Syntax: acme-nginx -d domain --renew-days 30

- Parameter name changed - Now the certificate is out of date if it is not yet valid or the expiration time minus of renew-days is reached
kshcherban · Aug 6, 2020 · 111ee03 · 111ee03
1 parent 0742a9a
commit 111ee03
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 9 deletions.
diff --git a/acme_nginx/Acme.py b/acme_nginx/Acme.py
@@ -33,7 +33,7 @@ def __init__(
             cert_path='/etc/ssl/private/letsencrypt-domain.pem',
             dns_provider=None,
             skip_nginx_reload=False,
-            update_date_threshold_days=None,
+            renew_days=None,
             debug=False):
         """
         Params:
@@ -62,15 +62,22 @@ def __init__(
         self.chain = "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"
         self.dns_provider = dns_provider
         self.skip_nginx_reload = skip_nginx_reload
-        self.update_date_threshold_days = update_date_threshold_days
+        self.renew_days = renew_days
 
         self.IsOutOfDate = True
-        if self.update_date_threshold_days:
+        if self.renew_days:
             try:
-                certTime = datetime.fromtimestamp(os.path.getmtime(self.cert_path))
-                certTimeThreshold = certTime + timedelta(days=self.update_date_threshold_days)
+                cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, open(self.cert_path).read())
+                date_format, encoding = "%Y%m%d%H%M%SZ", "ascii"
+                not_before = datetime.strptime(cert.get_notBefore().decode(encoding), date_format)
+                not_after = datetime.strptime(cert.get_notAfter().decode(encoding), date_format)
+                now = datetime.now()
+                #self.log.info( 'x509: {0} {1} {2}'.format(cert, not_before, not_after) )
+                #certTime = datetime.fromtimestamp(os.path.getmtime(self.cert_path))
+                #certTimeThreshold = certTime + timedelta(days=self.renew_days)
+                certTimeThreshold = not_after - timedelta(days=self.renew_days)
 
-                self.IsOutOfDate = (certTimeThreshold < datetime.now())
+                self.IsOutOfDate = (not_before > now) or (not_after < now) or (certTimeThreshold < now)
                 self.log.info('Cert file {1} (expiration time {0})'.format( certTimeThreshold, "is out of date" if self.IsOutOfDate else "is not out of date"))      
 
             except OSError as e:

diff --git a/acme_nginx/client.py b/acme_nginx/client.py
@@ -75,8 +75,8 @@ def set_arguments():
             action='store_true',
             help="don't reload nginx after certificate signing")
     parser.add_argument(
-            '--out-of-date-update-threshold-days',
-            dest='update_date_threshold_days',
+            '--renew-days',
+            dest='renew_days',
             type=int,
             help="expiration threshold in days")
     return parser.parse_args()
@@ -113,7 +113,7 @@ def main():
         debug=args.debug,
         dns_provider=args.dns_provider,
         skip_nginx_reload=args.skip_reload,
-        update_date_threshold_days = args.update_date_threshold_days
+        renew_days=args.renew_days
     )
     if acme.IsOutOfDate:
         acme.get_certificate()