changeset 2103:8c30779427ae ssltesting

first draft of renewing ssl in https.luan
author Violet7
date Tue, 16 Dec 2025 17:14:55 -0800
parents 3112b06ab447
children 9ba91823980e
files src/luan/host/Https.luan
diffstat 1 files changed, 57 insertions(+), 38 deletions(-) [+]
--- a/src/luan/host/Https.luan	Tue Dec 16 16:53:43 2025 -0700
+++ b/src/luan/host/Https.luan	Tue Dec 16 17:14:55 2025 -0800
@@ -136,39 +136,8 @@
 					local s = uri("bash:"..cmd).read_text()
 					logger.info("create csr\n"..s)
 
-					-- Finally, get our cert from letsencrypt.
-					local cmd = luanhost_dir_str..[[/acme_tiny --account-key ]]..luanhost_dir_str..[[/local/tiny_account.key \
-						--csr ]]..csr_file_str..[[ \
-						--acme-dir ]]..files.acme_challenges.canonical().to_string()..[[ \
-					]]
-
-					-- TODO: this often doesn't work and I don't know if it's
-					-- because of this code or because of letsencrypt.
-					-- fix if broken.
-					if dry_run then
-						local dry_run_dir_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
-						cmd = cmd.." --directory-url "..dry_run_dir_url
-					end
-					local tmp_out_str = files.tmp_cert_out.canonical().to_string()
-					cmd = cmd.." > "..tmp_out_str
-					logger.info("acme-tiny commandline:\n"..cmd)
+					Issue_cert(domain, site_dir, luanhost_dir, dry_run, files)
 
-					local s = uri("bash:"..cmd).read_text()
-					logger.info("get cert signed by letsencrypt\n"..s)
-
-					-- Empty stdout from acme-tiny is a failure.
-					if files.tmp_cert_out.length() == 0 then
-						-- TODO: this should fail non-gracefully,
-						-- all failures here are almost certainly bugs.
-						logger.error("FAILED getting cert from letsencrypt.\nSee previous output.\nNot writing to fullchain.cer")
-					else
-						-- Success! Move the temp output to the real fullchain.
-						local local_cer_file_str = files.local_cer_file.canonical().to_string()
-
-						local cmd = "mv "..tmp_out_str.." "..local_cer_file_str
-						local s = uri("bash:"..cmd).read_text()
-						logger.info("move temp output to fullchain.cer\n"..s)
-					end
 
 				catch e
 					logger.error("Error setting up ACME: "..e)
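Review bot: A failed issuance still only logs: the empty-output branch that moved into Issue_cert calls `logger.error` and returns normally, so the `catch e` below this call never sees it and the existing TODO about failing non-gracefully stays open; now that the code is a function, ending that branch with `error "FAILED getting cert from letsencrypt"` (or returning a status that is checked here) would surface the failure to this handler. Issue_cert is also declared later in the file as a non-local function, so this call depends on the name being resolved at run time rather than at the point of definition; if Luan resolves undeclared names strictly, a declaration ahead of this function is needed. The enclosing function starts and ends outside the hunk, and the removed lines leave two consecutive blank lines after the call.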
@@ -202,8 +171,8 @@
 sudo $(which nginx) -t -c "<%=luanhost_dir_str%>/local/nginx.conf" && \
 sudo $(which nginx) -s reload -c "<%=luanhost_dir_str%>/local/nginx.conf";
 <%`
-		local s = uri("bash:"..cmd).read_text()
-		logger.info("reload_nginx "..s)
+	local s = uri("bash:"..cmd).read_text()
+	logger.info("reload_nginx "..s)
 	end
 	--logger.info "done"
 end
@@ -230,13 +199,63 @@
 end
 
 function Https.renew_ssl(renewal_period,domain,site_dir,luanhost_dir,dry_run)
-	local files = get_files(domain,site_dir)
-	files.csr_file.exists() or error "no CSR file"
+	files.csr_file.exists() or error "no CSR file, assuming local https cert"
 	if time_now() - files.csr_file.last_modified() < renewal_period then
-		sys_logger.info "not yet"
+		Issue_cert(domain, site_dir, luanhost_dir, dry_run, files)
 		return
 	end
-	sys_logger.info "not implemented"
+end
+
+function Issue_cert(domain, site_dir, luanhost_dir, dry_run, files)
+	local luanhost_dir_str = luanhost_dir.canonical().to_string()
+	local csr_file_str = files.csr_file_str.canonical().to_string()
+
+	-- Finally, get our cert from letsencrypt.
+	local cmd = luanhost_dir_str..[[/acme_tiny \
+		--account-key ]]..luanhost_dir_str..[[/local/tiny_account.key \
+		--csr ]]..csr_file_str..[[ \
+		--acme-dir ]]..files.acme_challenges.canonical().to_string()..[[ \
+	]]
+
+	-- Problems here are probably from letsencrypt
+	-- leaving this comment here in case its not
+	if dry_run then
+		local dry_run_dir_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
+		cmd = cmd.." --directory-url "..dry_run_dir_url
+	end
+
+	local tmp_out_str = files.tmp_cert_out.canonical().to_string()
+	cmd = cmd.." > "..tmp_out_str
+	logger.info("acme-tiny commandline:\n"..cmd)
+
+	local s = uri("bash:"..cmd).read_text()
+	logger.info("get cert signed by letsencrypt\n"..s)
+
+	-- Empty stdout from acme-tiny is a failure.
+	if files.tmp_cert_out.length() == 0 then
+		-- TODO: this should fail non-gracefully,
+		-- all failures here are almost certainly bugs.
+		logger.error("FAILED getting cert from letsencrypt.\nSee previous output.\nNot writing to fullchain.cer")
+	else
+		-- Success! Move the temp output to the real fullchain.
+		local local_cer_file_str = files.local_cer_file.canonical().to_string()
+		if files.local_cer_file_str.exists() then
+			local cmd = "mv "..local_cer_file_str.." "..local_cer_file_str..".old"
+			local s = uri("bash:"..cmd).read_text()
+			logger.info("moving old fullchain to fullchain.cer.old\n"..s)
+		end
+
+		local cmd = "mv "..tmp_out_str.." "..local_cer_file_str
+		local s = uri("bash:"..cmd).read_text()
+		logger.info("move temp output to fullchain.cer\n"..s)
+	end
+
+	local cmd = `%>
+sudo $(which nginx) -t -c "<%=luanhost_dir_str%>/local/nginx.conf" && \
+sudo $(which nginx) -s reload -c "<%=luanhost_dir_str%>/local/nginx.conf";
+<%`
+	local s = uri("bash:"..cmd).read_text()
+	logger.info("reload_nginx "..s)
 end
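Review bot: `files` is no longer defined in renew_ssl — the `local files = get_files(domain,site_dir)` line was removed, but `files.csr_file` is still read on the next line and `files` is passed to Issue_cert, so the function fails before it reaches the renewal check. The renewal condition also looks inverted: a CSR modified less than renewal_period ago now triggers Issue_cert and an older one does nothing, the opposite of the removed `not yet` branch. Inside Issue_cert, `files.csr_file_str` and `files.local_cer_file_str` are read as table fields although the adjacent lines use `files.csr_file` and `files.local_cer_file`; the `_str` names were local string variables in the old code, not fields. The nginx reload at the end repeats the body shown in the previous hunk (presumably reload_nginx) and could call it instead. Because `cmd` is handed to `bash:` unquoted, a path derived from domain or site_dir that contains a space or shell metacharacter breaks the command, so wrapping each path argument in single quotes would make issuance more robust.
```lua
function Https.renew_ssl(renewal_period,domain,site_dir,luanhost_dir,dry_run)
	local files = get_files(domain,site_dir)
	files.csr_file.exists() or error "no CSR file, assuming local https cert"
	if time_now() - files.csr_file.last_modified() < renewal_period then
		return
	end
	Issue_cert(domain, site_dir, luanhost_dir, dry_run, files)
end

function Issue_cert(domain, site_dir, luanhost_dir, dry_run, files)
	local luanhost_dir_str = luanhost_dir.canonical().to_string()
	local csr_file_str = files.csr_file.canonical().to_string()
	-- … unchanged: acme_tiny command construction, dry-run URL, invocation …
		local local_cer_file_str = files.local_cer_file.canonical().to_string()
		if files.local_cer_file.exists() then
	-- … unchanged: move old fullchain to .old, move temp output, nginx reload …
```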
 
 return Https