Only attempt renewal of certificates that are close to expiry date

bin/letsencrypt_hooks

@@ -33,13 +33,18 @@ clean_challenge() {
 
 deploy_cert() {
   local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
+  local EXPIRY
+  if ! EXPIRY=$(date --date="$(openssl x509 -enddate -noout -in "$CERTFILE"|cut -d= -f 2)" +%s); then
+    echo "failed to get the expiry date"
+  fi
 
   curl --silent --show-error --fail -XPOST \
     --header "X-Hook-Secret: $HOOK_SECRET" \
     --data-urlencode "domain=$DOMAIN" \
     --data-urlencode "privkey@$KEYFILE" \
     --data-urlencode "cert@$CERTFILE" \
     --data-urlencode "fullchain@$FULLCHAINFILE" \
+    --data-urlencode "expiry=$EXPIRY" \
     "http://127.0.0.1:$HOOK_SERVER_PORT/deploy-cert" || { echo "hook request (deploy_cert) failed" 1>&2; exit 1; }
 }
 

lib/resty/auto-ssl/jobs/renewal.lua

@@ -45,6 +45,19 @@ local function renew_check_cert_unlock(domain, storage, local_lock, distributed_
 end
 
 local function renew_check_cert(auto_ssl_instance, storage, domain)
+  ngx.log(ngx.NOTICE, "auto-ssl: checking certificate renewals for ", domain)
+
+  -- Attempt to retrieve expiry date from storage. If it is not found try renewal.
+  -- If expiry date is found, we attempt renewal if it's within 30 days.
+  local _, _, _, expiry = storage:get_cert(domain)
+  if expiry then
+    local now = ngx.now()
+    if now + (30 * 24 * 60 * 60) < expiry then
+      ngx.log(ngx.NOTICE, "auto-ssl: expiry date is more than 30 days out, skipping renewal: ", domain)
+      return
+    end
+  end
+
   -- Before issuing a cert, create a local lock to ensure multiple workers
   -- don't simultaneously try to register the same cert.
   local local_lock, new_local_lock_err = lock:new("auto_ssl", { exptime = 30, timeout = 30 })
@@ -106,7 +119,6 @@ local function renew_check_cert(auto_ssl_instance, storage, domain)
   -- Trigger a normal certificate issuance attempt, which dehydrated will
   -- skip if the certificate already exists or renew if it's within the
   -- configured time for renewals.
-  ngx.log(ngx.NOTICE, "auto-ssl: checking certificate renewals for ", domain)
   local _, _, issue_err = ssl_provider.issue_cert(auto_ssl_instance, domain)
   if issue_err then
     ngx.log(ngx.ERR, "auto-ssl: issuing renewal certificate failed: ", err)

lib/resty/auto-ssl/servers/hook.lua

@@ -39,7 +39,8 @@ return function(auto_ssl_instance)
     assert(params["domain"])
     assert(params["fullchain"])
     assert(params["privkey"])
-    local _, err = storage:set_cert(params["domain"], params["fullchain"], params["privkey"], params["cert"])
+    assert(params["expiry"])
+    local _, err = storage:set_cert(params["domain"], params["fullchain"], params["privkey"], params["cert"], tonumber(params["expiry"]))
     if err then
       ngx.log(ngx.ERR, "auto-ssl: failed to set cert: ", err)
       return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)

lib/resty/auto-ssl/storage.lua

@@ -30,10 +30,10 @@ function _M.get_cert(self, domain)
   end
 
   local data = cjson.decode(json)
-  return data["fullchain_pem"], data["privkey_pem"], data["cert_pem"]
+  return data["fullchain_pem"], data["privkey_pem"], data["cert_pem"], data["expiry"]
 end
 
-function _M.set_cert(self, domain, fullchain_pem, privkey_pem, cert_pem)
+function _M.set_cert(self, domain, fullchain_pem, privkey_pem, cert_pem, expiry)
   -- Store the public certificate and private key as a single JSON string.
   --
   -- We use a single JSON string so that the storage adapter just has to store
@@ -44,6 +44,7 @@ function _M.set_cert(self, domain, fullchain_pem, privkey_pem, cert_pem)
     fullchain_pem = fullchain_pem,
     privkey_pem = privkey_pem,
     cert_pem = cert_pem,
+    expiry = expiry,
   })
 
   -- Store the cert with the current timestamp, so the old certs are preserved

t/file.t

@@ -263,8 +263,8 @@ received: Connection: close
 received: 
 received: foo
 --- error_log
-(Longer than 30 days). Skipping
 auto-ssl: checking certificate renewals for
+auto-ssl: expiry date is more than 30 days out
 --- no_error_log
 [warn]
 [error]

t/redis.t

@@ -280,8 +280,8 @@ received: Connection: close
 received: 
 received: foo
 --- error_log
-(Longer than 30 days). Skipping
 auto-ssl: checking certificate renewals for
+auto-ssl: expiry date is more than 30 days out
 --- no_error_log
 [warn]
 [error]
@@ -549,8 +549,8 @@ received: Connection: close
 received: 
 received: foo
 --- error_log
-(Longer than 30 days). Skipping
 auto-ssl: checking certificate renewals for
+auto-ssl: expiry date is more than 30 days out
 --- no_error_log
 [warn]
 [error]