
check if any certificate needs to be renewed

Open leipert opened this issue 7 years ago • 9 comments

@travismiller was faster on automating the pages workflow, thank you! 🎉

On my local branch, I added a quick check whether certificate renewal is even needed at all. The high-level workflow is like this:

Only get a new certificate if at least one of the pages given in the arguments:

  1. is not registered yet
  2. does not have a certificate
  3. has an expired certificate
  4. has a certificate expiring within X days (default 15)

```
$ ./index.js --domain xyz.leipert.io --domain leipert.io \
    --email [email protected] \
    --repository https://gitlab.com/leipert/leipert.gitlab.io \
    --path /public/.well-known/acme-challenge
All domains xyz.leipert.io, leipert.io have a valid certificate (expiration in more than 15 days)
```

leipert avatar Jan 15 '18 23:01 leipert
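The four-way renewal decision described in the comment above, as an added Node.js example. This is not code from gitlab-letsencrypt; the shape of the registered-domain records (a `certificateExpiresAt` ISO 8601 timestamp, or `null` when no certificate is attached), the `renewalCheck`/`summarize` function names and the sample data are all constructed for this example and are not what the GitLab Pages API returns. The threshold is a parameter rather than a fixed default; the sample call uses 30 days.

```javascript
// Added example, not gitlab-letsencrypt's own code. Decides whether an ACME
// run is needed at all for the domains given on the command line.
// Assumption (constructed for this example): `registered` maps each Pages
// domain the project already has to a record with `certificateExpiresAt`
// (ISO 8601 string, or null when no certificate is attached).

const DAY_MS = 24 * 60 * 60 * 1000;

// Returns { renew, reasons }: renew is true as soon as one wanted domain is
// unregistered, has no certificate, has an expired one, or has one that
// expires within `renewWithinDays` days of `now`.
function renewalCheck(wanted, registered, now, renewWithinDays = 30) {
  const reasons = [];
  for (const domain of wanted) {
    const entry = registered.get(domain);
    if (!entry) {
      reasons.push(`${domain}: not registered yet`);
      continue;
    }
    if (!entry.certificateExpiresAt) {
      reasons.push(`${domain}: no certificate`);
      continue;
    }
    const expires = new Date(entry.certificateExpiresAt);
    if (Number.isNaN(expires.getTime())) {
      // Unparsable expiry: fail towards renewing rather than silently skipping.
      reasons.push(`${domain}: unreadable expiry "${entry.certificateExpiresAt}"`);
      continue;
    }
    // Fractional days, so the comparison is not rounded to whole days.
    const daysLeft = (expires.getTime() - now.getTime()) / DAY_MS;
    if (daysLeft <= 0) {
      reasons.push(`${domain}: certificate expired`);
    } else if (daysLeft <= renewWithinDays) {
      reasons.push(`${domain}: certificate expires in ${Math.floor(daysLeft)} days`);
    }
  }
  return { renew: reasons.length > 0, reasons };
}

// Message for the "nothing to do" case, mirroring the CLI output quoted above.
function summarize(wanted, result, renewWithinDays = 30) {
  if (!result.renew) {
    return `All domains ${wanted.join(', ')} have a valid certificate ` +
      `(expiration in more than ${renewWithinDays} days)`;
  }
  return `Renewal needed:\n  ${result.reasons.join('\n  ')}`;
}

// Constructed sample data (not real records). "Now" is fixed so the
// arithmetic below is reproducible.
const NOW = new Date('2018-01-15T23:00:00Z');

const REGISTERED_OK = new Map([
  ['xyz.leipert.io', { certificateExpiresAt: '2018-04-01T00:00:00Z' }],
  ['leipert.io', { certificateExpiresAt: '2018-04-01T00:00:00Z' }],
]);

const REGISTERED_MIXED = new Map([
  ['a.example.com', { certificateExpiresAt: '2018-02-10T00:00:00Z' }], // ~25 days left
  ['b.example.com', { certificateExpiresAt: '2018-01-01T00:00:00Z' }], // expired
  ['c.example.com', { certificateExpiresAt: null }],                   // no certificate
  // d.example.com is deliberately absent: not registered
]);

// Exactly 30.5 days left: renewed with a 31-day threshold, skipped with 30.
const REGISTERED_EDGE = new Map([
  ['edge.example.com', { certificateExpiresAt: '2018-02-15T11:00:00Z' }],
]);

const wantedOk = ['xyz.leipert.io', 'leipert.io'];
console.log(summarize(wantedOk, renewalCheck(wantedOk, REGISTERED_OK, NOW, 30), 30));

const wantedMixed = ['a.example.com', 'b.example.com', 'c.example.com', 'd.example.com'];
console.log(summarize(wantedMixed, renewalCheck(wantedMixed, REGISTERED_MIXED, NOW, 30), 30));
```

The `REGISTERED_EDGE` record shows why the exact threshold matters for a scheduled run: a certificate with 30.5 days left is skipped at 30 days and renewed at 31, so the check should be compared against the schedule it is expected to run on.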

Great idea. Consider increasing the default to 31 days, as this fits better with the Pipeline Scheduling feature supported if #36 gets merged.

The updated README suggests running the pipeline once per month. With a default of 15, the user would miss the renewal date.

tmaier avatar Jan 16 '18 10:01 tmaier

Thanks for the PR! I would make the following changes for consistency with certbot renew:

  • Default expiration should be 30 days
  • No option to configure a default expiration
  • Add a --force-renewal option that bypasses the expiration check and renews anyway

rolodato avatar Jan 16 '18 20:01 rolodato

The reasons why I proposed 31 instead of 30 are

  • some months have 31 days (with 30, they would not request a new certificate)
  • you could come into a race condition where the previous build and validation step took longer than the current one (can be just a few minutes). In this case the delta would be higher than 30 days and the renewal would be skipped

tmaier avatar Jan 16 '18 23:01 tmaier

I have to say that I agree with @rolodato on that one:

  1. Consistency with certbot is a good idea.
  2. If you run gitlab-le with a cronjob each day, it doesn't matter whether it's 30 or 31 days.

leipert avatar Jan 17 '18 08:01 leipert

I updated the behavior as suggested. Additionally, I made sure that the exit code is 0 if all certificates are valid.

leipert avatar Jan 17 '18 10:01 leipert

/ping @rolodato

leipert avatar Jan 22 '18 13:01 leipert

@rolodato, I fixed all the issues you described in your review (except the singular/plural one). For the process.exit change, I had to refactor a bit:

I moved registering of ACME account, certificate retrieval and certificate upload into a new function runACMEWorkflow.

leipert avatar Jan 30 '18 23:01 leipert

Hey @rolodato,

I thought I'd ping again ;)

leipert avatar Feb 14 '18 08:02 leipert

@rolodato Ping ping :P

leipert avatar Apr 14 '18 11:04 leipert