func renew(c *cli.Context) {
conf, _, client := setup(c)
if len(c.GlobalStringSlice("domains")) <= 0 {
logger().Fatal("Please specify at least one domain.")
}
domain := c.GlobalStringSlice("domains")[0]
// load the cert resource from files.
// We store the certificate, private key and metadata in different files
// as web servers would not be able to work with a combined file.
certPath := path.Join(conf.CertPath(), domain+".crt")
privPath := path.Join(conf.CertPath(), domain+".key")
metaPath := path.Join(conf.CertPath(), domain+".json")
certBytes, err := ioutil.ReadFile(certPath)
if err != nil {
logger().Fatalf("Error while loading the certificate for domain %s\n\t%s", domain, err.Error())
}
if c.IsSet("days") {
expTime, err := acme.GetPEMCertExpiration(certBytes)
if err != nil {
logger().Printf("Could not get Certification expiration for domain %s", domain)
}
if int(expTime.Sub(time.Now()).Hours()/24.0) > c.Int("days") {
return
}
}
metaBytes, err := ioutil.ReadFile(metaPath)
if err != nil {
logger().Fatalf("Error while loading the meta data for domain %s\n\t%s", domain, err.Error())
}
var certRes acme.CertificateResource
err = json.Unmarshal(metaBytes, &certRes)
if err != nil {
logger().Fatalf("Error while marshalling the meta data for domain %s\n\t%s", domain, err.Error())
}
if c.Bool("reuse-key") {
keyBytes, err := ioutil.ReadFile(privPath)
if err != nil {
logger().Fatalf("Error while loading the private key for domain %s\n\t%s", domain, err.Error())
}
certRes.PrivateKey = keyBytes
}
certRes.Certificate = certBytes
newCert, err := client.RenewCertificate(certRes, true)
if err != nil {
logger().Fatalf("%s", err.Error())
}
saveCertRes(newCert, conf)
}
func (c *Client) saveCertificate(certName, dnsNames string, certRes lego.CertificateResource) (*AcmeCertificate, error) {
expiryDate, err := lego.GetPEMCertExpiration(certRes.Certificate)
if err != nil {
return nil, fmt.Errorf("Failed to read certificate expiry date: %v", err)
}
serialNumber, err := getPEMCertSerialNumber(certRes.Certificate)
if err != nil {
return nil, fmt.Errorf("Failed to read certificate serial number: %v", err)
}
acmeCert := AcmeCertificate{
CertificateResource: certRes,
ExpiryDate: expiryDate,
SerialNumber: serialNumber,
DnsNames: dnsNames,
}
certPath := c.CertPath(certName)
maybeCreatePath(certPath)
logrus.Debugf("Saving certificate '%s' to path '%s'", certName, certPath)
certOut := path.Join(certPath, "fullchain.pem")
privOut := path.Join(certPath, "privkey.pem")
metaOut := path.Join(certPath, "metadata.json")
err = ioutil.WriteFile(certOut, acmeCert.Certificate, 0600)
if err != nil {
return nil, fmt.Errorf("Failed to save certificate to '%s': %v", certOut, err)
}
logrus.Infof("Certificate saved to '%s'", certOut)
err = ioutil.WriteFile(privOut, acmeCert.PrivateKey, 0600)
if err != nil {
return nil, fmt.Errorf("Failed to save private key to '%s': %v", privOut, err)
}
logrus.Infof("Private key saved to '%s'", privOut)
jsonBytes, err := json.MarshalIndent(acmeCert, "", "\t")
if err != nil {
return nil, fmt.Errorf("Failed to marshal meta data for certificate '%s': %v", certName, err)
}
err = ioutil.WriteFile(metaOut, jsonBytes, 0600)
if err != nil {
return nil, fmt.Errorf("Failed to save meta data to '%s': %v", metaOut, err)
}
return &acmeCert, nil
}
func (rm *renewalMonitor) renewCertificateIfNeeded(domain string) error {
// Load current certificate
cert, err := rm.Repository.LoadDomainCertificate(domain)
if err != nil {
return maskAny(err)
}
if cert == nil {
// Domain certificate not found, nothing to renewal
rm.Logger.Debugf("no certificate found for '%s', so nothing to renew", domain)
return nil
}
// Get expiration time of certificate
expTime, err := acme.GetPEMCertExpiration(cert)
if err != nil {
return maskAny(err)
}
// The time returned from the certificate is always in UTC.
