This commit is contained in:
AJ ONeal 2016-08-10 16:31:25 -04:00
parent 5a710a729f
commit 2fd8da484e
2 changed files with 64 additions and 35 deletions

View File

@ -1,9 +1,27 @@
'use strict'; 'use strict';
// opts = { renewWithin, renew, register, httpsOptions } // opts = { notBefore, notAfter, renew, register, httpsOptions }
module.exports.create = function (opts) { module.exports.create = function (opts) {
if (!opts.notBefore) { throw new Error("must supply options.notBefore (and options.notAfter)"); }
if (!opts.notAfter) { opts.notAfter = opts.notBefore - (3 * 24 * 60 * 60 * 1000); }
if (!opts.httpsOptions) { opts.httpOptions = {}; }
//opts.renewWithin = opts.notBefore; // i.e. 15 days
opts.renewWindow = opts.notBefore - opts.notAfter; // i.e. 1 day
//opts.renewRatio = opts.notBefore = opts.renewWindow; // i.e. 1/15 (6.67%)
var tls = require('tls'); var tls = require('tls');
var snicb = { var snicb = {
@ -11,10 +29,6 @@ module.exports.create = function (opts) {
// in-process cache // in-process cache
_ipc: {} _ipc: {}
// just to account for clock skew // just to account for clock skew
, _fiveMin: 5 * 60 * 1000 , _fiveMin: 5 * 60 * 1000
@ -23,22 +37,31 @@ module.exports.create = function (opts) {
// cache and format incoming certs // cache and format incoming certs
, cacheCerts: function (certs) { , cacheCerts: function (certs) {
var meta = {
certs: certs
, tlsContext: tls.createSecureContext({
key: certs.privkey
, cert: certs.cert + certs.chain
, rejectUnauthorized: opts.httpsOptions.rejectUnauthorized
, requestCert: opts.httpsOptions.requestCert // request peer verification
, ca: opts.httpsOptions.ca // this chain is for incoming peer connctions
, crl: opts.httpsOptions.crl // this crl is for incoming peer connections
})
, subject: certs.subject
// stagger renewal time by a little bit of randomness
, renewAt: (certs.expiresAt - (opts.notBefore - (opts.renewWindow * Math.random())))
// err just barely on the side of safety
, expiresNear: certs.expiresAt - snicb._fiveMin
};
certs.altnames.forEach(function (domain) { certs.altnames.forEach(function (domain) {
snicb._ipc[domain] = { subject: certs.subject }; snicb._ipc[domain] = { subject: certs.subject };
}); });
snicb._ipc[certs.subject] = certs; snicb._ipc[certs.subject] = meta;
certs.tlsContext = tls.createSecureContext({ return meta;
key: certs.privkey
, cert: certs.cert + certs.chain
, rejectUnauthorized: opts.httpsOptions.rejectUnauthorized
, requestCert: opts.httpsOptions.requestCert // request peer verification
, ca: opts.httpsOptions.ca // this chain is for incoming peer connctions
, crl: opts.httpsOptions.crl // this crl is for incoming peer connections
});
return certs;
} }
@ -46,32 +69,39 @@ module.exports.create = function (opts) {
// automate certificate registration on request // automate certificate registration on request
, sniCallback: function (domain, cb) { , sniCallback: function (domain, cb) {
var certs = snicb._ipc[domain]; var certMeta = snicb._ipc[domain];
var promise; var promise;
var now = Date.now(); var now = Date.now();
if (certs && certs.subject !== domain) { if (certMeta && certMeta.subject !== domain) {
certs = snicb._ipc[domain]; certMeta = snicb._ipc[domain];
} }
// err just barely on the side of safety if (!certMeta) {
if (!certs) { // we don't have a cert and must get one
promise = opts.register(domain); promise = opts.register(domain);
} }
else if (now >= (certs.expiresAt - snicb._fiveMin)) { else if (now >= certMeta.expiresNear) {
promise = opts.renew(domain, certs); // we have a cert, but it's no good for the average user
} promise = opts.renew(domain, certMeta.certs);
else { } else {
if (now >= (certs.expiresAt - opts.renewWithin)) {
// in background // we could stand to try to renew the cert
opts.renew(domain, certs).then(snicb.cacheCerts); if (now >= certMeta.renewAt) {
// give the cert some time to be validated and replaced before trying again
certMeta.renewAt = Date.now() + (2 * 60 * 60 * 1000) + (3 * 60 * 60 * 1000 * Math.random());
// let the update happen in the background
opts.renew(domain, certMeta.certs).then(snicb.cacheCerts);
} }
cb(null, certs);
// return the valid cert right away
cb(null, certMeta.certs);
return; return;
} }
promise.then(snicb.cacheCerts).then(function (certs) { // promise the non-existent or expired cert
cb(null, certs.tlsContext); promise.then(snicb.cacheCerts).then(function (certMeta) {
cb(null, certMeta.tlsContext);
}, cb); }, cb);
} }

View File

@ -2,8 +2,8 @@
module.exports.create = function (opts) { module.exports.create = function (opts) {
if (!opts.letsencrypt) { opts.letsencrypt = require('letsencrypt').create({ server: opts.server }); } if (!opts.letsencrypt) { opts.letsencrypt = require('letsencrypt').create({ server: opts.server }); }
if ('function' === typeof opts.approve) { if ('function' !== typeof opts.approveDomains) {
throw new Error("You must provide opts.approve(options, certs, callback) to approve certificates"); throw new Error("You must provide opts.approveDomains(options, certs, callback) to approve certificates");
} }
function log(debug) { function log(debug) {
@ -17,7 +17,6 @@ module.exports.create = function (opts) {
console.log.apply(console, args); console.log.apply(console, args);
} }
opts._pending = {};
opts._le = opts.letsencrypt; opts._le = opts.letsencrypt;
opts.addWorker = function (worker) { opts.addWorker = function (worker) {