     if (err) { throw err; }
     if (!tlsContext._fake_tls_context_) {
-      throw new Error("Did not return tlsContext 1");
+      throw new Error("Did not return tlsContext #2");
+    }
+    leSni.getCertificatesAsync = tests.shift();
+
+    leSni._dbg_now = RENEWABLE_DAY;
+
+
+
+
+    leSni.sniCallback('www.example.com', function (err, tlsContext) {
+      if (err) { throw err; }
+      shared += 1;
+    });
+    leSni.sniCallback('example.com', function (err, tlsContext) {
+      if (err) { throw err; }
+      if (!tlsContext._fake_tls_context_) {
+        throw new Error("Did not return tlsContext #3");
+      }
+      leSni.getCertificatesAsync = tests.shift();
+
+      leSni._dbg_now = EXPIRES_AT;
+
+
+
+
+      leSni.sniCallback('www.example.com', function (err, tlsContext) {
+        if (err) { throw err; }
+        shared += 1;
+      });
+      leSni.sniCallback('www.example.com', function (err, tlsContext) {
+        if (err) { throw err; }
+        if (!tlsContext._fake_tls_context_) {
+          throw new Error("Did not return tlsContext #4");
+        }
+        leSni.getCertificatesAsync = tests.shift();
+
+
+
+
+        leSni.sniCallback('www.example.com', function (err, tlsContext) {
+          if (err) { throw err; }
+          if (!tlsContext._fake_tls_context_) {
+            throw new Error("Did not return tlsContext #5");
+          }
+          leSni.uncacheCerts({
+            subject: 'example.com'
+          , altnames: ['example.com', 'www.example.com']
+          });
+          leSni.getCertificatesAsync = tests.shift();
+
+
+
+
+          leSni.sniCallback('example.com', function (err, tlsContext) {
+            if (err) { throw err; }
+            if (!tlsContext._fake_tls_context_) {
+              throw new Error("Did not return tlsContext #6");
             }
             leSni.getCertificatesAsync = tests.shift();
 
@@ -98,44 +179,26 @@ leSni.sniCallback('example.com', function (err, tlsContext) {
 
 
             leSni.sniCallback('example.com', function (err, tlsContext) {
-      if (err) { throw err; }
               if (!tlsContext._fake_tls_context_) {
-        throw new Error("Did not return tlsContext 2");
+                throw new Error("Did not return tlsContext #7");
-      }
+              }
-      leSni.getCertificatesAsync = tests.shift();
+
-
+              if (expectedCount !== count) {
-      leSni._dbg_now = EXPIRES_AT;
+                throw new Error("getCertificate only called " + count + " times");
-
+              }
-
+
-
+              if (expectedShared !== shared) {
-
+                throw new Error("wrongly used only " + shared + " shared promises");
-      leSni.sniCallback('example.com', function (err, tlsContext) {
+              }
-        if (err) { throw err; }
+
-        if (!tlsContext._fake_tls_context_) {
+              if (tests.length) {
-          throw new Error("Did not return tlsContext 2");
+                throw new Error("some test functions not run");
-        }
-        leSni.getCertificatesAsync = tests.shift();
-
-
-
-
-        leSni.sniCallback('example.com', function (err, tlsContext) {
-          if (err) { throw err; }
-          if (!tlsContext._fake_tls_context_) {
-            throw new Error("Did not return tlsContext 2");
               }
 
-          if (expectedCount === count && !tests.length) {
               console.log('PASS');
-            return;
+            });
-          }
+          });
-
+        });
-          throw new Error("only " + count + " of the register getCertificate were called");
-        });
-
-
-
-
       });
     });
   });