// So calculate the time left with local time as UTC.
// Directly convert it to days for the following checks.
daysLeft := int(expTime.Sub(time.Now().UTC()).Hours() / 24)
if daysLeft > renewDaysBefore {
// No need to renew yet
rm.Logger.Debugf("No need to renew certificate for '%s', it has %d days left", domain, daysLeft)
return nil
}
// We need to renew the certificate
rm.Logger.Debugf("Certificate for '%s' is due for renewal, it has %d days left", daysLeft)
op := func() error {
return maskAny(rm.Requester.RequestCertificates([]string{domain}))
}
if err := retry.Do(op,
retry.RetryChecker(IsNotMaster),
retry.MaxTries(15),
retry.Sleep(time.Second*5),
retry.Timeout(0)); err != nil {
return maskAny(err)
}
return nil
}
// renewCertificates loops through all configured site and
// looks for certificates to renew. Nothing is mutated
// through this function; all changes happen directly on disk.
// It returns the number of certificates renewed and any errors
// that occurred. It only performs a renewal if necessary.
// If useCustomPort is true, a custom port will be used, and
// whatever is listening at 443 better proxy ACME requests to it.
// Otherwise, the acme package will create its own listener on 443.
func renewCertificates(configs []server.Config, useCustomPort bool) (int, []error) {
log.Printf("[INFO] Checking certificates for %d hosts", len(configs))
var errs []error
var n int
for _, cfg := range configs {
// Host must be TLS-enabled and have existing assets managed by LE
if !cfg.TLS.Enabled || !existingCertAndKey(cfg.Host) {
continue
}
// Read the certificate and get the NotAfter time.
certBytes, err := ioutil.ReadFile(storage.SiteCertFile(cfg.Host))
if err != nil {
errs = append(errs, err)
continue // still have to check other certificates
}
expTime, err := acme.GetPEMCertExpiration(certBytes)
if err != nil {
errs = append(errs, err)
continue
}
// The time returned from the certificate is always in UTC.
// So calculate the time left with local time as UTC.
// Directly convert it to days for the following checks.
daysLeft := int(expTime.Sub(time.Now().UTC()).Hours() / 24)
// Renew with two weeks or less remaining.
if daysLeft <= 14 {
log.Printf("[INFO] Certificate for %s has %d days remaining; attempting renewal", cfg.Host, daysLeft)
var client *acme.Client
if useCustomPort {
client, err = newClientPort("", alternatePort) // email not used for renewal
} else {
client, err = newClient("")
}
if err != nil {
errs = append(errs, err)
continue
}
// Read and set up cert meta, required for renewal
metaBytes, err := ioutil.ReadFile(storage.SiteMetaFile(cfg.Host))
if err != nil {
errs = append(errs, err)
continue
}
privBytes, err := ioutil.ReadFile(storage.SiteKeyFile(cfg.Host))
if err != nil {
errs = append(errs, err)
continue
}
var certMeta acme.CertificateResource
err = json.Unmarshal(metaBytes, &certMeta)
certMeta.Certificate = certBytes
certMeta.PrivateKey = privBytes
// Renew certificate
Renew:
newCertMeta, err := client.RenewCertificate(certMeta, true, true)
if err != nil {
if _, ok := err.(acme.TOSError); ok {
err := client.AgreeToTOS()
if err != nil {
errs = append(errs, err)
}
goto Renew
}
time.Sleep(10 * time.Second)
newCertMeta, err = client.RenewCertificate(certMeta, true, true)
if err != nil {
errs = append(errs, err)
continue
}
}
saveCertsAndKeys([]acme.CertificateResource{newCertMeta})
n++
} else if daysLeft <= 30 {
// Warn on 30 days remaining. TODO: Just do this once...
log.Printf("[WARNING] Certificate for %s has %d days remaining; will automatically renew when 14 days remain\n", cfg.Host, daysLeft)
}
}
return n, errs
}