Merge pull request #896 from chinkung/main

Add DEFAULT_RENEW variable

Author: buchdag

app/letsencrypt_service

@@ -8,6 +8,7 @@ ACME_CA_URI="${ACME_CA_URI:-"https://acme-v02.api.letsencrypt.org/directory"}"
 ACME_CA_TEST_URI="https://acme-staging-v02.api.letsencrypt.org/directory"
 DEFAULT_KEY_SIZE="${DEFAULT_KEY_SIZE:-4096}"
 RENEW_PRIVATE_KEYS="$(lc "${RENEW_PRIVATE_KEYS:-true}")"
+DEFAULT_RENEW="${DEFAULT_RENEW:-60}"
 
 # Backward compatibility environment variable
 REUSE_PRIVATE_KEYS="$(lc "${REUSE_PRIVATE_KEYS:-false}")"
@@ -259,7 +260,7 @@ function update_cert {
     else
         # If we did not get any email at all, use the default (empty mail) config
         config_home="/etc/acme.sh/default"
-    fi 
+    fi
 
     local -n acme_ca_uri="ACME_${cid}_CA_URI"
     if [[ -z "$acme_ca_uri" ]]; then
@@ -368,13 +369,13 @@ function update_cert {
                 fi
             else
                 # We don't have a Zero SSL ACME account, EAB credentials, a ZeroSSL API key or an account email :
-                # skip certificate account registration and certificate issuance. 
+                # skip certificate account registration and certificate issuance.
                 echo "Error: usage of ZeroSSL require an email bound account. No EAB credentials, ZeroSSL API key or email were provided for this certificate, creation aborted."
                 return 1
-            fi        
+            fi
         fi
     fi
-    
+
     # Account registration and update if required
     if [[ ! -f "$account_file" ]]; then
         params_register_arr=("${params_base_arr[@]}" "${params_register_arr[@]}")
@@ -418,7 +419,7 @@ function update_cert {
         params_issue_arr+=(--preferred-chain "$acme_preferred_chain")
     fi
     if [[ "$RENEW_PRIVATE_KEYS" != 'false' && "$REUSE_PRIVATE_KEYS" != 'true' ]]; then
-        params_issue_arr+=(--always-force-new-domain-key)      
+        params_issue_arr+=(--always-force-new-domain-key)
     fi
     [[ "${2:-}" == "--force-renew" ]] && params_issue_arr+=(--force)
 
@@ -435,6 +436,9 @@ function update_cert {
         fi
     done
 
+    # Allow to override day to renew cert
+    params_issue_arr+=(--days "$DEFAULT_RENEW")
+
     params_issue_arr=("${params_base_arr[@]}" "${params_issue_arr[@]}")
     [[ "$DEBUG" == 1 ]] && echo "Calling acme.sh --issue with the following parameters : ${params_issue_arr[*]}"
     echo "Creating/renewal $base_domain certificates... (${hosts_array[*]})"

docs/Container-configuration.md

@@ -34,6 +34,9 @@ You can also create test certificates per container (see [Test certificates](./L
 
 * `ACME_POST_HOOK` - The provided command will be run after every certificate issuance. The action is limited to the commands available inside the **acme-companion** container. For example `--env "ACME_POST_HOOK=echo 'end'"`. For more information see [Pre- and Post-Hook](./Hooks.md)
 
+* `DEFAULT_RENEW` - 60 days by default, this defines the number of days between certificate renewals attempts. For certificates issued by certain Certificate Authorities, such as Buypass, which have a lifespan of 180 days, it may be advisable to initiate the renewal process on day 170 rather than the default day 60. See [BuyPass.com CA](https://github.com/acmesh-official/acme.sh/wiki/BuyPass.com-CA) for more detail.
+
 * `ACME_HTTP_CHALLENGE_LOCATION` - Previously **acme-companion** automatically added the ACME HTTP challenge location to the nginx configuration through files generated in `/etc/nginx/vhost.d`. Recent versions of **nginx-proxy** (>= `1.6`) already include the required location configuration, which remove the need for **acme-companion** to attempt to dynamically add them. If you're running and older version of **nginx-proxy** (or **docker-gen** with an older version of the `nginx.tmpl` file), you can re-enable this behaviour by setting `ACME_HTTP_CHALLENGE_LOCATION` to `true`.
 
