
Commit 3b0038d

committed
Add certificate expiry handling to renewal job
The stored expiry date is checked before renewal. If it is less than 30 days out, renewal is attempted. Tests are updated to reflect the fact that dehydrated is not going to be called.
1 parent af15771 commit 3b0038d


3 files changed

+16
-4
lines changed


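--- a/lib/resty/auto-ssl/jobs/renewal.lua
+++ b/lib/resty/auto-ssl/jobs/renewal.lua
@@ -45,6 +45,19 @@ local function renew_check_cert_unlock(domain, storage, local_lock, distributed_
 end
 
 local function renew_check_cert(auto_ssl_instance, storage, domain)
+ngx.log(ngx.NOTICE, "auto-ssl: checking certificate renewals for ", domain)
+
+-- Attempt to retrieve expiry date from storage. If it is not found try renewal.
+-- If expiry date is found, we attempt renewal if it's within 30 days.
+local _, _, _, expiry = storage:get_cert(domain)
+if expiry then
+local now = ngx.now()
+if now + (30 * 24 * 60 * 60) < expiry then
+ngx.log(ngx.NOTICE, "auto-ssl: expiry date is more than 30 days out, skipping renewal: ", domain)
+return
+end
+end
+
 -- Before issuing a cert, create a local lock to ensure multiple workers
 -- don't simultaneously try to register the same cert.
 local local_lock, new_local_lock_err = lock:new("auto_ssl", { exptime = 30, timeout = 30 })
@@ -106,7 +119,6 @@ local function renew_check_cert(auto_ssl_instance, storage, domain)
 -- Trigger a normal certificate issuance attempt, which dehydrated will
 -- skip if the certificate already exists or renew if it's within the
 -- configured time for renewals.
-ngx.log(ngx.NOTICE, "auto-ssl: checking certificate renewals for ", domain)
 local _, _, issue_err = ssl_provider.issue_cert(auto_ssl_instance, domain)
 if issue_err then
 ngx.log(ngx.ERR, "auto-ssl: issuing renewal certificate failed: ", err)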
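Review bot: The skip check at new lines 52–58 uses `expiry` from `storage:get_cert(domain)` unvalidated: a non-numeric value would make `now + (30 * 24 * 60 * 60) < expiry` raise inside the renewal job, and a corrupted or far-future value would suppress renewal until the certificate lapses. Coerce it first, `local expiry_ts = tonumber(expiry)` followed by `if expiry_ts and now + (30 * 24 * 60 * 60) < expiry_ts then`, so anything unparseable falls through to the normal issuance path. Whether a storage adapter can actually return a non-number is not visible on this page, so treat this as a defensive check to confirm against the adapters. Separately, the unchanged line at new line 124 logs `err` while the failure is held in `issue_err`, so the renewal error detail is probably missing from the log; `renew_check_cert` continues beyond both hunks.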

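--- a/t/file.t
+++ b/t/file.t
@@ -263,8 +263,8 @@ received: Connection: close
 received:
 received: foo
 --- error_log
-(Longer than 30 days). Skipping
 auto-ssl: checking certificate renewals for
+auto-ssl: expiry date is more than 30 days out
 --- no_error_log
 [warn]
 [error]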

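--- a/t/redis.t
+++ b/t/redis.t
@@ -280,8 +280,8 @@ received: Connection: close
 received:
 received: foo
 --- error_log
-(Longer than 30 days). Skipping
 auto-ssl: checking certificate renewals for
+auto-ssl: expiry date is more than 30 days out
 --- no_error_log
 [warn]
 [error]
@@ -549,8 +549,8 @@ received: Connection: close
 received:
 received: foo
 --- error_log
-(Longer than 30 days). Skipping
 auto-ssl: checking certificate renewals for
+auto-ssl: expiry date is more than 30 days out
 --- no_error_log
 [warn]
 [error]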
