From a3873fa202d75e4197df82d87952a2f3903246db Mon Sep 17 00:00:00 2001
From: Samantha
Date: Thu, 10 Oct 2024 10:59:33 -0400
Subject: [PATCH 1/2] Use ARI unless explicitly disabled

---
 cmd/cmd_renew.go | 14 +++++++-------
 docs/data/zz_cli_help.toml | 2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/cmd/cmd_renew.go b/cmd/cmd_renew.go
index 1d0a040796..1057d42330 100644
--- a/cmd/cmd_renew.go
+++ b/cmd/cmd_renew.go
@@ -20,7 +20,7 @@ import (
 // Flag names.
 const (
 flgDays = "days"
- flgARIEnable = "ari-enable"
+ flgARIDisable = "ari-disable"
 flgARIWaitToRenewDuration = "ari-wait-to-renew-duration"
 flgReuseKey = "reuse-key"
 flgRenewHook = "renew-hook"
@@ -61,8 +61,8 @@ func createRenew() *cli.Command {
 Usage: "The number of days left on a certificate to renew it.",
 },
 &cli.BoolFlag{
- Name: flgARIEnable,
- Usage: "Use the renewalInfo endpoint (draft-ietf-acme-ari) to check if a certificate should be renewed.",
+ Name: flgARIDisable,
+ Usage: "Do not use the renewalInfo endpoint (draft-ietf-acme-ari) to check if a certificate should be renewed.",
 },
 &cli.DurationFlag{
 Name: flgARIWaitToRenewDuration,
@@ -151,7 +151,7 @@ func renewForDomains(ctx *cli.Context, client *lego.Client, certsStorage *Certif
 cert := certificates[0]
 
 var ariRenewalTime *time.Time
- if ctx.Bool(flgARIEnable) {
+ if !ctx.Bool(flgARIDisable) {
 ariRenewalTime = getARIRenewalTime(ctx, cert, domain, client)
 if ariRenewalTime != nil {
 now := time.Now().UTC()
@@ -209,7 +209,7 @@ func renewForDomains(ctx *cli.Context, client *lego.Client, certsStorage *Certif
 AlwaysDeactivateAuthorizations: ctx.Bool(flgAlwaysDeactivateAuthorizations),
 }
 
- if ctx.Bool(flgARIEnable) {
+ if !ctx.Bool(flgARIDisable) {
 request.ReplacesCertID, err = certificate.MakeARICertID(cert)
 if err != nil {
 log.Fatalf("Error while construction the ARI CertID for domain %s\n\t%v", domain, err)
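Review bot: Removing the `ari-enable` BoolFlag outright in the createRenew hunk means existing invocations that still pass `--ari-enable` stop working — as far as I can tell the cli parser rejects an undefined flag instead of ignoring it — even though the option is now a no-op, and nothing in the new Usage text points users at the rename. Keeping a hidden deprecated flag next to the new one for a release, e.g. `&cli.BoolFlag{Name: "ari-enable", Hidden: true, Usage: "Deprecated: ARI is enabled by default; use --ari-disable to turn it off."}`, would make the switch a soft transition; createRenew continues outside this hunk. The inverted checks `if !ctx.Bool(flgARIDisable)` in the -151 and -209 hunks here and the -250 and -279 hunks of renewForCSR on the next line are consistent with each other, but they also make the `time.Sleep` until the ARI-suggested time the default path for every run; that sleep is presumably bounded by `--ari-wait-to-renew-duration` inside getARIRenewalTime, which is not visible here, so it is worth confirming before this ships.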
@@ -250,7 +250,7 @@ func renewForCSR(ctx *cli.Context, client *lego.Client, certsStorage *Certificat
 cert := certificates[0]
 
 var ariRenewalTime *time.Time
- if ctx.Bool(flgARIEnable) {
+ if !ctx.Bool(flgARIDisable) {
 ariRenewalTime = getARIRenewalTime(ctx, cert, domain, client)
 if ariRenewalTime != nil {
 now := time.Now().UTC()
@@ -279,7 +279,7 @@ func renewForCSR(ctx *cli.Context, client *lego.Client, certsStorage *Certificat
 AlwaysDeactivateAuthorizations: ctx.Bool(flgAlwaysDeactivateAuthorizations),
 }
 
- if ctx.Bool(flgARIEnable) {
+ if !ctx.Bool(flgARIDisable) {
 request.ReplacesCertID, err = certificate.MakeARICertID(cert)
 if err != nil {
 log.Fatalf("Error while construction the ARI CertID for domain %s\n\t%v", domain, err)
diff --git a/docs/data/zz_cli_help.toml b/docs/data/zz_cli_help.toml
index 9e53c66596..ad95fe40df 100644
--- a/docs/data/zz_cli_help.toml
+++ b/docs/data/zz_cli_help.toml
@@ -88,7 +88,7 @@ USAGE:
 
 OPTIONS:
 --days value The number of days left on a certificate to renew it. (default: 30)
- --ari-enable Use the renewalInfo endpoint (draft-ietf-acme-ari) to check if a certificate should be renewed. (default: false)
+ --ari-disable Do not use the renewalInfo endpoint (draft-ietf-acme-ari) to check if a certificate should be renewed. (default: false)
 --ari-wait-to-renew-duration value The maximum duration you're willing to sleep for a renewal time returned by the renewalInfo endpoint. (default: 0s)
 --reuse-key Used to indicate you want to reuse your current private key for the new certificate. (default: false)
 --no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate. (default: false)

From ede2825c92e3c67892734a108634bc393c956729 Mon Sep 17 00:00:00 2001
From: Fernandez Ludovic
Date: Mon, 11 Nov 2024 01:07:27 +0100
Subject: [PATCH 2/2] review: move MakeARICertID call

---
 cmd/cmd_renew.go | 30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)

diff --git a/cmd/cmd_renew.go b/cmd/cmd_renew.go
index 1057d42330..496f5a4335 100644
--- a/cmd/cmd_renew.go
+++ b/cmd/cmd_renew.go
@@ -151,16 +151,24 @@ func renewForDomains(ctx *cli.Context, client *lego.Client, certsStorage *Certif
 cert := certificates[0]
 
 var ariRenewalTime *time.Time
+ var replacesCertID string
+
 if !ctx.Bool(flgARIDisable) {
 ariRenewalTime = getARIRenewalTime(ctx, cert, domain, client)
 if ariRenewalTime != nil {
 now := time.Now().UTC()
 
+ // Figure out if we need to sleep before renewing.
 if ariRenewalTime.After(now) {
 log.Infof("[%s] Sleeping %s until renewal time %s", domain, ariRenewalTime.Sub(now), ariRenewalTime)
 time.Sleep(ariRenewalTime.Sub(now))
 }
 }
+
+ replacesCertID, err = certificate.MakeARICertID(cert)
+ if err != nil {
+ log.Fatalf("Error while construction the ARI CertID for domain %s\n\t%v", domain, err)
+ }
 }
 
 if ariRenewalTime == nil && !needRenewal(cert, domain, ctx.Int(flgDays)) {
@@ -209,11 +217,8 @@ func renewForDomains(ctx *cli.Context, client *lego.Client, certsStorage *Certif
 AlwaysDeactivateAuthorizations: ctx.Bool(flgAlwaysDeactivateAuthorizations),
 }
 
- if !ctx.Bool(flgARIDisable) {
- request.ReplacesCertID, err = certificate.MakeARICertID(cert)
- if err != nil {
- log.Fatalf("Error while construction the ARI CertID for domain %s\n\t%v", domain, err)
- }
+ if replacesCertID != "" {
+ request.ReplacesCertID = replacesCertID
 }
 
 certRes, err := client.Certificate.Obtain(request)
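Review bot: Moving `certificate.MakeARICertID(cert)` into the ARI block ahead of the `needRenewal` check widens the failure scope: the CertID is now computed for every certificate whenever ARI is not disabled, so a certificate that MakeARICertID rejects aborts the whole run through `log.Fatalf` even when it would not have been renewed, whereas before the call only ran once renewal had been decided. If the goal is just to have the ID ready before the order is built, computing it after the `ariRenewalTime == nil && !needRenewal(...)` early-out (which continues outside this hunk) keeps the old behaviour; alternatively, since the ARI `replaces` field is optional as far as I know, a `log.Warnf` and proceeding without ReplacesCertID would avoid turning one malformed certificate into a hard stop. The guard `if replacesCertID != ""` in the -209 hunk is redundant — assigning the empty string leaves the field at its zero value — so `request.ReplacesCertID = replacesCertID` alone reads cleaner. The moved message also carries the pre-existing typo; `log.Fatalf("Error while constructing the ARI CertID for domain %s\n\t%v", domain, err)` would fix it. The same points apply to the renewForCSR hunks at -250 and -279 on the next line.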
@@ -250,16 +255,24 @@ func renewForCSR(ctx *cli.Context, client *lego.Client, certsStorage *Certificat
 cert := certificates[0]
 
 var ariRenewalTime *time.Time
+ var replacesCertID string
+
 if !ctx.Bool(flgARIDisable) {
 ariRenewalTime = getARIRenewalTime(ctx, cert, domain, client)
 if ariRenewalTime != nil {
 now := time.Now().UTC()
 
+ // Figure out if we need to sleep before renewing.
 if ariRenewalTime.After(now) {
 log.Infof("[%s] Sleeping %s until renewal time %s", domain, ariRenewalTime.Sub(now), ariRenewalTime)
 time.Sleep(ariRenewalTime.Sub(now))
 }
 }
+
+ replacesCertID, err = certificate.MakeARICertID(cert)
+ if err != nil {
+ log.Fatalf("Error while construction the ARI CertID for domain %s\n\t%v", domain, err)
+ }
 }
 
 if ariRenewalTime == nil && !needRenewal(cert, domain, ctx.Int(flgDays)) {
@@ -279,11 +292,8 @@ func renewForCSR(ctx *cli.Context, client *lego.Client, certsStorage *Certificat
 AlwaysDeactivateAuthorizations: ctx.Bool(flgAlwaysDeactivateAuthorizations),
 }
 
- if !ctx.Bool(flgARIDisable) {
- request.ReplacesCertID, err = certificate.MakeARICertID(cert)
- if err != nil {
- log.Fatalf("Error while construction the ARI CertID for domain %s\n\t%v", domain, err)
- }
+ if replacesCertID != "" {
+ request.ReplacesCertID = replacesCertID
 }
 
 certRes, err := client.Certificate.ObtainForCSR(request)
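Review bot: The ARI block added to renewForCSR here is a line-for-line copy of the one added to renewForDomains in the -151 hunk above, down to the new comment and the Fatalf text, and the two have already been edited in lockstep twice in this series. A small helper taking `(ctx, cert, domain, client)` that does the renewalInfo lookup, the optional sleep and the `MakeARICertID` call and returns `(*time.Time, string)` would let both functions reduce to one call and stop the two paths from drifting; renewForCSR starts before this hunk, so the helper would sit alongside getARIRenewalTime rather than inside either function.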