letsencrypt-rails-heroku

Feature/handle expire date

Open davidlibrera opened this issue 8 years ago • 11 comments

I copied the behaviour from the certbot service. Running the service with --keep-until-expire renews the certificate only if it is due to expire. Now it is possible to run the script daily.

davidlibrera avatar Mar 11 '17 00:03 davidlibrera

This is a good idea, thanks @davidlibrera, however rather than relying on ENV variables for configuration, why not use the Heroku platform API to check the existing certificate for expiry? https://github.com/jalada/platform-api/blob/master/schema.json#L10856

jalada avatar Mar 11 '17 00:03 jalada

Yeah, of course. I used env variables directly without thinking about asking Heroku 😸. I'll change this ASAP.

davidlibrera avatar Mar 13 '17 11:03 davidlibrera

@davidlibrera is there any point still having a configurable expiry window? Certbot renews any certificate that expires within 30 days; I think we should just use the same default and leave it at that.

jalada avatar Mar 15 '17 09:03 jalada

@davidlibrera rather than checking the certificate by hand, I meant using the Heroku API itself; does that make sense?

jalada avatar Mar 15 '17 09:03 jalada

@jalada I think that the renew window is useless. The certbot daemon considers 30 days, so we can use that value.

davidlibrera avatar Mar 15 '17 10:03 davidlibrera

@jalada about checking the certificate by hand, I noticed that the Platform-api JSON does not provide the expire_at value. Your fork of the gem does that. I simply preferred that way in order not to force using a different version of the platform-api gem.

davidlibrera avatar Mar 15 '17 10:03 davidlibrera

@davidlibrera it's already compulsory to use my fork of the gem until the upstream platform-api gem is updated, as per https://github.com/heroku/platform-api/issues/49 and https://github.com/heroku/platform-api/pull/56.

jalada avatar Mar 15 '17 10:03 jalada

Do we need the ability to force a renewal?

jalada avatar Mar 15 '17 10:03 jalada

Yes, when I add a domain name to the Heroku app. The new domain is not certified, but without a force renew I can't generate a new one until the previous one is due to expire. Adding a new domain name is the ONLY reason I added that option.

davidlibrera avatar Mar 15 '17 14:03 davidlibrera

@jalada about the use of the endpoint, OK! I'll fix that ASAP.

davidlibrera avatar Mar 15 '17 14:03 davidlibrera

@davidlibrera Ahh of course! That makes sense. In which case I suggest we swap the behaviour round. Instead of adding a --force option, let's add an --auto option which enables this new behaviour.

That way, this is a backwards compatible change, rather than a breaking change forcing everyone to redo their scheduled tasks.

Does that make sense?

jalada avatar Mar 16 '17 09:03 jalada
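
The behaviour the thread converges on (always renew by default, and with `--auto` renew only when the installed certificate expires within 30 days), sketched as an added Ruby example; it is not code from this pull request or from the gem. The helper name `renewal_decision` and the ISO 8601 string input are assumptions, and fetching the expiry from the Heroku API is left out.

```ruby
require "time"

# Certbot's default renewal window, as cited in the thread.
RENEWAL_WINDOW_DAYS = 30
SECONDS_PER_DAY = 86_400

# Hypothetical helper, not part of letsencrypt-rails-heroku.
# expires_at: ISO 8601 expiry of the installed certificate, or nil if none.
# auto:       true when the task runs with the proposed --auto option.
# now:        injectable clock so the decision can be tested.
# Returns [renew?, reason].
def renewal_decision(expires_at, auto:, now: Time.now.utc)
  # Without --auto the old behaviour is kept: every run renews. This is
  # what makes the change backwards compatible and still lets an operator
  # re-issue right after adding a domain.
  return [true, "auto mode off: always renew"] unless auto
  return [true, "no certificate installed"] if expires_at.nil?

  begin
    expiry = Time.iso8601(expires_at)
  rescue ArgumentError
    # Fail towards renewing: an unreadable expiry must never leave a
    # certificate to lapse silently.
    return [true, "unparseable expiry: #{expires_at.inspect}"]
  end

  seconds_left = expiry - now
  return [true, "certificate already expired"] if seconds_left <= 0

  days_left = (seconds_left / SECONDS_PER_DAY).floor
  if seconds_left < RENEWAL_WINDOW_DAYS * SECONDS_PER_DAY
    [true, "expires in #{days_left} days (inside #{RENEWAL_WINDOW_DAYS}-day window)"]
  else
    [false, "expires in #{days_left} days (outside #{RENEWAL_WINDOW_DAYS}-day window)"]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, evaluated against a fixed clock.
  clock = Time.utc(2017, 3, 16)
  ["2017-06-01T00:00:00Z", "2017-04-01T00:00:00Z", "2017-03-01T00:00:00Z", nil, "garbage"].each do |ts|
    renew, reason = renewal_decision(ts, auto: true, now: clock)
    puts format("%-24s renew=%-5s %s", ts.inspect, renew, reason)
  end
end
```

With this shape a daily scheduled run in `--auto` mode is a no-op until the window opens, and any failure to read the expiry results in a renewal attempt rather than a skipped one.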