Skip to content
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions internal/ssl/manager.go
Original file line number Diff line number Diff line change
Expand Up @@ -184,10 +184,14 @@ func (m *Manager) RenewCertificate(domain string) (*RenewalResult, error) {
return nil, fmt.Errorf("certificate for domain %q not found", domain)
}

// A user clicking Renew on one certificate wants it renewed now, not "only if
// within certbot's ~30-day auto-renew window". Without --force-renewal, certbot
// skips a not-yet-due cert and exits 0, so the action silently does nothing.
output, err := m.executeCertbot([]string{
"renew",
"--non-interactive",
"--cert-name", domain,
"--force-renewal",
})
if err != nil {
return nil, fmt.Errorf("renewal failed for %s: %s - %w", domain, string(output), err)
Expand Down
6 changes: 4 additions & 2 deletions internal/ssl/renewal_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -91,20 +91,22 @@ func TestRenewCertificate_PassesCertName(t *testing.T) {
}

args := mock.calls[0].args
var hasRenew, hasNonInteractive, hasCertName bool
var hasRenew, hasNonInteractive, hasCertName, hasForce bool
for i, arg := range args {
switch arg {
case "renew":
hasRenew = true
case "--non-interactive":
hasNonInteractive = true
case "--force-renewal":
hasForce = true
case "--cert-name":
if i+1 < len(args) && args[i+1] == "example.com" {
hasCertName = true
}
}
}
if !hasRenew || !hasNonInteractive || !hasCertName {
if !hasRenew || !hasNonInteractive || !hasCertName || !hasForce {
t.Errorf("unexpected certbot args: %v", args)
}
}
Expand Down
12 changes: 10 additions & 2 deletions templates/infra/nginx/nginx.conf
Original file line number Diff line number Diff line change
Expand Up @@ -14,22 +14,30 @@ http {
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /dev/stdout main;
access_log /dev/stdout main buffer=32k flush=5s;

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
keepalive_requests 1000;
types_hash_max_size 2048;
server_names_hash_bucket_size 128;
server_names_hash_max_size 2048;

proxy_http_version 1.1;
proxy_buffering on;
proxy_buffer_size 8k;
proxy_buffers 16 8k;
proxy_busy_buffers_size 16k;

# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
gzip_min_length 1024;
gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml application/rss+xml application/atom+xml application/wasm application/manifest+json font/woff font/woff2 image/svg+xml;

# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
Expand Down
13 changes: 11 additions & 2 deletions templates/infra/nginx/nginx.lua.conf
Original file line number Diff line number Diff line change
Expand Up @@ -14,22 +14,31 @@ http {
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /dev/stdout main;
access_log /dev/stdout main buffer=32k flush=5s;

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
keepalive_requests 1000;
types_hash_max_size 2048;
server_names_hash_bucket_size 128;
server_names_hash_max_size 2048;

# HTTP/1.1 to upstreams on every proxied location, not just the primary route.
proxy_http_version 1.1;
proxy_buffering on;
proxy_buffer_size 8k;
proxy_buffers 16 8k;
proxy_busy_buffers_size 16k;

# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
gzip_min_length 1024;
gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml application/rss+xml application/atom+xml application/wasm application/manifest+json font/woff font/woff2 image/svg+xml;

# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
Expand Down
Loading