check if any certificate needs to be renewed

[leipert]

@travismiller was faster on automating the pages workflow, thank you! 🎉

On my local branch, I added a quick check, if certificate renewal is even needed at all.
High level workflow is like this

Only get a new certificate, if at least one of the pages given in the arguments:

1. is not registered yet
2. does not have a certificate
3. has an expired certificate
4. has an certificate expiring within X days (default 15)

$ ./index.js --domain xyz.leipert.io --domain leipert.io \
    --email xxx@yyy.io \
    --repository https://gitlab.com/leipert/leipert.gitlab.io \
    --path /public/.well-known/acme-challenge
All domains xyz.leipert.io, leipert.io have a valid certificate (expiration in more than 15 days)

[tmaier]

Great idea. Consider to increase the default to 31 days, as this fits better to the Pipeline Scheduling feature supported if #36 gets merged.

The updated README suggests to run the pipeline once per month. With a default of 15, the user would miss the renewal date.

[rolodato]

Thanks for the PR! I would make the following changes for consistency with certbot renew:

• Default expiration should be 30 days
• No option to configure a default expiration
• Add a --force-renewal option that bypasses the expiration check and renews anyway

[tmaier]

The reasons why I proposed 31 instead of 30 are

• some months have 31 days (with 30, they would not request a new certificate)
• you could come into a race condition where the previous build and validation step took longer than the current one (can be just a few minutes). In this case the the delta would be higher than 30 days and the renewal would be skipped

[leipert]

I have to say, that I agree with @rolodato on that one:

1. Consistency with certbot is a good idea.
2. if you run gitlab-le with a cronjob each day, it doesn't matter whether it's 30 or 31 days.

[leipert]

I updated the behavior as suggested. Additionally I made sure that the exit code is 0 if all certificates are valid

[leipert]

/ping @rolodato

[rolodato]

This should be phrased with plural instead:

Force renewal of certificates, even if they expire in more than 30 days.

[leipert]

Two issues with that:

1. --production also is in singular:

   Obtain a real certificate instead of a dummy one

2. Technically you only obtain one certificate per execution, right?

Should I still change the text?

[rolodato]

I don't think it's necessary to introduce this dependency, we can do a little date arithmetic instead :)

[leipert]

removed the dependency

[rolodato]

Can be repliaced by const EXPIRATION = ms('30 days') if we get rid of the moment dependency.

[leipert]

removed the dependency

[rolodato]

I would try to avoid this process.exit here - this file should only be used as a library for the main program (main.js). I think the better approach would be to refactor this file so the exported function (getCertificates) resolves successfully but with an empty array as a result, which means that everything went OK but no new certificates needed to be generated.

[rolodato]

This function should not care about option.domain, it should only care about the domain passed as a parameter. If we need to filter other domains it should be done at the call site instead of here.

[rolodato]

Can we avoid nesting these ifs so deeply? :)

[leipert]

@rolodato, I fixed all the issues you described in your review (except the singular/plural one).
For the process.exit change, I had to refactor a bit:

I moved registering of ACME account, certificate retrieval and certificate upload into a new function runACMEWorkflow.

[leipert]

Hey @rolodato,

I thought, I'd ping again ;)

[leipert]

@rolodato Ping ping :P