Hey Nick,
Some delay due to a surgery...
Have the third implementation already running a couple of weeks on my RPI, and had no issues yet...
The settings.js file now looks like this:
// The following property can be used to enable HTTPS
// See http://nodejs.org/api/https.html#https_https_createserver_options_requestlistener
// for details on its contents.
// See the comment at the top of this file on how to load the `fs` module used by this setting.
//https: {
// key: fs.readFileSync('privkey.pem'),
// cert: fs.readFileSync('cert.pem')
//},
// This 'https' property can also be a function. For example for automatic certificate renewal
// (see the 'credentialRenewalTime' property below), this property needs to be a function:
//https: function() {
// return {
// key: fs.readFileSync('privkey.pem'),
// cert: fs.readFileSync('cert.pem')
// }
//},
// The following property can be used to load renewed credential files at regular time intervals (seconds).
// Prerequisite: the 'https' session should be enabled (based on a function)!
// Caution: NodeJs version 11 or above is required to use this option!
//credentialRenewalTime: 3600,
When the 'credentialRenewalTime' is activated, the 'https' property MUST be a function. Otherwise the OLD file contents (cached by 'require') will be reused over and over again. I think that some users might forget about this, and will not understand why the certificate isn't renewed in their browser. Therefore I have decided to let the renewal fail (with console log) in that case, to minimize the risc for such mistakes:
And the red.js file now looks like this:
if (settings.https) {
var startupHttps = settings.https;
if (typeof startupHttps === "function") {
// Get the result of the function, because createServer doesn't accept functions as input
startupHttps = startupHttps();
}
server = https.createServer(startupHttps,function(req,res) {app(req,res);});
// Setup automatic certificate renewal for NodeJs version 11 and above
if (settings.credentialRenewalTime) {
if (server.setSecureContext) {
console.log("Checking renewed credentials every " + parseInt(settings.credentialRenewalTime) + " seconds.");
setInterval(function () {
try {
//console.log("Checking for renewed credentials.");
var renewedHttps = settings.https;
if (typeof renewedHttps !== "function") {
console.log("Cannot renew credentials when the https property isn't a function.");
return;
}
// Get the result of the function, because createServer doesn't accept functions as input
renewedHttps = renewedHttps();
if (!renewedHttps.key || !renewedHttps.cert) {
console.log("Cannot renew credentials when the https property function doesn't return a 'key' and 'cert'.");
return;
}
// Only update the credentials in the server when key or cert has changed
if(!server.key || !server.cert || !server.key.equals(renewedHttps.key) || !server.cert.equals(renewedHttps.cert)) {
server.setSecureContext(renewedHttps);
console.log("The credentials have been renewed.");
}
} catch(err) {
console.log("Cannot renew the credentials: " + err);
}
}, parseInt(settings.credentialRenewalTime) * 1000);
} else {
console.log("Cannot renew credentials automatically. NodeJs version 11 or above is required.");
}
}
} else {
server = http.createServer(function(req,res) {app(req,res);});
}
Don't think there is any impact on the mechanism as is today: as long as the 'https' function isn't a function and the 'credentialRenewalTime' isn't activated, it should run like it used to do in the past...
I have added a check to make sure the file contents have changed, before loading them into the webserver. Just to be sure that we don't have any impact on the running server when the file contents haven't been renewed. That way it is even safe to set the 'credentialRenewalTime' property to run much more often, if that should be required for some use case ...
Hopefully this implementation finally fits the "clean API" test?
Thanks for reviewing!
Bart
