greenlock-express.js/lib/sni-callback.js

'use strict';

var crypto = require('crypto');
var tls = require('tls');

module.exports.create = function (opts) {
  if (opts.debug) {
    console.log("[LEX] creating sniCallback", JSON.stringify(opts, null, '  '));
  }
  var ipc = {}; // in-process cache

  if (!opts) { throw new Error("requires opts to be an object"); }
  if (!opts.letsencrypt) { throw new Error("requires opts.letsencrypt to be a letsencrypt instance"); }

  if (!opts.lifetime) { opts.lifetime = 90 * 24 * 60 * 60 * 1000; }
  if (!opts.failedWait) { opts.failedWait = 5 * 60 * 1000; }
  if (!opts.renewWithin) { opts.renewWithin = 3 * 24 * 60 * 60 * 1000; }
  if (!opts.memorizeFor) { opts.memorizeFor = 1 * 24 * 60 * 60 * 1000; }

  if (!opts.approveRegistration) { opts.approveRegistration = function (hostname, cb) { cb(null, null); }; }
  if (!opts.handleRenewFailure) { opts.handleRenewFailure = function (/*err, hostname, certInfo*/) {}; }

  function assignBestByDates(now, certInfo) {
    certInfo = certInfo || { loadedAt: now, expiresAt: 0, issuedAt: 0, lifetime: 0 };

    var rnds = crypto.randomBytes(3)[0];
    var rnd1 = ((rnds[0] + 1) / 257);
    var rnd2 = ((rnds[1] + 1) / 257);
    var rnd3 = ((rnds[2] + 1) / 257);

    // Stagger randomly by plus 0% to 25% to prevent all caches expiring at once
    var memorizeFor = Math.floor(opts.memorizeFor + ((opts.memorizeFor / 4) * rnd1));
    // Stagger randomly to renew between n and 2n days before renewal is due
    // this *greatly* reduces the risk of multiple cluster processes renewing the same domain at once
    var bestIfUsedBy = certInfo.expiresAt - (opts.renewWithin + Math.floor(opts.renewWithin * rnd2));
    // Stagger randomly by plus 0 to 5 min to reduce risk of multiple cluster processes
    // renewing at once on boot when the certs have expired
    var renewTimeout = Math.floor((5 * 60 * 1000) * rnd3);

    certInfo.loadedAt = now;
    certInfo.memorizeFor = memorizeFor;
    certInfo.bestIfUsedBy = bestIfUsedBy;
    certInfo.renewTimeout = renewTimeout;
  }

  function renewInBackground(now, hostname, certInfo) {
    if ((now - certInfo.loadedAt) < opts.failedWait) {
      // wait a few minutes
      return;
    }

    if (now > certInfo.bestIfUsedBy && !certInfo.timeout) {
      // EXPIRING
      if (now > certInfo.expiresAt) {
        // EXPIRED
        certInfo.renewTimeout = Math.floor(certInfo.renewTimeout / 2);
      }

      if (opts.debug) {
        console.log("[LEX] skipping stagger '" + certInfo.renewTimeout + "' and renewing '" + hostname + "' now");
        certInfo.renewTimeout = 500;
      }

      certInfo.timeout = setTimeout(function () {
        var args = { domains: [ hostname ], duplicate: false };
        opts.letsencrypt.renew(args, function (err, certInfo) {
          if (err || !certInfo) {
            opts.handleRenewFailure(err, hostname, certInfo);
          }
          ipc[hostname] = assignBestByDates(now, certInfo);
        });
      }, certInfo.renewTimeout);
    }
  }

  function fetch(hostname, cb) {
    opts.letsencrypt.fetch({ domains: [hostname] }, function (err, certInfo) {
      if (opts.debug) {
        console.log("[LEX] fetch result '" + hostname + "':");
        console.log(err, certInfo);
      }
      if (err) {
        cb(err);
        return;
      }

      var now = Date.now();

