Update legacy certificates in storage with expiration date

gohai · gohai · commit fbf726bf5c36 · 2018-04-29T22:06:55.000-07:00
af15771 and 3b0038d added the field "expiry" to the certificate, which speeds up the renewal check considerably for certificates that have this information set. For existing ones that don't, use the most recent backup timestamp to establish the expiration date, and add this information to storage, so that future renewal jobs are faster for those as well. This is in preparation for the following patch in the series, which uses the "expiry" field to purge certificates where renewal has failed repeatedly.
diff --git a/lib/resty/auto-ssl/jobs/renewal.lua b/lib/resty/auto-ssl/jobs/renewal.lua
@@ -79,8 +79,43 @@ local function renew_check_cert(auto_ssl_instance, storage, domain)
     cert = {}
   end
 
-  -- Attempt to retrieve expiry date from storage. If it is not found try renewal.
-  -- If expiry date is found, we attempt renewal if it's within 30 days.
+  if not cert["fullchain_pem"] then
+    ngx.log(ngx.ERR, "auto-ssl: attempting to renew certificate for domain without certificates in storage: ", domain)
+    renew_check_cert_unlock(domain, storage, local_lock, distributed_lock_value)
+    return
+  end
+
+  -- If we don't have an expiry date yet, try to update the stored cert
+  -- with a date based on backup timestamps
+  if not cert["expiry"] then
+    local keys, err = storage.adapter:keys_with_prefix(domain .. ":")
+    if err then
+      ngx.log(ngx.ERR, "auto-ssl: error fetching certificate backups from storage for ", domain, ": ", err)
+    else
+      local most_recent = 0
+      for _, key in ipairs(keys) do
+        local timestamp = string.sub(key, string.find(key, ":") + 1)
+        timestamp = tonumber(timestamp)
+        if timestamp and most_recent < timestamp then
+          most_recent = timestamp
+        end
+      end
+      if most_recent ~= 0 then
+        -- Backup timestamp used milliseconds, convert to seconds
+        cert["expiry"] = math.floor(most_recent/1000) + (90 * 24 * 60 * 60)
+        -- Update stored certificate to include expiry information
+        ngx.log(ngx.NOTICE, "auto-ssl: setting expiration date of ",  domain, " to ", cert["expiry"])
+        local _, err = storage:set_cert(domain, cert["fullchain_pem"], cert["privkey_pem"], cert["cert_pem"], cert["expiry"])
+        if err then
+          ngx.log(ngx.ERR, "auto-ssl: failed to update cert: ", err)
+        end
+      else
+        ngx.log(ngx.ERR, "auto-ssl: no certificate backups in storage for ", domain, ", unable to set expiration date")
+      end
+    end
+  end
+
+  -- If expiry date is known, attempt renewal if it's within 30 days.
   if cert["expiry"] then
     local now = ngx.now()
     if now + (30 * 24 * 60 * 60) < cert["expiry"] then
@@ -90,12 +125,6 @@ local function renew_check_cert(auto_ssl_instance, storage, domain)
     end
   end
 
-  if not cert["fullchain_pem"] then
-    ngx.log(ngx.ERR, "auto-ssl: attempting to renew certificate for domain without certificates in storage: ", domain)
-    renew_check_cert_unlock(domain, storage, local_lock, distributed_lock_value)
-    return
-  end
-
   -- We didn't previously store the cert.pem (since it can be derived from the
   -- fullchain.pem). So for backwards compatibility, set the cert.pem value to
   -- the fullchain.pem value, since that should work for our date checking
diff --git a/lib/resty/auto-ssl/storage_adapters/file.lua b/lib/resty/auto-ssl/storage_adapters/file.lua
@@ -72,6 +72,23 @@ function _M.delete(self, key)
   end
 end
 
+function _M.keys_with_prefix(self, prefix)
+  local base_dir = self.options["dir"]
+  local _, output, err = run_command("find " .. base_dir .. "/storage/file -name '" .. ngx.escape_uri(prefix) .. "*'")
+  if err then
+    return nil, err
+  end
+
+  local keys = {}
+  for path in string.gmatch(output, "[^\r\n]+") do
+    local filename = ngx.re.sub(path, ".*/", "")
+    local key = ngx.unescape_uri(filename)
+    table.insert(keys, key)
+  end
+
+  return keys
+end
+
 function _M.keys_with_suffix(self, suffix)
   local base_dir = self.options["dir"]
   local _, output, err = run_command("find " .. base_dir .. "/storage/file -name '*" .. ngx.escape_uri(suffix) .. "'")
diff --git a/lib/resty/auto-ssl/storage_adapters/redis.lua b/lib/resty/auto-ssl/storage_adapters/redis.lua
@@ -106,6 +106,30 @@ function _M.delete(self, key)
   return connection:del(prefixed_key(self, key))
 end
 
+function _M.keys_with_prefix(self, prefix)
+  local connection, connection_err = self:get_connection()
+  if connection_err then
+    return false, connection_err
+  end
+
+  local keys, err = connection:keys(prefixed_key(self, prefix .. "*"))
+
+  if keys and self.options["prefix"] then
+    local unprefixed_keys = {}
+    -- First character past the prefix and a colon
+    local offset = string.len(self.options["prefix"]) + 2
+
+    for _, key in ipairs(keys) do
+      local unprefixed = string.sub(key, offset)
+      table.insert(unprefixed_keys, unprefixed)
+    end
+
+    keys = unprefixed_keys
+  end
+
+  return keys, err
+end
+
 function _M.keys_with_suffix(self, suffix)
   local connection, connection_err = self:get_connection()
   if connection_err then
