Give up trying to renew certificates in storage once they are expired

There are various legitimate reasons why a certificate can't be renewed, such as the domain holder pointing it elsewhere. We don't want to retry those forever.

Author: gohai

lib/resty/auto-ssl/jobs/renewal.lua

@@ -158,6 +158,15 @@ local function renew_check_cert(auto_ssl_instance, storage, domain)
   local _, issue_err = ssl_provider.issue_cert(auto_ssl_instance, domain)
   if issue_err then
     ngx.log(ngx.ERR, "auto-ssl: issuing renewal certificate failed: ", err)
+    -- Give up on renewing this certificate if we didn't manage to renew
+    -- it before the expiration date
+    local now = ngx.now()
+    if cert["expiry"] then
+      if cert["expiry"] < now then
+        ngx.log(ngx.NOTICE, "auto-ssl: existing certificate is expired, deleting: ", domain)
+        storage:delete_cert(domain)
+      end
+    end
   end
 
   renew_check_cert_unlock(domain, storage, local_lock, distributed_lock_value)

lib/resty/auto-ssl/storage.lua

@@ -60,6 +60,10 @@ function _M.set_cert(self, domain, fullchain_pem, privkey_pem, cert_pem, expiry)
   return self.adapter:set(domain .. ":latest", string)
 end
 
+function _M.delete_cert(self, domain)
+  return self.adapter:delete(domain .. ":latest")
+end
+
 function _M.all_cert_domains(self)
   local keys, err = self.adapter:keys_with_suffix(":latest")
   if err then