      if (!certInfo) {
        // handles registration
        if (opts.debug) {
          console.log("[LEX] '" + hostname + "' is not registered, requesting approval");
        }
        opts.approveRegistration(hostname, function (err, args) {
          if (opts.debug) {
            console.log("[LEX] '" + hostname + "' registration approved, attempting register");
          }
          if (err || !(args && args.agreeTos)) {
            done(err, certInfo);
            return;
          }
          opts.letsencrypt.register(args, function (err, certInfo) {
            if (opts.debug) {
              console.log("[LEX] '" + hostname + "' register completed", err, certInfo);
            }
            done(err, certInfo);
          });
        });
        return;
      }

      done(err, certInfo);

      function done(err, certInfo) {
        ipc[hostname] = assignBestByDates(now, certInfo);

        // handles renewals
        renewInBackground(now, hostname, certInfo);

        if (err) {
          cb(err);
          return;
        }

        if (!certInfo.tlsContext && null !== certInfo.tlsContext) {
          try {
            certInfo.tlsContext = tls.createSecureContext({
              key: certInfo.key                             // privkey.pem
            , cert: certInfo.cert                           // fullchain.pem (cert.pem + '\n' + chain.pem)
            });
          } catch(e) {
            certInfo.tlsContext = null;
            console.warn("[Sanity Check Fail]: a weird object was passed back through le.fetch to lex.fetch");
            cb(e);
            return;
          }
        }

        cb(null, certInfo.tlsContext);
      }
    });
  }

  return function sniCallback(hostname, cb) {
    var now = Date.now();
    var certInfo = ipc[hostname];

    // TODO once ECDSA is available, wait for cert renewal if its due
    if (!certInfo) {
      if (opts.debug) {
        console.log("[LEX] no certs loaded for '" + hostname + "'");
      }
      fetch(hostname, cb);
      return;
    }

    if (certInfo.tlsContext) {
      cb(null, certInfo.tlsContext);

      if ((now - certInfo.loadedAt) < (certInfo.memorizeFor)) {
        // these aren't stale, so don't fall through
        if (opts.debug) {
          console.log("[LEX] certs for '" + hostname + "' are fresh from disk");
        }
        return;
      }
    }
    else if ((now - certInfo.loadedAt) < opts.failedWait) {
      if (opts.debug) {
        console.log("[LEX] certs for '" + hostname + "' recently failed and are still in cool down");
      }
      // this was just fetched and failed, wait a few minutes
      cb(null, null);
      return;
    }

    if (opts.debug) {
      console.log("[LEX] certs for '" + hostname + "' are stale on disk and should be will be fetched again");
    }
    fetch(hostname, cb);
  };
};
sni callback stuff 2015-12-17 03:03:07 +00:00			`'use strict';`

			`var crypto = require('crypto');`
			`var tls = require('tls');`

more passing 2015-12-17 05:08:14 +00:00			`module.exports.create = function (opts) {`
			`if (opts.debug) {`
			`console.log("[LEX] creating sniCallback", JSON.stringify(opts, null, ' '));`
			`}`
sni callback stuff 2015-12-17 03:03:07 +00:00			`var ipc = {}; // in-process cache`

more passing 2015-12-17 05:08:14 +00:00			`if (!opts) { throw new Error("requires opts to be an object"); }`
			`if (!opts.letsencrypt) { throw new Error("requires opts.letsencrypt to be a letsencrypt instance"); }`
sni callback stuff 2015-12-17 03:03:07 +00:00
more passing 2015-12-17 05:08:14 +00:00			`if (!opts.lifetime) { opts.lifetime = 90 * 24 * 60 * 60 * 1000; }`
			`if (!opts.failedWait) { opts.failedWait = 5 * 60 * 1000; }`
			`if (!opts.renewWithin) { opts.renewWithin = 3 * 24 * 60 * 60 * 1000; }`
			`if (!opts.memorizeFor) { opts.memorizeFor = 1 * 24 * 60 * 60 * 1000; }`
sni callback stuff 2015-12-17 03:03:07 +00:00
more passing 2015-12-17 05:08:14 +00:00			`if (!opts.approveRegistration) { opts.approveRegistration = function (hostname, cb) { cb(null, null); }; }`
			`if (!opts.handleRenewFailure) { opts.handleRenewFailure = function (/err, hostname, certInfo/) {}; }`
sni callback stuff 2015-12-17 03:03:07 +00:00
			`function assignBestByDates(now, certInfo) {`
			`certInfo = certInfo \|\| { loadedAt: now, expiresAt: 0, issuedAt: 0, lifetime: 0 };`

