Check if domain is whitelisted before cert renewal

README.md

@@ -148,7 +148,7 @@ domain_whitelist = { "domain1.com", "domain2.com", "domain3.com" },
 To match a pattern in your domain name, for example all subdomains under `example.com`, use:
 
 ```lua
-domain_whitelist_callback = function(domain)
+domain_whitelist_callback = function(domain, is_new_cert_needed)
     return ngx.re.match(domain, [[\.example\.com$]], "jo")
 end
 ```
@@ -158,7 +158,7 @@ It's possible to use cosocket API here. Do note that this will increase the SSL
 latency.
 
 ```lua
-domain_whitelist_callback = function(domain)
+domain_whitelist_callback = function(domain, is_new_cert_needed)
     -- send HTTP request
     local http = require("resty.http")
     local res, err = httpc:request_uri("http://example.com")
@@ -169,6 +169,8 @@ domain_whitelist_callback = function(domain)
 end}),
 ```
 
+`domain_whitelist_callback` function is provided with a second argument,
+which indicates whether the certificate is about to be served on incoming HTTP request (false) or new certificate is about to be requested (true). This allows to use cached values on hot path (serving requests) while fetching fresh data from storage for new certificates. One may also implement different logic, e.g. do extra checks before requesting new cert.
 
 ## tls-alpn-01 challenge
 
@@ -300,7 +302,7 @@ All normal https traffic listens on `unix:/tmp/nginx-default.sock`.
 
 ```
                                                 [stream server unix:/tmp/nginx-tls-alpn.sock ssl]
-                                            Y / 
+                                            Y /
 [stream server 443] --- ALPN is acme-tls ?
                                             N \
                                                 [http server unix:/tmp/nginx-default.sock ssl]

lib/resty/acme/autossl.lua

@@ -209,6 +209,10 @@ function AUTOSSL.update_cert(data)
     AUTOSSL.client_initialized = true
   end
 
+  if not AUTOSSL.is_domain_whitelisted(data.domain, true) then
+    return "cert update is not allowed for domain " .. data.domain
+  end
+
   -- Note that we lock regardless of key types
   -- Let's encrypt tends to have a (undocumented?) behaviour that if
   -- you submit an order with different CSR while the previous order is still pending
@@ -260,7 +264,7 @@ function AUTOSSL.check_renew()
       })
 
       if err then
-        log(ngx_ERR, "failed to renew certificate for domain ", domain)
+        log(ngx_ERR, "failed to renew certificate for domain ", domain, " error: ", err)
       else
         log(ngx_INFO, "successfully renewed ", deserialized.type, " cert for domain ", domain)
       end
@@ -380,6 +384,15 @@ function AUTOSSL.serve_tls_alpn_challenge()
   AUTOSSL.client:serve_tls_alpn_challenge()
 end
 
+function AUTOSSL.is_domain_whitelisted(domain, is_new_cert_needed)
+  if domain_whitelist_callback then
+    return domain_whitelist_callback(domain, is_new_cert_needed)
+  elseif domain_whitelist then
+    return domain_whitelist[domain]
+  else
+    return true
+  end
+end
 
 function AUTOSSL.ssl_certificate()
   local domain, err = ssl.server_name()
@@ -391,10 +404,7 @@ function AUTOSSL.ssl_certificate()
 
   domain = string.lower(domain)
 
-  if domain_whitelist_callback and not domain_whitelist_callback(domain) then
-    log(ngx_INFO, "domain ", domain, " does not pass whitelist_callback, skipping")
-    return
-  elseif domain_whitelist and not domain_whitelist[domain] then
+  if not AUTOSSL.is_domain_whitelisted(domain, false) then
     log(ngx_INFO, "domain ", domain, " not in whitelist, skipping")
     return
   end