
feat: attempt to check ARI unless explicitly disabled (#2298)

Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com>
Samantha Frank 2024-11-10 19:33:27 -05:00 committed by GitHub
parent faf1e0d56a
commit 98371c4695
2 changed files with 26 additions and 16 deletions


@ -20,7 +20,7 @@ import (
// Flag names. // Flag names.
const ( const (
flgDays = "days" flgDays = "days"
flgARIEnable = "ari-enable" flgARIDisable = "ari-disable"
flgARIWaitToRenewDuration = "ari-wait-to-renew-duration" flgARIWaitToRenewDuration = "ari-wait-to-renew-duration"
flgReuseKey = "reuse-key" flgReuseKey = "reuse-key"
flgRenewHook = "renew-hook" flgRenewHook = "renew-hook"
@ -61,8 +61,8 @@ func createRenew() *cli.Command {
Usage: "The number of days left on a certificate to renew it.", Usage: "The number of days left on a certificate to renew it.",
}, },
&cli.BoolFlag{ &cli.BoolFlag{
Name: flgARIEnable, Name: flgARIDisable,
Usage: "Use the renewalInfo endpoint (draft-ietf-acme-ari) to check if a certificate should be renewed.", Usage: "Do not use the renewalInfo endpoint (draft-ietf-acme-ari) to check if a certificate should be renewed.",
}, },
&cli.DurationFlag{ &cli.DurationFlag{
Name: flgARIWaitToRenewDuration, Name: flgARIWaitToRenewDuration,
@ -151,16 +151,24 @@ func renewForDomains(ctx *cli.Context, client *lego.Client, certsStorage *Certif
cert := certificates[0] cert := certificates[0]
var ariRenewalTime *time.Time var ariRenewalTime *time.Time
if ctx.Bool(flgARIEnable) { var replacesCertID string
if !ctx.Bool(flgARIDisable) {
ariRenewalTime = getARIRenewalTime(ctx, cert, domain, client) ariRenewalTime = getARIRenewalTime(ctx, cert, domain, client)
if ariRenewalTime != nil { if ariRenewalTime != nil {
now := time.Now().UTC() now := time.Now().UTC()
// Figure out if we need to sleep before renewing. // Figure out if we need to sleep before renewing.
if ariRenewalTime.After(now) { if ariRenewalTime.After(now) {
log.Infof("[%s] Sleeping %s until renewal time %s", domain, ariRenewalTime.Sub(now), ariRenewalTime) log.Infof("[%s] Sleeping %s until renewal time %s", domain, ariRenewalTime.Sub(now), ariRenewalTime)
time.Sleep(ariRenewalTime.Sub(now)) time.Sleep(ariRenewalTime.Sub(now))
} }
} }
replacesCertID, err = certificate.MakeARICertID(cert)
if err != nil {
log.Fatalf("Error while construction the ARI CertID for domain %s\n\t%v", domain, err)
}
} }
if ariRenewalTime == nil && !needRenewal(cert, domain, ctx.Int(flgDays)) { if ariRenewalTime == nil && !needRenewal(cert, domain, ctx.Int(flgDays)) {
@ -209,11 +217,8 @@ func renewForDomains(ctx *cli.Context, client *lego.Client, certsStorage *Certif
AlwaysDeactivateAuthorizations: ctx.Bool(flgAlwaysDeactivateAuthorizations), AlwaysDeactivateAuthorizations: ctx.Bool(flgAlwaysDeactivateAuthorizations),
} }
if ctx.Bool(flgARIEnable) { if replacesCertID != "" {
request.ReplacesCertID, err = certificate.MakeARICertID(cert) request.ReplacesCertID = replacesCertID
if err != nil {
log.Fatalf("Error while construction the ARI CertID for domain %s\n\t%v", domain, err)
}
} }
certRes, err := client.Certificate.Obtain(request) certRes, err := client.Certificate.Obtain(request)
@ -250,16 +255,24 @@ func renewForCSR(ctx *cli.Context, client *lego.Client, certsStorage *Certificat
cert := certificates[0] cert := certificates[0]
var ariRenewalTime *time.Time var ariRenewalTime *time.Time
if ctx.Bool(flgARIEnable) { var replacesCertID string
if !ctx.Bool(flgARIDisable) {
ariRenewalTime = getARIRenewalTime(ctx, cert, domain, client) ariRenewalTime = getARIRenewalTime(ctx, cert, domain, client)
if ariRenewalTime != nil { if ariRenewalTime != nil {
now := time.Now().UTC() now := time.Now().UTC()
// Figure out if we need to sleep before renewing. // Figure out if we need to sleep before renewing.
if ariRenewalTime.After(now) { if ariRenewalTime.After(now) {
log.Infof("[%s] Sleeping %s until renewal time %s", domain, ariRenewalTime.Sub(now), ariRenewalTime) log.Infof("[%s] Sleeping %s until renewal time %s", domain, ariRenewalTime.Sub(now), ariRenewalTime)
time.Sleep(ariRenewalTime.Sub(now)) time.Sleep(ariRenewalTime.Sub(now))
} }
} }
replacesCertID, err = certificate.MakeARICertID(cert)
if err != nil {
log.Fatalf("Error while construction the ARI CertID for domain %s\n\t%v", domain, err)
}
} }
if ariRenewalTime == nil && !needRenewal(cert, domain, ctx.Int(flgDays)) { if ariRenewalTime == nil && !needRenewal(cert, domain, ctx.Int(flgDays)) {
@ -279,11 +292,8 @@ func renewForCSR(ctx *cli.Context, client *lego.Client, certsStorage *Certificat
AlwaysDeactivateAuthorizations: ctx.Bool(flgAlwaysDeactivateAuthorizations), AlwaysDeactivateAuthorizations: ctx.Bool(flgAlwaysDeactivateAuthorizations),
} }
if ctx.Bool(flgARIEnable) { if replacesCertID != "" {
request.ReplacesCertID, err = certificate.MakeARICertID(cert) request.ReplacesCertID = replacesCertID
if err != nil {
log.Fatalf("Error while construction the ARI CertID for domain %s\n\t%v", domain, err)
}
} }
certRes, err := client.Certificate.ObtainForCSR(request) certRes, err := client.Certificate.ObtainForCSR(request)
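Review bot: Now that ARI is on unless `--ari-disable` is passed, the `log.Fatalf` after `certificate.MakeARICertID(cert)` in renewForDomains (and the identical lines in renewForCSR) turns a failure that only affects the optional `replaces` field into an abort of the whole renewal, including for CAs that do not offer renewalInfo at all, where getARIRenewalTime has presumably already returned nil. The later `if replacesCertID != ""` guard already tolerates an empty ID, so degrading to a warning keeps certificates renewing: `if err != nil { log.Warnf("[%s] Could not construct the ARI CertID, renewing without 'replaces': %v", domain, err) }` (with `replacesCertID` left empty on that path); the message should also read "constructing" rather than "construction". The ARI sleep, CertID construction and fatal handling are now duplicated verbatim in both functions, so a small helper returning `(*time.Time, string)` called from each would keep them from drifting apart. Both enclosing functions start and end outside the hunks, and `err` is assigned with `=` here, so its declaration is assumed to be earlier in each function.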


@ -88,7 +88,7 @@ USAGE:
OPTIONS: OPTIONS:
--days value The number of days left on a certificate to renew it. (default: 30) --days value The number of days left on a certificate to renew it. (default: 30)
--ari-enable Use the renewalInfo endpoint (draft-ietf-acme-ari) to check if a certificate should be renewed. (default: false) --ari-disable Do not use the renewalInfo endpoint (draft-ietf-acme-ari) to check if a certificate should be renewed. (default: false)
--ari-wait-to-renew-duration value The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint. (default: 0s) --ari-wait-to-renew-duration value The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint. (default: 0s)
--reuse-key Used to indicate you want to reuse your current private key for the new certificate. (default: false) --reuse-key Used to indicate you want to reuse your current private key for the new certificate. (default: false)
--no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate. (default: false) --no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate. (default: false)