			`var rnds = crypto.randomBytes(3)[0];`
			`var rnd1 = ((rnds[0] + 1) / 257);`
			`var rnd2 = ((rnds[1] + 1) / 257);`
			`var rnd3 = ((rnds[2] + 1) / 257);`

			`// Stagger randomly by plus 0% to 25% to prevent all caches expiring at once`
more passing 2015-12-17 05:08:14 +00:00			`var memorizeFor = Math.floor(opts.memorizeFor + ((opts.memorizeFor / 4) * rnd1));`
sni callback stuff 2015-12-17 03:03:07 +00:00			`// Stagger randomly to renew between n and 2n days before renewal is due`
			`// this greatly reduces the risk of multiple cluster processes renewing the same domain at once`
more passing 2015-12-17 05:08:14 +00:00			`var bestIfUsedBy = certInfo.expiresAt - (opts.renewWithin + Math.floor(opts.renewWithin * rnd2));`
sni callback stuff 2015-12-17 03:03:07 +00:00			`// Stagger randomly by plus 0 to 5 min to reduce risk of multiple cluster processes`
			`// renewing at once on boot when the certs have expired`
			`var renewTimeout = Math.floor((5 * 60 * 1000) * rnd3);`

			`certInfo.loadedAt = now;`
			`certInfo.memorizeFor = memorizeFor;`
			`certInfo.bestIfUsedBy = bestIfUsedBy;`
			`certInfo.renewTimeout = renewTimeout;`
			`}`

			`function renewInBackground(now, hostname, certInfo) {`
more passing 2015-12-17 05:08:14 +00:00			`if ((now - certInfo.loadedAt) < opts.failedWait) {`
sni callback stuff 2015-12-17 03:03:07 +00:00			`// wait a few minutes`
			`return;`
			`}`

			`if (now > certInfo.bestIfUsedBy && !certInfo.timeout) {`
			`// EXPIRING`
			`if (now > certInfo.expiresAt) {`
			`// EXPIRED`
			`certInfo.renewTimeout = Math.floor(certInfo.renewTimeout / 2);`
			`}`

more passing 2015-12-17 05:08:14 +00:00			`if (opts.debug) {`
			`console.log("[LEX] skipping stagger '" + certInfo.renewTimeout + "' and renewing '" + hostname + "' now");`
			`certInfo.renewTimeout = 500;`
			`}`

sni callback stuff 2015-12-17 03:03:07 +00:00			`certInfo.timeout = setTimeout(function () {`
more passing 2015-12-17 05:08:14 +00:00			`var args = { domains: [ hostname ], duplicate: false };`
			`opts.letsencrypt.renew(args, function (err, certInfo) {`
sni callback stuff 2015-12-17 03:03:07 +00:00			`if (err \|\| !certInfo) {`
more passing 2015-12-17 05:08:14 +00:00			`opts.handleRenewFailure(err, hostname, certInfo);`
sni callback stuff 2015-12-17 03:03:07 +00:00			`}`
			`ipc[hostname] = assignBestByDates(now, certInfo);`
			`});`
			`}, certInfo.renewTimeout);`
			`}`
			`}`

