pixielabs / letsencrypt-rails-heroku

Automatic LetsEncrypt SSL certificates in your Rails app on Heroku.
MIT License

Feature/handle expire date #49

Open davidlibrera opened 7 years ago

davidlibrera commented 7 years ago

I copied the behaviour from the certbot service: running the service with --keep-until-expire renews the certificate only if it is due to expire. Now it is possible to run the script daily.

jalada commented 7 years ago

This is a good idea, thanks @davidlibrera, however rather than relying on ENV variables for configuration, why not use the Heroku platform API to check the existing certificate for expiry? https://github.com/jalada/platform-api/blob/master/schema.json#L10856

davidlibrera commented 7 years ago

Yeah, of course. I used env variables directly without thinking about asking Heroku 😸. I'll change this ASAP.

jalada commented 7 years ago

@davidlibrera is there any point still having a configurable expiry window? Certbot renews any certificate that expires within 30 days; I think we should just use the same default and leave it at that.

jalada commented 7 years ago

@davidlibrera rather than checking the certificate by hand, I meant using the Heroku API itself; does that make sense?

davidlibrera commented 7 years ago

@jalada I think that the renew window is useless. The certbot daemon considers 30 days, so we can use that value.

davidlibrera commented 7 years ago

@jalada about checking the certificate by hand, I noticed that the Platform-api JSON does not provide the expire_at value. Your fork of the gem does that. I simply preferred that way in order not to force using a different version of the platform-api gem.

jalada commented 7 years ago

@davidlibrera it's already compulsory to use my fork of the gem until the upstream platform-api gem is updated, as per https://github.com/heroku/platform-api/issues/49 and https://github.com/heroku/platform-api/pull/56.

jalada commented 7 years ago

Do we need the ability to force a renewal?

davidlibrera commented 7 years ago

Yes, when I add a domain name to the Heroku app. The new domain is not certified, but without a forced renewal I can't generate a new one until the previous one is due to expire. Adding a new domain name is the ONLY reason I added that option.

davidlibrera commented 7 years ago

@jalada about the use of the endpoint, OK! I'll fix that ASAP.

jalada commented 7 years ago

@davidlibrera Ahh of course! That makes sense. In which case I suggest we swap the behaviour round. Instead of adding a --force option, let's add an --auto option which enables this new behaviour.

That way, this is a backwards compatible change, rather than a breaking change forcing everyone to redo their scheduled tasks.

Does that make sense?
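
A sketch of the renewal decision discussed in this thread, added here as an illustration and not taken from the pull request or the gem: without `--auto` every run renews (the existing behaviour), with `--auto` a run renews only when the certificate expires within 30 days. The helper names, the self-signed sample certificate for `example.test`, and reading the expiry from a PEM certificate instead of the Heroku API are assumptions.

```ruby
require "openssl"

RENEW_WINDOW_DAYS = 30 # the certbot default mentioned in the thread

# Whole days (rounded down) until the certificate's notAfter, relative to `now`.
def days_until_expiry(cert_pem, now: Time.now)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  ((cert.not_after - now) / 86_400).floor
end

# Hypothetical decision helper.
#   auto: false -> always renew, so existing scheduled tasks behave as before
#                  and a newly added domain can be certified immediately.
#   auto: true  -> renew only if there is no certificate yet or it is inside
#                  the renewal window, so the task can safely run daily.
def renew?(cert_pem, auto:, now: Time.now)
  return true unless auto
  return true if cert_pem.nil? || cert_pem.empty?
  days_until_expiry(cert_pem, now: now) <= RENEW_WINDOW_DAYS
end

# Constructed sample input: a self-signed certificate valid for `valid_days`.
def sample_cert(valid_days, now: Time.now)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=example.test")
  cert.public_key = key.public_key
  cert.not_before = now - 60
  cert.not_after = now + valid_days * 86_400
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  [10, 80].each do |days|
    pem = sample_cert(days)
    puts "valid #{days}d: auto=#{renew?(pem, auto: true)} default=#{renew?(pem, auto: false)}"
  end
end
```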