check if any certificate needs to be renewed #38
Conversation
|
Great idea. Consider to increase the default to 31 days, as this fits better to the Pipeline Scheduling feature supported if #36 gets merged. The updated README suggests to run the pipeline once per month. With a default of 15, the user would miss the renewal date. |
|
Thanks for the PR! I would make the following changes for consistency with
|
|
The reasons why I proposed 31 instead of 30 are
|
|
I have to say, that I agree with @rolodato on that one:
|
|
I updated the behavior as suggested. Additionally I made sure that the exit code is |
leipert
force-pushed
the
feature/checkIfCertificatesExpiring
branch
from
6cde205 to
1be80c8
Compare
|
/ping @rolodato |
| @@ -26,6 +26,10 @@ module.exports = yargs | |||
| describe: 'Upload challenge files with a Jekyll-compatible YAML front matter (see https://jekyllrb.com/docs/frontmatter)', | |||
| type: 'boolean', | |||
| default: false | |||
| }).option('force-renewal', { | |||
| describe: 'Force renewal of certificate, even if it expires in more than 30 days', | |||
There was a problem hiding this comment.
This should be phrased with plural instead:
Force renewal of certificates, even if they expire in more than 30 days.
There was a problem hiding this comment.
Two issues with that:
-
--productionalso is in singular:Obtain a real certificate instead of a dummy one
-
Technically you only obtain one certificate per execution, right?
Should I still change the text?
package.json
Outdated
| @@ -9,6 +9,7 @@ | |||
| "dependencies": { | |||
| "bluebird": "3.5.0", | |||
| "le-acme-core": "https://git.daplie.com/rolodato/le-acme-core/repository/archive.tar.gz", | |||
| "moment": "^2.20.1", | |||
There was a problem hiding this comment.
I don't think it's necessary to introduce this dependency, we can do a little date arithmetic instead :)
lib.js
Outdated
| const path = require('path'); | ||
| const { URL } = require('url'); | ||
|
|
||
| const EXPIRATION_IN_DAYS = 30; |
There was a problem hiding this comment.
Can be repliaced by const EXPIRATION = ms('30 days') if we get rid of the moment dependency.
lib.js
Outdated
|
|
||
| if (needsNoRenewal) { | ||
| console.log(`All domains (${options.domain.join(', ')}) have a valid certificate (expiration in more than ${EXPIRATION_IN_DAYS} days)`); | ||
| process.exit(0); |
There was a problem hiding this comment.
I would try to avoid this process.exit here - this file should only be used as a library for the main program (main.js). I think the better approach would be to refactor this file so the exported function (getCertificates) resolves successfully but with an empty array as a result, which means that everything went OK but no new certificates needed to be generated.
lib.js
Outdated
| @@ -99,8 +102,27 @@ module.exports = (options) => { | |||
| }); | |||
| }; | |||
|
|
|||
| const hasValidCertificate = (pagesDomain) => { | |||
| if (options.domain.includes(pagesDomain.domain)) { | |||
There was a problem hiding this comment.
This function should not care about option.domain, it should only care about the domain passed as a parameter. If we need to filter other domains it should be done at the call site instead of here.
lib.js
Outdated
| @@ -99,8 +102,27 @@ module.exports = (options) => { | |||
| }); | |||
| }; | |||
|
|
|||
| const hasValidCertificate = (pagesDomain) => { | |||
| if (options.domain.includes(pagesDomain.domain)) { | |||
| if (pagesDomain.certificate) { | |||
There was a problem hiding this comment.
Can we avoid nesting these ifs so deeply? :)
leipert
force-pushed
the
feature/checkIfCertificatesExpiring
branch
from
c538f91 to
b7cf54c
Compare
|
@rolodato, I fixed all the issues you described in your review (except the singular/plural one). I moved registering of ACME account, certificate retrieval and certificate upload into a new function |
|
Hey @rolodato, I thought, I'd ping again ;) |
|
@rolodato Ping ping :P |
@travismiller was faster on automating the pages workflow, thank you! 🎉
On my local branch, I added a quick check, if certificate renewal is even needed at all.
High level workflow is like this
Only get a new certificate, if at least one of the pages given in the arguments:
$ ./index.js --domain xyz.leipert.io --domain leipert.io \ --email [email protected] \ --repository https://gitlab.com/leipert/leipert.gitlab.io \ --path /public/.well-known/acme-challenge All domains xyz.leipert.io, leipert.io have a valid certificate (expiration in more than 15 days)