			`function fetch(hostname, cb) {`
more passing 2015-12-17 05:08:14 +00:00			`opts.letsencrypt.fetch({ domains: [hostname] }, function (err, certInfo) {`
			`if (opts.debug) {`
			`console.log("[LEX] fetch result '" + hostname + "':");`
			`console.log(err, certInfo);`
sni callback stuff 2015-12-17 03:03:07 +00:00			`}`
			`if (err) {`
			`cb(err);`
			`return;`
			`}`

more passing 2015-12-17 05:08:14 +00:00			`var now = Date.now();`

			`if (!certInfo) {`
			`// handles registration`
			`if (opts.debug) {`
			`console.log("[LEX] '" + hostname + "' is not registered, requesting approval");`
			`}`
			`opts.approveRegistration(hostname, function (err, args) {`
			`if (opts.debug) {`
			`console.log("[LEX] '" + hostname + "' registration approved, attempting register");`
			`}`
			`if (err \|\| !(args && args.agreeTos)) {`
			`done(err, certInfo);`
			`return;`
			`}`
			`opts.letsencrypt.register(args, function (err, certInfo) {`
			`if (opts.debug) {`
			`console.log("[LEX] '" + hostname + "' register completed", err, certInfo);`
			`}`
			`done(err, certInfo);`
			`});`
sni callback stuff 2015-12-17 03:03:07 +00:00			`});`
			`return;`
			`}`

more passing 2015-12-17 05:08:14 +00:00			`done(err, certInfo);`

			`function done(err, certInfo) {`
			`ipc[hostname] = assignBestByDates(now, certInfo);`

			`// handles renewals`
			`renewInBackground(now, hostname, certInfo);`

			`if (err) {`
			`cb(err);`
			`return;`
			`}`

			`if (!certInfo.tlsContext && null !== certInfo.tlsContext) {`
			`try {`
			`certInfo.tlsContext = tls.createSecureContext({`
			`key: certInfo.key // privkey.pem`
			`, cert: certInfo.cert // fullchain.pem (cert.pem + '\n' + chain.pem)`
			`});`
			`} catch(e) {`
			`certInfo.tlsContext = null;`
			`console.warn("[Sanity Check Fail]: a weird object was passed back through le.fetch to lex.fetch");`
			`cb(e);`
			`return;`
			`}`
			`}`

			`cb(null, certInfo.tlsContext);`
			`}`
sni callback stuff 2015-12-17 03:03:07 +00:00			`});`
			`}`

			`return function sniCallback(hostname, cb) {`
			`var now = Date.now();`
			`var certInfo = ipc[hostname];`

			`// TODO once ECDSA is available, wait for cert renewal if its due`
			`if (!certInfo) {`
more passing 2015-12-17 05:08:14 +00:00			`if (opts.debug) {`
			`console.log("[LEX] no certs loaded for '" + hostname + "'");`
			`}`
sni callback stuff 2015-12-17 03:03:07 +00:00			`fetch(hostname, cb);`
			`return;`
			`}`

more passing 2015-12-17 05:08:14 +00:00			`if (certInfo.tlsContext) {`
			`cb(null, certInfo.tlsContext);`
sni callback stuff 2015-12-17 03:03:07 +00:00
			`if ((now - certInfo.loadedAt) < (certInfo.memorizeFor)) {`
			`// these aren't stale, so don't fall through`
more passing 2015-12-17 05:08:14 +00:00			`if (opts.debug) {`
			`console.log("[LEX] certs for '" + hostname + "' are fresh from disk");`
			`}`
sni callback stuff 2015-12-17 03:03:07 +00:00			`return;`
			`}`
			`}`
more passing 2015-12-17 05:08:14 +00:00			`else if ((now - certInfo.loadedAt) < opts.failedWait) {`
			`if (opts.debug) {`
			`console.log("[LEX] certs for '" + hostname + "' recently failed and are still in cool down");`
			`}`
sni callback stuff 2015-12-17 03:03:07 +00:00			`// this was just fetched and failed, wait a few minutes`
			`cb(null, null);`
			`return;`
			`}`

more passing 2015-12-17 05:08:14 +00:00			`if (opts.debug) {`
			`console.log("[LEX] certs for '" + hostname + "' are stale on disk and should be will be fetched again");`
			`}`
			`fetch(hostname, cb);`
sni callback stuff 2015-12-17 03:03:07 +00:00			`};`
			`};`