Check if domain is whitelisted before cert renewal #35

Merged
merged 2 commits into from
Jun 25, 2021

kfigiela
Contributor

I'd like to prevent renewals on domains that are no longer whitelisted. To implement this I've extracted the whitelist check into a separate function and use it in `update_cert`.

Also, since I'm gonna use a dynamic whitelist with some caching in the worker process, I'd like to bypass the cache for lookups during renewal. I've added a `source` argument to the `domain_whitelist_callback` function.

@fffonion, do you have any thoughts on this?

This is somehow related to #15.

@fffonion
Owner

fffonion commented Mar 9, 2021

@kfigiela I composed a reply but forgot to send... I think overall it looks good, probably instead of `source` which is a string and may lead to typos, we can make it a bool (like `skip_cache`?) or enum.

@kfigiela
Contributor Author

Sounds like a good suggestion, I'll refactor this. I'd like to keep the semantics of `is_new_cert_needed` (so we'd like to skip cache or do extra checks) instead of plain `skip_cache`.

@fffonion
Owner

fffonion commented Mar 10, 2021 via email

@fffonion fffonion merged commit 942c007 into fffonion:master Jun 25, 2021
@fffonion
Owner

Don't know why I missed this PR for a long time... anyway it's merged, thank you for the contribution @kfigiela !
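The behaviour discussed in this thread, sketched as an added example in plain Lua; it is not code from this pull request or from lua-resty-acme. Only the names `domain_whitelist_callback`, `update_cert` and `is_new_cert_needed` come from the conversation; the cache, the TTL, the sample domains and `fake_issue` are assumptions made for illustration.

```lua
-- Added example (plain Lua, no OpenResty APIs); helper names are hypothetical.
-- Constructed authoritative whitelist; stands in for a database or API lookup.
local authoritative = { ["a.example.com"] = true, ["b.example.com"] = true }
local function lookup_authoritative(domain)
  return authoritative[domain] == true
end

-- Per-worker cache with a TTL, meant for the hot path (TLS handshakes).
local CACHE_TTL = 300 -- seconds, assumed value
local cache = {}
local function remember(domain, allowed)
  cache[domain] = { allowed = allowed, expires = os.time() + CACHE_TTL }
  return allowed
end

-- is_new_cert_needed = true means a certificate is about to be requested,
-- so a stale cached "allow" must not be enough: ask the source and refresh.
local function domain_whitelist_callback(domain, is_new_cert_needed)
  local entry = cache[domain]
  if not is_new_cert_needed and entry and entry.expires > os.time() then
    return entry.allowed
  end
  return remember(domain, lookup_authoritative(domain))
end

-- Model of the renewal path: check the whitelist before asking the CA.
-- `issue` is a stand-in for the real ACME order.
local function update_cert(domain, issue)
  if not domain_whitelist_callback(domain, true) then
    return nil, "skipping renewal, domain no longer whitelisted: " .. domain
  end
  return issue(domain)
end
local function fake_issue(domain) return "cert for " .. domain end

-- Warm the cache, then remove b.example.com from the authoritative list.
assert(domain_whitelist_callback("b.example.com", false) == true)
authoritative["b.example.com"] = nil
-- The cached path still answers "allowed" until the TTL runs out ...
assert(domain_whitelist_callback("b.example.com", false) == true)
-- ... but renewal bypasses the cache and is refused.
local cert, err = update_cert("b.example.com", fake_issue)
assert(cert == nil and err ~= nil)
-- The fresh answer also replaced the stale cache entry.
assert(domain_whitelist_callback("b.example.com", false) == false)
-- A domain that is still whitelisted renews normally.
assert(update_cert("a.example.com", fake_issue) == "cert for a.example.com")
print(err)
```

Without the bypass, a domain removed from the whitelist could still have its certificate renewed for as long as a cached "allowed" entry survives in the worker.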

bungle added a commit to Kong/kong that referenced this pull request Aug 4, 2021
### Summary

#### bug fixes
- **\*:** popup errors from lower functions [a19e9c8](fffonion/lua-resty-acme@a19e9c8)
- **autossl:** pass storage config to acme client ([#43](fffonion/lua-resty-acme#43)) [ef1e541](fffonion/lua-resty-acme@ef1e541)

#### features
- **autossl:** add challenge_start_delay [df4ba0b](fffonion/lua-resty-acme@df4ba0b)
- **autossl:** check if domain is whitelisted before cert renewal ([#35](fffonion/lua-resty-acme#35)) [942c007](fffonion/lua-resty-acme@942c007)
- **client:** add challenge_start_callback [1c9b2d5](fffonion/lua-resty-acme@1c9b2d5)
- **client:** allow to read "alternate" link and select preferred chain ([#42](fffonion/lua-resty-acme#42)) [ff17a74](fffonion/lua-resty-acme@ff17a74)
- **storage/vault:** add support for kubernetes auth ([#37](fffonion/lua-resty-acme#37)) [93c2121](fffonion/lua-resty-acme@93c2121)
bungle added a commit to Kong/kong that referenced this pull request Aug 5, 2021