From 972dd4d4be5d3b9be6328680487feef90772dfad Mon Sep 17 00:00:00 2001 From: Danilo Bargen Date: Fri, 29 May 2020 01:14:10 +0200 Subject: [PATCH 1/2] Log certificate domains before and after renewal Right now only the id is logged as a prefix (e.g. crt-3), so it's not possible to easily determine *which* certificate was renewed, or failed to renew. --- acmed/src/acme_proto.rs | 2 +- acmed/src/certificate.rs | 12 +++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/acmed/src/acme_proto.rs b/acmed/src/acme_proto.rs index 6e98341..f0d2155 100644 --- a/acmed/src/acme_proto.rs +++ b/acmed/src/acme_proto.rs @@ -210,6 +210,6 @@ pub fn request_certificate(cert: &Certificate, root_certs: &[String]) -> Result< let (crt, _) = http::get_certificate(cert, root_certs, &crt_url, &data_builder, &nonce)?; storage::write_certificate(cert, &crt.as_bytes())?; - cert.info("Certificate renewed"); + cert.info(&format!("Certificate renewed (domains: {})", cert.domain_list())); Ok(()) } diff --git a/acmed/src/certificate.rs b/acmed/src/certificate.rs index b871100..4ea6089 100644 --- a/acmed/src/certificate.rs +++ b/acmed/src/certificate.rs @@ -105,7 +105,7 @@ impl Certificate { fn is_expiring(&self, cert: &X509Certificate) -> Result { let expires_in = cert.expires_in()?; - self.debug(&format!("expires in {} days", expires_in.as_secs() / 86400)); + self.debug(&format!("Certificate expires in {} days", expires_in.as_secs() / 86400)); // TODO: allow a custom duration (using time-parse ?) // 1814400 is 3 weeks (3 * 7 * 24 * 60 * 60) let renewal_time = Duration::new(1_814_400, 0); 
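Review bot: In the acme_proto.rs hunk the domain list is logged only on the success path of `request_certificate`: the `?` on `http::get_certificate` and on `storage::write_certificate` returns before the new `cert.info` line is reached, so a failed renewal is still reported with nothing but the `crt-N` prefix. The commit message names failed renewals as a goal, and the only other place the domains appear is the `Checking for renewal` line in `should_renew`, which is debug level and so probably missing from a log collected at the default level. Consider announcing the attempt at info level before the request is made, e.g. `cert.info(&format!("Renewing certificate (domains: {})", cert.domain_list()));`, or including `cert.domain_list()` wherever the caller reports the error. The body of `request_certificate` starts outside this hunk, so the exact placement needs checking against the full function.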
@@ -134,7 +134,17 @@ impl Certificate { has_miss } + /// Return a comma-separated list of the domains this certificate is valid for. + pub fn domain_list(&self) -> String { + self.domains + .iter() + .map(|domain| &*domain.dns) + .collect::>() + .join(",") + } + pub fn should_renew(&self) -> Result { + self.debug(&format!("Checking for renewal (domains: {})", self.domain_list())); if !certificate_files_exists(&self) { self.debug("certificate does not exist: requesting one"); return Ok(true); From 3e49c938ea059555974cc822d7ec25cc5cfbbb23 Mon Sep 17 00:00:00 2001 From: Danilo Bargen Date: Fri, 29 May 2020 01:29:09 +0200 Subject: [PATCH 2/2] Remove trailing period from logs Some logs contain a trailing period, some don't. Since they don't add any information, I removed them for more consistency. --- acmed/src/acme_proto/account.rs | 6 ++---- acmed/src/certificate.rs | 4 ++-- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/acmed/src/acme_proto/account.rs b/acmed/src/acme_proto/account.rs index 4068264..9752657 100644 --- a/acmed/src/acme_proto/account.rs +++ b/acmed/src/acme_proto/account.rs @@ -50,13 +50,11 @@ pub fn init_account(cert: &Certificate) -> Result<(), Error> { let sign_alg = SignatureAlgorithm::from_str(crate::DEFAULT_JWS_SIGN_ALGO)?; let key_pair = sign_alg.gen_key_pair()?; storage::set_account_keypair(cert, &key_pair)?; - let msg = format!("Account {} created.", &cert.account.name); - cert.info(&msg) + cert.info(&format!("Account {} created", &cert.account.name)); } else { // TODO: check if the keys are suitable for the specified signature algorithm // and, if not, initiate a key rollover. - let msg = format!("Account {} already exists.", &cert.account.name); - cert.debug(&msg) + cert.debug(&format!("Account {} already exists", &cert.account.name)); } Ok(()) } diff --git a/acmed/src/certificate.rs b/acmed/src/certificate.rs index 4ea6089..4991427 100644 --- a/acmed/src/certificate.rs +++ b/acmed/src/certificate.rs 
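Review bot: The doc comment on `domain_list` in certificate.rs (first patch, hunk at line 134) says the list is what the certificate "is valid for", but the body reads `self.domains`, which looks like the configured set rather than the names in the issued X.509 certificate. The two can differ, and the function ending in `has_miss` just above the hunk appears to check for exactly that, so a log line built from this helper may name domains that the certificate on disk does not cover yet. I would reword the comment to `/// Return a comma-separated list of the domain names configured for this certificate (not read from the issued certificate).` As a smaller style point, the join uses `","` with no space; `", "` would be easier to read in the log output.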
@@ -155,9 +155,9 @@ impl Certificate { let renew = renew || self.is_expiring(&cert)?; if renew { - self.debug("The certificate will be renewed now."); + self.debug("The certificate will be renewed now"); } else { - self.debug("The certificate will not be renewed now."); + self.debug("The certificate will not be renewed now"); } Ok(renew) }