mirror of
https://github.com/go-acme/lego.git
synced 2024-11-21 13:25:48 +02:00
feat: attempt to check ARI unless explicitly disabled (#2298)
Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com>
parent
faf1e0d56a
commit
98371c4695
@ -20,7 +20,7 @@ import (
|
|||||||
// Flag names.
|
// Flag names.
|
||||||
const (
|
const (
|
||||||
flgDays = "days"
|
flgDays = "days"
|
||||||
flgARIEnable = "ari-enable"
|
flgARIDisable = "ari-disable"
|
||||||
flgARIWaitToRenewDuration = "ari-wait-to-renew-duration"
|
flgARIWaitToRenewDuration = "ari-wait-to-renew-duration"
|
||||||
flgReuseKey = "reuse-key"
|
flgReuseKey = "reuse-key"
|
||||||
flgRenewHook = "renew-hook"
|
flgRenewHook = "renew-hook"
|
||||||
@ -61,8 +61,8 @@ func createRenew() *cli.Command {
|
|||||||
Usage: "The number of days left on a certificate to renew it.",
|
Usage: "The number of days left on a certificate to renew it.",
|
||||||
},
|
},
|
||||||
&cli.BoolFlag{
|
&cli.BoolFlag{
|
||||||
Name: flgARIEnable,
|
Name: flgARIDisable,
|
||||||
Usage: "Use the renewalInfo endpoint (draft-ietf-acme-ari) to check if a certificate should be renewed.",
|
Usage: "Do not use the renewalInfo endpoint (draft-ietf-acme-ari) to check if a certificate should be renewed.",
|
||||||
},
|
},
|
||||||
&cli.DurationFlag{
|
&cli.DurationFlag{
|
||||||
Name: flgARIWaitToRenewDuration,
|
Name: flgARIWaitToRenewDuration,
|
||||||
@ -151,16 +151,24 @@ func renewForDomains(ctx *cli.Context, client *lego.Client, certsStorage *Certif
|
|||||||
cert := certificates[0]
|
cert := certificates[0]
|
||||||
|
|
||||||
var ariRenewalTime *time.Time
|
var ariRenewalTime *time.Time
|
||||||
if ctx.Bool(flgARIEnable) {
|
var replacesCertID string
|
||||||
|
|
||||||
|
if !ctx.Bool(flgARIDisable) {
|
||||||
ariRenewalTime = getARIRenewalTime(ctx, cert, domain, client)
|
ariRenewalTime = getARIRenewalTime(ctx, cert, domain, client)
|
||||||
if ariRenewalTime != nil {
|
if ariRenewalTime != nil {
|
||||||
now := time.Now().UTC()
|
now := time.Now().UTC()
|
||||||
|
|
||||||
// Figure out if we need to sleep before renewing.
|
// Figure out if we need to sleep before renewing.
|
||||||
if ariRenewalTime.After(now) {
|
if ariRenewalTime.After(now) {
|
||||||
log.Infof("[%s] Sleeping %s until renewal time %s", domain, ariRenewalTime.Sub(now), ariRenewalTime)
|
log.Infof("[%s] Sleeping %s until renewal time %s", domain, ariRenewalTime.Sub(now), ariRenewalTime)
|
||||||
time.Sleep(ariRenewalTime.Sub(now))
|
time.Sleep(ariRenewalTime.Sub(now))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
replacesCertID, err = certificate.MakeARICertID(cert)
|
||||||
|
if err != nil {
|
||||||
|
log.Fatalf("Error while construction the ARI CertID for domain %s\n\t%v", domain, err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ariRenewalTime == nil && !needRenewal(cert, domain, ctx.Int(flgDays)) {
|
if ariRenewalTime == nil && !needRenewal(cert, domain, ctx.Int(flgDays)) {
|
||||||
@ -209,11 +217,8 @@ func renewForDomains(ctx *cli.Context, client *lego.Client, certsStorage *Certif
|
|||||||
AlwaysDeactivateAuthorizations: ctx.Bool(flgAlwaysDeactivateAuthorizations),
|
AlwaysDeactivateAuthorizations: ctx.Bool(flgAlwaysDeactivateAuthorizations),
|
||||||
}
|
}
|
||||||
|
|
||||||
if ctx.Bool(flgARIEnable) {
|
if replacesCertID != "" {
|
||||||
request.ReplacesCertID, err = certificate.MakeARICertID(cert)
|
request.ReplacesCertID = replacesCertID
|
||||||
if err != nil {
|
|
||||||
log.Fatalf("Error while construction the ARI CertID for domain %s\n\t%v", domain, err)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
certRes, err := client.Certificate.Obtain(request)
|
certRes, err := client.Certificate.Obtain(request)
|
||||||
@ -250,16 +255,24 @@ func renewForCSR(ctx *cli.Context, client *lego.Client, certsStorage *Certificat
|
|||||||
cert := certificates[0]
|
cert := certificates[0]
|
||||||
|
|
||||||
var ariRenewalTime *time.Time
|
var ariRenewalTime *time.Time
|
||||||
if ctx.Bool(flgARIEnable) {
|
var replacesCertID string
|
||||||
|
|
||||||
|
if !ctx.Bool(flgARIDisable) {
|
||||||
ariRenewalTime = getARIRenewalTime(ctx, cert, domain, client)
|
ariRenewalTime = getARIRenewalTime(ctx, cert, domain, client)
|
||||||
if ariRenewalTime != nil {
|
if ariRenewalTime != nil {
|
||||||
now := time.Now().UTC()
|
now := time.Now().UTC()
|
||||||
|
|
||||||
// Figure out if we need to sleep before renewing.
|
// Figure out if we need to sleep before renewing.
|
||||||
if ariRenewalTime.After(now) {
|
if ariRenewalTime.After(now) {
|
||||||
log.Infof("[%s] Sleeping %s until renewal time %s", domain, ariRenewalTime.Sub(now), ariRenewalTime)
|
log.Infof("[%s] Sleeping %s until renewal time %s", domain, ariRenewalTime.Sub(now), ariRenewalTime)
|
||||||
time.Sleep(ariRenewalTime.Sub(now))
|
time.Sleep(ariRenewalTime.Sub(now))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
replacesCertID, err = certificate.MakeARICertID(cert)
|
||||||
|
if err != nil {
|
||||||
|
log.Fatalf("Error while construction the ARI CertID for domain %s\n\t%v", domain, err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ariRenewalTime == nil && !needRenewal(cert, domain, ctx.Int(flgDays)) {
|
if ariRenewalTime == nil && !needRenewal(cert, domain, ctx.Int(flgDays)) {
|
||||||
@ -279,11 +292,8 @@ func renewForCSR(ctx *cli.Context, client *lego.Client, certsStorage *Certificat
|
|||||||
AlwaysDeactivateAuthorizations: ctx.Bool(flgAlwaysDeactivateAuthorizations),
|
AlwaysDeactivateAuthorizations: ctx.Bool(flgAlwaysDeactivateAuthorizations),
|
||||||
}
|
}
|
||||||
|
|
||||||
if ctx.Bool(flgARIEnable) {
|
if replacesCertID != "" {
|
||||||
request.ReplacesCertID, err = certificate.MakeARICertID(cert)
|
request.ReplacesCertID = replacesCertID
|
||||||
if err != nil {
|
|
||||||
log.Fatalf("Error while construction the ARI CertID for domain %s\n\t%v", domain, err)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
certRes, err := client.Certificate.ObtainForCSR(request)
|
certRes, err := client.Certificate.ObtainForCSR(request)
|
||||||
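Review bot: With ARI now checked by default, the `log.Fatalf` after `certificate.MakeARICertID(cert)` in renewForDomains turns a failure of an optional step into a hard stop, and it runs before the `needRenewal` check, so even a run that would not renew is aborted. A certificate whose CertID cannot be derived would then stop renewing until the operator adds `--ari-disable`, which risks expiry in unattended setups. Consider degrading instead, for example `log.Warnf("[%s] unable to build the ARI CertID, renewing without replaces: %v", domain, err)`; that leaves `replacesCertID` empty so the later `if replacesCertID != ""` guard skips it, assuming MakeARICertID returns an empty string on error. The same block is repeated in renewForCSR, and both function bodies continue outside the hunks shown.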
|
@ -88,7 +88,7 @@ USAGE:
|
|||||||
|
|
||||||
OPTIONS:
|
OPTIONS:
|
||||||
--days value The number of days left on a certificate to renew it. (default: 30)
|
--days value The number of days left on a certificate to renew it. (default: 30)
|
||||||
--ari-enable Use the renewalInfo endpoint (draft-ietf-acme-ari) to check if a certificate should be renewed. (default: false)
|
--ari-disable Do not use the renewalInfo endpoint (draft-ietf-acme-ari) to check if a certificate should be renewed. (default: false)
|
||||||
--ari-wait-to-renew-duration value The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint. (default: 0s)
|
--ari-wait-to-renew-duration value The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint. (default: 0s)
|
||||||
--reuse-key Used to indicate you want to reuse your current private key for the new certificate. (default: false)
|
--reuse-key Used to indicate you want to reuse your current private key for the new certificate. (default: false)
|
||||||
--no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate. (default: false)
|
--no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate. (default: false)
|
||||||
|