 * `RELOAD_NGINX_ONLY_ONCE` - The companion reload nginx configuration after every new or renewed certificate. Previously this was done only once per service loop, at the end of the loop (this was causing delayed availability of HTTPS enabled application when multiple new certificates where requested at once, see [issue #1147](https://github.com/nginx-proxy/acme-companion/issues/1147)). You can restore the previous behaviour if needed by setting the environment variable `RELOAD_NGINX_ONLY_ONCE` to `true`.
+

test/config.sh

@@ -17,6 +17,7 @@ globalTests+=(
 	permissions_custom
 	symlinks
 	acme_hooks
+	certs_default_renew
 	ocsp_must_staple
 )
 

test/tests/certs_default_renew/expected-std-out.txt

@@ -0,0 +1 @@
+

test/tests/certs_default_renew/run.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+
+## Test for the DEFAULT_RENEW function.
+
+if [[ -z $GITHUB_ACTIONS ]]; then
+  le_container_name="$(basename "${0%/*}")_$(date "+%Y-%m-%d_%H.%M.%S")"
+else
+  le_container_name="$(basename "${0%/*}")"
+fi
+
+default_renew=170
+run_le_container "${1:?}" "$le_container_name" \
+  --cli-args "--env DEFAULT_RENEW=$default_renew"
+
+# Create the $domains array from comma separated domains in TEST_DOMAINS.
+IFS=',' read -r -a domains <<< "$TEST_DOMAINS"
+
+# Cleanup function with EXIT trap
+function cleanup {
+  # Remove the Nginx container silently.
+  docker rm --force "${domains[0]}" &> /dev/null
+  # Cleanup the files created by this run of the test to avoid foiling following test(s).
+  docker exec "$le_container_name" /app/cleanup_test_artifacts
+  # Stop the LE container
+  docker stop "$le_container_name" > /dev/null
+}
+trap cleanup EXIT
+
+container_email="contact@${domains[0]}"
+acme_config_file="/etc/acme.sh/$container_email/${domains[0]}/${domains[0]}.conf"
+
+# Run a nginx container for ${domains[0]} with LETSENCRYPT_EMAIL set.
+run_nginx_container --hosts "${domains[0]}" \
+  --cli-args "--env LETSENCRYPT_EMAIL=${container_email}"
+
+# Wait for a symlink at /etc/nginx/certs/${domains[0]}.crt
+wait_for_symlink "${domains[0]}" "$le_container_name"
+
+acme_cert_create_time_key="Le_CertCreateTime="
+acme_renewal_days_key="Le_RenewalDays="
+acme_next_renew_time_key="Le_NextRenewTime="
+
+# Check if the default command is deliverd properly in /etc/acme.sh
+if docker exec "$le_container_name" [[ ! -f "$acme_config_file" ]]; then
+  echo "The $acme_config_file file does not exist."
+fi
+
+cert_create_time="$(docker exec "$le_container_name" grep "$acme_cert_create_time_key" "$acme_config_file" | cut -f2 -d\')"
+expected_renewal_days="${acme_renewal_days_key}'$default_renew'"
+expected_next_renew_time="${acme_next_renew_time_key}'$(($cert_create_time + $default_renew * 24 * 60 * 60 - 86400))'"
+actual_renewal_days="$(docker exec "$le_container_name" grep "$acme_renewal_days_key" "$acme_config_file")"
+actual_next_renew_time="$(docker exec "$le_container_name" grep "$acme_next_renew_time_key" "$acme_config_file")"
+
+if [[ "$expected_renewal_days" != "$actual_renewal_days" ]]; then
+  echo "Renewal days is not correct"
+fi
+if [[ "$expected_next_renew_time" != "$actual_next_renew_time" ]]; then
+  echo "Next renewal time is not correct"
+fi